Describe the bug
When using XML configuration with once-per-request="true" with use-authorization-manager="false" as per this guide, the resulting org.springframework.security.web.access.intercept.FilterSecurityInterceptor still contains observeOncePerRequest = false.
This is probably because org.springframework.security.config.http.HttpConfigurationBuilder does not ever set the value to true:
```java
if ("false".equals(this.httpElt.getAttribute(ATT_ONCE_PER_REQUEST))) {
    builder.addPropertyValue("observeOncePerRequest", Boolean.FALSE);
}
```
It is probably expected that the default is still true, which changed in gh-11466 (6455e98)
To Reproduce
- Create a Spring Security configuration with a similar configuration:
```xml
<http once-per-request="true" use-authorization-manager="false">
    <intercept-url pattern="/app/*" access="hasRole('APP')"/>
    <!-- ... -->
</http>
```
- Perform a forward when serving the request (such as forwarding to a view from Spring MVC).
- The forwarded request is then still processed by the security chain.
Expected behavior
Upon setting once-per-request="true", the forwarded request should not be processed the second time.
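The interaction between the quoted attribute check and the class default, as an added stand-alone model (JDK only; not code from the report or from Spring Security). `Interceptor`, `reported` and `explicit` are hypothetical names, the `explicit` variant is an assumed alternative rather than the project's fix, and the two `classDefault` values stand for the default before and after gh-11466 as the report describes it.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

public class OncePerRequestModel {

    // Hypothetical stand-in for FilterSecurityInterceptor: only the one property matters here.
    static final class Interceptor {
        boolean observeOncePerRequest;
        Interceptor(boolean classDefault) { this.observeOncePerRequest = classDefault; }
    }

    // Handling quoted in the report: the property is written only when the attribute is "false".
    static boolean reported(Element http, boolean classDefault) {
        Interceptor fsi = new Interceptor(classDefault);
        if ("false".equals(http.getAttribute("once-per-request"))) {
            fsi.observeOncePerRequest = false;
        }
        return fsi.observeOncePerRequest;
    }

    // Assumed alternative: write the property whenever the attribute is present at all.
    static boolean explicit(Element http, boolean classDefault) {
        Interceptor fsi = new Interceptor(classDefault);
        if (http.hasAttribute("once-per-request")) {
            fsi.observeOncePerRequest = Boolean.parseBoolean(http.getAttribute("once-per-request"));
        }
        return fsi.observeOncePerRequest;
    }

    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs needed
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        String[] configs = { // constructed inputs: attribute absent, "true", "false"
            "<http use-authorization-manager=\"false\"/>",
            "<http once-per-request=\"true\" use-authorization-manager=\"false\"/>",
            "<http once-per-request=\"false\" use-authorization-manager=\"false\"/>" };
        for (boolean classDefault : new boolean[] { true, false }) {
            for (String xml : configs) {
                Element http = parse(xml);
                System.out.printf("classDefault=%-5b %-68s reported=%-5b explicit=%b%n",
                        classDefault, xml, reported(http, classDefault), explicit(http, classDefault));
            }
        }
    }
}
```

The two variants differ only in the row with `classDefault=false` and `once-per-request="true"`, which is the configuration in the report.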
Comment From: marcusdacoregio
Thanks for the report @svorcmar, this is now fixed and will be available in 6.0.5 and 6.1.2.