.github/workflows/update-antora-ui-spring.yml

@@ -18,7 +18,7 @@ jobs:
       matrix:
         branch: [ '5.8.x', '6.2.x', '6.3.x', 'main' ]
     steps:
-      - uses: spring-io/spring-doc-actions/update-antora-spring-ui@852920ba3fb1f28b35a2f13201133bc00ef33677
+      - uses: spring-io/spring-doc-actions/update-antora-spring-ui@c2038265125ec6f305a4a041d892ee44c156a754
         name: Update
         with:
           docs-branch: ${{ matrix.branch }}
@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Update on docs-build
     steps:
-      - uses: spring-io/spring-doc-actions/update-antora-spring-ui@852920ba3fb1f28b35a2f13201133bc00ef33677
+      - uses: spring-io/spring-doc-actions/update-antora-spring-ui@c2038265125ec6f305a4a041d892ee44c156a754
         name: Update
         with:
           docs-branch: 'docs-build'

build.gradle

@@ -124,7 +124,7 @@ wrapperUpgrade {
 	gradle {
 		'spring-security' {
 			repo = 'spring-projects/spring-security'
-			baseBranch = '6.2.x' // runs only on 6.2.x and the update is merged forward to main
+			baseBranch = '6.3.x' // runs only on 6.3.x and the update is merged forward to main
 		}
 	}
 }

config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java

@@ -183,6 +183,9 @@ BeanDefinition getCsrfAuthenticationStrategy() {
 		BeanDefinitionBuilder csrfAuthenticationStrategy = BeanDefinitionBuilder
 			.rootBeanDefinition(CsrfAuthenticationStrategy.class);
 		csrfAuthenticationStrategy.addConstructorArgReference(this.csrfRepositoryRef);
+		if (StringUtils.hasText(this.requestHandlerRef)) {
+			csrfAuthenticationStrategy.addPropertyReference("requestHandler", this.requestHandlerRef);
+		}
 		return csrfAuthenticationStrategy.getBeanDefinition();
 	}
 

config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -56,6 +56,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.Role;
+import org.springframework.core.annotation.AnnotationAwareOrderComparator;
 import org.springframework.core.annotation.AnnotationConfigurationException;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.PermissionEvaluator;
@@ -1103,6 +1104,21 @@ public void jsr250MethodWhenExcludeAuthorizationObservationsThenUnobserved() {
 		verifyNoInteractions(handler);
 	}
 
+	// gh-16819
+	@Test
+	void autowireWhenDefaultsThenAdvisorAnnotationsAreSorted() {
+		this.spring.register(MethodSecurityServiceConfig.class).autowire();
+		AuthorizationAdvisorProxyFactory proxyFactory = this.spring.getContext()
+			.getBean(AuthorizationAdvisorProxyFactory.class);
+		AnnotationAwareOrderComparator comparator = AnnotationAwareOrderComparator.INSTANCE;
+		AuthorizationAdvisor previous = null;
+		for (AuthorizationAdvisor advisor : proxyFactory) {
+			boolean ordered = previous == null || comparator.compare(previous, advisor) < 0;
+			assertThat(ordered).isTrue();
+			previous = advisor;
+		}
+	}
+
 	private static Consumer<ConfigurableWebApplicationContext> disallowBeanOverriding() {
 		return (context) -> ((AnnotationConfigWebApplicationContext) context).setAllowBeanDefinitionOverriding(false);
 	}

config/src/test/java/org/springframework/security/config/http/CsrfConfigTests.java

@@ -336,6 +336,43 @@ public void postWhenUsingCsrfAndXorCsrfTokenRequestAttributeHandlerWithRawTokenT
 		// @formatter:on
 	}
 
+	@Test
+	public void postWhenUsingCsrfAndXorCsrfTokenRequestAttributeHandlerThenCsrfAuthenticationStrategyUses()
+			throws Exception {
+		this.spring.configLocations(this.xml("WithXorCsrfTokenRequestAttributeHandler"), this.xml("shared-controllers"))
+			.autowire();
+		// @formatter:off
+		MvcResult mvcResult1 = this.mvc.perform(get("/csrf"))
+				.andExpect(status().isOk())
+				.andReturn();
+		// @formatter:on
+		MockHttpServletRequest request1 = mvcResult1.getRequest();
+		MockHttpSession session = (MockHttpSession) request1.getSession();
+		CsrfTokenRepository repository = WebTestUtils.getCsrfTokenRepository(request1);
+		// @formatter:off
+		MockHttpServletRequestBuilder login = post("/login")
+			.param("username", "user")
+			.param("password", "password")
+			.session(session)
+			.with(csrf());
+		this.mvc.perform(login)
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("/"));
+		// @formatter:on
+		assertThat(repository.loadToken(request1)).isNull();
+		// @formatter:off
+		MvcResult mvcResult2 = this.mvc.perform(get("/csrf").session(session))
+			.andExpect(status().isOk())
+			.andReturn();
+		// @formatter:on
+		MockHttpServletRequest request2 = mvcResult2.getRequest();
+		CsrfToken csrfToken = repository.loadToken(request2);
+		CsrfToken csrfTokenAttribute = (CsrfToken) request2.getAttribute(CsrfToken.class.getName());
+		assertThat(csrfTokenAttribute).isNotNull();
+		assertThat(csrfTokenAttribute.getToken()).isNotBlank();
+		assertThat(csrfTokenAttribute.getToken()).isNotEqualTo(csrfToken.getToken());
+	}
+
 	@Test
 	public void postWhenHasCsrfTokenButSessionExpiresThenRequestIsCancelledAfterSuccessfulAuthentication()
 			throws Exception {

core/src/main/java/org/springframework/security/authorization/method/AuthorizationAdvisorProxyFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,6 +47,7 @@
 import org.springframework.aop.Pointcut;
 import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.aop.framework.ProxyFactory;
+import org.springframework.beans.factory.SmartInitializingSingleton;
 import org.springframework.core.annotation.AnnotationAwareOrderComparator;
 import org.springframework.lang.NonNull;
 import org.springframework.security.authorization.AuthorizationProxyFactory;
@@ -79,8 +80,8 @@
  * @author Josh Cummings
  * @since 6.3
  */
-public final class AuthorizationAdvisorProxyFactory
-		implements AuthorizationProxyFactory, Iterable<AuthorizationAdvisor>, AopInfrastructureBean {
+public final class AuthorizationAdvisorProxyFactory implements AuthorizationProxyFactory,
+		Iterable<AuthorizationAdvisor>, AopInfrastructureBean, SmartInitializingSingleton {
 
 	private static final boolean isReactivePresent = ClassUtils.isPresent("reactor.core.publisher.Mono", null);
 
@@ -125,6 +126,7 @@ public static AuthorizationAdvisorProxyFactory withDefaults() {
 		advisors.add(new PostFilterAuthorizationMethodInterceptor());
 		AuthorizationAdvisorProxyFactory proxyFactory = new AuthorizationAdvisorProxyFactory(advisors);
 		proxyFactory.addAdvisor(new AuthorizeReturnObjectMethodInterceptor(proxyFactory));
+		AnnotationAwareOrderComparator.sort(proxyFactory.advisors);
 		return proxyFactory;
 	}
 
@@ -142,9 +144,15 @@ public static AuthorizationAdvisorProxyFactory withReactiveDefaults() {
 		advisors.add(new PostFilterAuthorizationReactiveMethodInterceptor());
 		AuthorizationAdvisorProxyFactory proxyFactory = new AuthorizationAdvisorProxyFactory(advisors);
 		proxyFactory.addAdvisor(new AuthorizeReturnObjectMethodInterceptor(proxyFactory));
+		AnnotationAwareOrderComparator.sort(proxyFactory.advisors);
 		return proxyFactory;
 	}
 
+	@Override
+	public void afterSingletonsInstantiated() {
+		AnnotationAwareOrderComparator.sort(this.advisors);
+	}
+
 	/**
 	 * Proxy an object to enforce authorization advice.
 	 *
@@ -165,7 +173,6 @@ public static AuthorizationAdvisorProxyFactory withReactiveDefaults() {
 	 */
 	@Override
 	public Object proxy(Object target) {
-		AnnotationAwareOrderComparator.sort(this.advisors);
 		if (target == null) {
 			return null;
 		}
@@ -178,9 +185,9 @@ public Object proxy(Object target) {
 		}
 		ProxyFactory factory = new ProxyFactory(target);
 		factory.addAdvisors(this.authorizationProxy);
-		for (Advisor advisor : this.advisors) {
-			factory.addAdvisors(advisor);
-		}
+		List<Advisor> advisors = new ArrayList<>(this.advisors);
+		AnnotationAwareOrderComparator.sort(advisors);
+		factory.addAdvisors(advisors);
 		factory.addInterface(AuthorizationProxy.class);
 		factory.setOpaque(true);
 		factory.setProxyTargetClass(!Modifier.isFinal(target.getClass().getModifiers()));

core/src/main/java/org/springframework/security/authorization/method/AuthorizeReturnObjectMethodInterceptor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -48,7 +48,7 @@ public final class AuthorizeReturnObjectMethodInterceptor implements Authorizati
 	private int order = AuthorizationInterceptorsOrder.SECURE_RESULT.getOrder();
 
 	public AuthorizeReturnObjectMethodInterceptor(AuthorizationProxyFactory authorizationProxyFactory) {
-		Assert.notNull(authorizationProxyFactory, "authorizationManager cannot be null");
+		Assert.notNull(authorizationProxyFactory, "authorizationProxyFactory cannot be null");
 		this.authorizationProxyFactory = authorizationProxyFactory;
 	}
 

core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -40,6 +40,7 @@
 import org.junit.jupiter.api.Test;
 
 import org.springframework.aop.Pointcut;
+import org.springframework.core.annotation.AnnotationAwareOrderComparator;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.authentication.TestAuthentication;
@@ -360,6 +361,32 @@ public void proxyWhenDefaultsThenInstanceOfAuthorizationProxy() {
 		assertThat(target).isSameAs(this.flight);
 	}
 
+	// gh-16819
+	@Test
+	void advisorsWhenWithDefaultsThenAreSorted() {
+		AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
+		AnnotationAwareOrderComparator comparator = AnnotationAwareOrderComparator.INSTANCE;
+		AuthorizationAdvisor previous = null;
+		for (AuthorizationAdvisor advisor : proxyFactory) {
+			boolean ordered = previous == null || comparator.compare(previous, advisor) < 0;
+			assertThat(ordered).isTrue();
+			previous = advisor;
+		}
+	}
+
+	// gh-16819
+	@Test
+	void advisorsWhenWithReactiveDefaultsThenAreSorted() {
+		AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withReactiveDefaults();
+		AnnotationAwareOrderComparator comparator = AnnotationAwareOrderComparator.INSTANCE;
+		AuthorizationAdvisor previous = null;
+		for (AuthorizationAdvisor advisor : proxyFactory) {
+			boolean ordered = previous == null || comparator.compare(previous, advisor) < 0;
+			assertThat(ordered).isTrue();
+			previous = advisor;
+		}
+	}
+
 	private Authentication authenticated(String user, String... authorities) {
 		return TestAuthentication.authenticated(TestAuthentication.withUsername(user).authorities(authorities).build());
 	}

docs/modules/ROOT/nav.adoc

@@ -132,7 +132,7 @@
 *** xref:servlet/appendix/faq.adoc[FAQ]
 * xref:reactive/index.adoc[Reactive Applications]
 ** xref:reactive/getting-started.adoc[Getting Started]
-** Authentication
+** xref:reactive/authentication/index.adoc[Authentication]
 *** xref:reactive/authentication/x509.adoc[X.509 Authentication]
 *** xref:reactive/authentication/logout.adoc[Logout]
 *** Session Management

docs/modules/ROOT/pages/features/authentication/index.adoc

@@ -8,4 +8,4 @@ Once authentication is performed we know the identity and can perform authorizat
 
 Spring Security provides built-in support for authenticating users.
 This section is dedicated to generic authentication support that applies in both Servlet and WebFlux environments.
-Refer to the sections on authentication for xref:servlet/authentication/index.adoc#servlet-authentication[Servlet] and xref:servlet/authentication/index.adoc[WebFlux] for details on what is supported for each stack.
+Refer to the sections on authentication for xref:servlet/authentication/index.adoc[Servlet] and xref:reactive/authentication/index.adoc[WebFlux] for details on what is supported for each stack.

docs/modules/ROOT/pages/index.adoc

@@ -1,5 +1,10 @@
 = Spring Security
 
+[NOTE]
+====
+Spring Security's documentation can be https://docs.spring.io/spring-security/reference/spring-security-docs.zip[downloaded] as a zip file.
+====
+
 Spring Security is a framework that provides xref:features/authentication/index.adoc[authentication], xref:features/authorization/index.adoc[authorization], and xref:features/exploits/index.adoc[protection against common attacks].
 With first class support for securing both xref:servlet/index.adoc[imperative] and xref:reactive/index.adoc[reactive] applications, it is the de-facto standard for securing Spring-based applications.
 

docs/modules/ROOT/pages/reactive/authentication/index.adoc

@@ -0,0 +1,3 @@
+[[webflux-authentication]]
+= Authentication
+:page-section-summary-toc: 1

docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc

@@ -34,7 +34,7 @@ The attributes on the `<http>` element control some of the properties on the cor
 Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
 
 [[nsa-http-authorization-manager-ref]]
-* **access-decision-manager-ref**
+* **use-authorization-manager**
 Use this AuthorizationManager instead of deriving one from <intercept-url> elements
 
 [[nsa-http-access-decision-manager-ref]]

docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc

@@ -1048,8 +1048,8 @@ public class SecurityConfig {
 		http
 			.securityMatcher("/api/**")                            <1>
 			.authorizeHttpRequests(authorize -> authorize
-				.requestMatchers("/user/**").hasRole("USER")       <2>
-				.requestMatchers("/admin/**").hasRole("ADMIN")     <3>
+				.requestMatchers("/api/user/**").hasRole("USER")   <2>
+				.requestMatchers("/api/admin/**").hasRole("ADMIN") <3>
 				.anyRequest().authenticated()                      <4>
 			)
 			.formLogin(withDefaults());
@@ -1071,8 +1071,8 @@ open class SecurityConfig {
         http {
             securityMatcher("/api/**")                                           <1>
             authorizeHttpRequests {
-                authorize("/user/**", hasRole("USER"))                           <2>
-                authorize("/admin/**", hasRole("ADMIN"))                         <3>
+                authorize("/api/user/**", hasRole("USER"))                       <2>
+                authorize("/api/admin/**", hasRole("ADMIN"))                     <3>
                 authorize(anyRequest, authenticated)                             <4>
             }
         }
@@ -1084,8 +1084,8 @@ open class SecurityConfig {
 ======
 
 <1> Configure `HttpSecurity` to only be applied to URLs that start with `/api/`
-<2> Allow access to URLs that start with `/user/` to users with the `USER` role
-<3> Allow access to URLs that start with `/admin/` to users with the `ADMIN` role
+<2> Allow access to URLs that start with `/api/user/` to users with the `USER` role
+<3> Allow access to URLs that start with `/api/admin/` to users with the `ADMIN` role
 <4> Any other request that doesn't match the rules above, will require authentication
 
 The `securityMatcher(s)` and `requestMatcher(s)` methods will decide which `RequestMatcher` implementation fits best for your application: If {spring-framework-reference-url}web.html#spring-web[Spring MVC] is in the classpath, then javadoc:org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher[] will be used, otherwise, javadoc:org.springframework.security.web.util.matcher.AntPathRequestMatcher[] will be used.
@@ -1111,8 +1111,8 @@ public class SecurityConfig {
 		http
 			.securityMatcher(antMatcher("/api/**"))                              <2>
 			.authorizeHttpRequests(authorize -> authorize
-				.requestMatchers(antMatcher("/user/**")).hasRole("USER")         <3>
-				.requestMatchers(regexMatcher("/admin/.*")).hasRole("ADMIN")     <4>
+				.requestMatchers(antMatcher("/api/user/**")).hasRole("USER")     <3>
+				.requestMatchers(regexMatcher("/api/admin/.*")).hasRole("ADMIN") <4>
 				.requestMatchers(new MyCustomRequestMatcher()).hasRole("SUPERVISOR")     <5>
 				.anyRequest().authenticated()
 			)
@@ -1146,8 +1146,8 @@ open class SecurityConfig {
         http {
             securityMatcher(antMatcher("/api/**"))                               <2>
             authorizeHttpRequests {
-                authorize(antMatcher("/user/**"), hasRole("USER"))               <3>
-                authorize(regexMatcher("/admin/**"), hasRole("ADMIN"))           <4>
+                authorize(antMatcher("/api/user/**"), hasRole("USER"))           <3>
+                authorize(regexMatcher("/api/admin/**"), hasRole("ADMIN"))       <4>
                 authorize(MyCustomRequestMatcher(), hasRole("SUPERVISOR"))       <5>
                 authorize(anyRequest, authenticated)
             }
@@ -1161,8 +1161,8 @@ open class SecurityConfig {
 
 <1> Import the static factory methods from `AntPathRequestMatcher` and `RegexRequestMatcher` to create `RequestMatcher` instances.
 <2> Configure `HttpSecurity` to only be applied to URLs that start with `/api/`, using `AntPathRequestMatcher`
-<3> Allow access to URLs that start with `/user/` to users with the `USER` role, using `AntPathRequestMatcher`
-<4> Allow access to URLs that start with `/admin/` to users with the `ADMIN` role, using `RegexRequestMatcher`
+<3> Allow access to URLs that start with `/api/user/` to users with the `USER` role, using `AntPathRequestMatcher`
+<4> Allow access to URLs that start with `/api/admin/` to users with the `ADMIN` role, using `RegexRequestMatcher`
 <5> Allow access to URLs that match the `MyCustomRequestMatcher` to users with the `SUPERVISOR` role, using a custom `RequestMatcher`
 
 == Further Reading

docs/modules/ROOT/pages/servlet/test/mockmvc/index.adoc

@@ -2,4 +2,4 @@
 = Spring MVC Test Integration
 :page-section-summary-toc: 1
 
-Spring Security provides comprehensive integration with https://docs.spring.io/spring/docs/current/spring-framework-reference/html/testing.html#spring-mvc-test-framework[Spring MVC Test]
+Spring Security provides comprehensive integration with {spring-framework-reference-url}testing/mockmvc.html[Spring MVC Test]

gradle.properties

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 springBootVersion=3.3.3
-version=6.4.4
+version=6.4.5-SNAPSHOT
 samplesBranch=main
 org.gradle.jvmargs=-Xmx3g -XX:+HeapDumpOnOutOfMemoryError
 org.gradle.parallel=true

gradle/libs.versions.toml

@@ -8,16 +8,16 @@ org-apache-directory-server = "1.5.5"
 org-apache-maven-resolver = "1.9.22"
 org-aspectj = "1.9.22.1"
 org-bouncycastle = "1.79"
-org-eclipse-jetty = "11.0.24"
+org-eclipse-jetty = "11.0.25"
 org-jetbrains-kotlin = "1.9.25"
 org-jetbrains-kotlinx = "1.9.0"
 org-mockito = "5.14.2"
 org-opensaml = "4.3.2"
 org-opensaml5 = "5.1.2"
-org-springframework = "6.2.4"
+org-springframework = "6.2.5"
 
 [libraries]
-ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.17"
+ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.18"
 com-fasterxml-jackson-jackson-bom = "com.fasterxml.jackson:jackson-bom:2.18.3"
 com-google-inject-guice = "com.google.inject:guice:3.0"
 com-netflix-nebula-nebula-project-plugin = "com.netflix.nebula:nebula-project-plugin:8.2.0"