Description
While updating our security configurations as part of the Spring Boot 3.0.0 upgrade, I noticed a mismatch between the upgrade documentation on the new `securityMatcher` methods. The last code sample in https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#use-new-security-matchers shows the following snippet:
```java
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .securityMatcher(antMatcher("/api/**"), antMatcher("/app/**"))
        .authorizeHttpRequests((authz) -> authz
            .requestMatchers(antMatcher("/api/admin/**")).hasRole("ADMIN")
            .anyRequest().authenticated()
        );
    return http.build();
}
```
However, `http.securityMatcher(antMatcher("/api/**"), antMatcher("/app/**"))` is not possible at the moment. There is no `public HttpSecurity securityMatcher(RequestMatcher... requestMatcher)` method; only a `public HttpSecurity securityMatcher(RequestMatcher requestMatcher)` method (no varargs) is available.
Can you please clarify in the docs how such a use case should be migrated? Thanks!
I now opted for the following variant, as I wanted to use the `antMatcher` explicitly: `http.securityMatchers().requestMatchers(antMatcher("/api/**"), antMatcher("/app/**"))`
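
Two ways to scope one filter chain to both patterns using the single-argument `securityMatcher(RequestMatcher)` and the `securityMatchers(Customizer)` overload, as an added example that is not part of the original issue or the Spring Security documentation. The names `OrMatcherSecurityConfig`, `CustomizerSecurityConfig`, `apiOrApp`, `orMatcherChain` and `customizerChain` are hypothetical, and only one of the two configurations should be registered.

```java
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Variant 1: combine the patterns into one RequestMatcher (hypothetical class name).
@Configuration
class OrMatcherSecurityConfig {

    // Matches when either pattern matches. Requests outside both patterns
    // are not handled by this chain and need their own SecurityFilterChain.
    static RequestMatcher apiOrApp() {
        return new OrRequestMatcher(antMatcher("/api/**"), antMatcher("/app/**"));
    }

    @Bean
    SecurityFilterChain orMatcherChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(apiOrApp())
            .authorizeHttpRequests((authz) -> authz
                .requestMatchers(antMatcher("/api/admin/**")).hasRole("ADMIN")
                .anyRequest().authenticated()
            );
        return http.build();
    }
}

// Variant 2: use this instead of variant 1, not alongside it (hypothetical class name).
@Configuration
class CustomizerSecurityConfig {

    @Bean
    SecurityFilterChain customizerChain(HttpSecurity http) throws Exception {
        http
            // The Customizer overload takes several matchers at once.
            .securityMatchers((matchers) -> matchers
                .requestMatchers(antMatcher("/api/**"), antMatcher("/app/**")))
            .authorizeHttpRequests((authz) -> authz
                .requestMatchers(antMatcher("/api/admin/**")).hasRole("ADMIN")
                .anyRequest().authenticated()
            );
        return http.build();
    }
}
```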