FilterSecurityInterceptor applies to every request by default

Closes gh-11466

Author: marcusdacoregio

config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc

@@ -375,7 +375,7 @@ http.attlist &=
 	## Allows a customized AuthenticationEntryPoint to be set on the ExceptionTranslationFilter.
 	attribute entry-point-ref {xsd:token}?
 http.attlist &=
-	## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "true"
+	## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "false"
 	attribute once-per-request {xsd:boolean}?
 http.attlist &=
 	## Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true" (rewriting is disabled).

config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd

@@ -1335,7 +1335,7 @@
       <xs:attribute name="once-per-request" type="xs:boolean">
          <xs:annotation>
             <xs:documentation>Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults
-                to "true"
+                to "false"
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
@@ -3729,4 +3729,4 @@
          <xs:enumeration value="LAST"/>
       </xs:restriction>
   </xs:simpleType>
-</xs:schema>
+</xs:schema>

config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -853,7 +853,7 @@ private void assertThatFiltersMatchExpectedAutoConfigList(String url) {
 		assertThat(filters.next()).isInstanceOf(SessionManagementFilter.class);
 		assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class);
 		assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class)
-				.hasFieldOrPropertyWithValue("observeOncePerRequest", true);
+				.hasFieldOrPropertyWithValue("observeOncePerRequest", false);
 	}
 
 	private <T extends Filter> T getFilter(Class<T> filterClass) {

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-WithSecurityContextHolderStrategy.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright 2002-2018 the original author or authors.
+  ~ Copyright 2002-2022 the original author or authors.
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -28,6 +28,7 @@
 			https://www.springframework.org/schema/mvc/spring-mvc.xsd">
 
 	<http auto-config="true" security-context-holder-strategy-ref="ref">
+		<intercept-url request-matcher-ref="dispatcherTypeMatcher" access="permitAll" />
 		<intercept-url pattern="/**" access="authenticated"/>
 	</http>
 
@@ -37,6 +38,10 @@
 		</b:constructor-arg>
 	</b:bean>
 
+	<b:bean id="dispatcherTypeMatcher" class="org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher">
+		<b:constructor-arg value="ASYNC"/>
+	</b:bean>
+
 	<mvc:annotation-driven>
 		<mvc:argument-resolvers>
 			<b:bean class="org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver">

docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc

@@ -94,7 +94,7 @@ A bean identifier, used for referring to the bean elsewhere in the context.
 [[nsa-http-once-per-request]]
 * **once-per-request**
 Corresponds to the `observeOncePerRequest` property of `FilterSecurityInterceptor`.
-Defaults to `true`.
+Defaults to `false`.
 
 
 [[nsa-http-pattern]]

web/src/main/java/org/springframework/security/web/access/intercept/FilterSecurityInterceptor.java

@@ -48,7 +48,7 @@ public class FilterSecurityInterceptor extends AbstractSecurityInterceptor imple
 
 	private FilterInvocationSecurityMetadataSource securityMetadataSource;
 
-	private boolean observeOncePerRequest = true;
+	private boolean observeOncePerRequest = false;
 
 	/**
 	 * Not used (we rely on IoC container lifecycle services instead)

web/src/test/java/org/springframework/security/web/access/intercept/FilterSecurityInterceptorTests.java

@@ -50,6 +50,7 @@
 import static org.mockito.BDDMockito.willThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyZeroInteractions;
 
@@ -174,6 +175,17 @@ public void doFilterWhenObserveOncePerRequestThenAttributeNotSet() throws Except
 		assertThat(request.getAttributeNames().hasMoreElements()).isFalse();
 	}
 
+	@Test
+	public void doFilterWhenObserveOncePerRequestFalseAndInvokedTwiceThenObserveTwice() throws Throwable {
+		Authentication token = new TestingAuthenticationToken("Test", "Password", "NOT_USED");
+		SecurityContextHolder.getContext().setAuthentication(token);
+		FilterInvocation fi = createinvocation();
+		given(this.ods.getAttributes(fi)).willReturn(SecurityConfig.createList("MOCK_OK"));
+		this.interceptor.invoke(fi);
+		this.interceptor.invoke(fi);
+		verify(this.adm, times(2)).decide(any(), any(), any());
+	}
+
 	private FilterInvocation createinvocation() {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		MockHttpServletRequest request = new MockHttpServletRequest();