Description
Describe the bug
When using Spring-Boot 2.6.4 + Spring-Security, usage of an ApplicationContextRequestMatcher (such as EndpointRequest.to(HealthEndpoint::class.java) from actuator or PathRequest.toH2Console() for h2) will lead to an error java.lang.IllegalArgumentException: ServletContext must not be null when using authorizeHttpRequests and performing an unauthorized request. The response will also contain unexpected HTML.
According to my analysis, this is because AuthorizationManagerWebInvocationPrivilegeEvaluator creates a FilterInvocation which does not contain the servlet context. This filter invocation is then checked using RequestMatcherDelegatingAuthorizationManager, which then passes it to an ApplicationContextRequestMatcher, which accesses the servlet context, which is null.
This is related to #10779.
To Reproduce
Start the sample project and perform a GET http://localhost:8080 without credentials.
Expected behavior
No exception is thrown and the response contains no unexpected html.
Sample
demo.zip
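A security configuration of the kind this report describes, written as an added example (it is not the contents of the reporter's demo.zip and not Spring's own code). The class name SecurityConfig and the choice of HTTP Basic are assumptions; the calls are the Spring Boot 2.6 / Spring Security 5.6 API.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class (name assumed for this example).
@Configuration
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // authorizeHttpRequests registers the rules with
            // RequestMatcherDelegatingAuthorizationManager, the class named in the report.
            .authorizeHttpRequests(authz -> authz
                // EndpointRequest.to(...) returns an ApplicationContextRequestMatcher,
                // which looks up the application context through the request's
                // ServletContext when it is asked to match.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Every other request needs credentials, so GET / without them
                // is the unauthorized request from "To Reproduce".
                .anyRequest().authenticated())
            // Assumed authentication mechanism; the report does not say which one is used.
            .httpBasic(Customizer.withDefaults());

        // Per the report's analysis: on the unauthorized request,
        // AuthorizationManagerWebInvocationPrivilegeEvaluator builds a FilterInvocation
        // with no ServletContext and evaluates it against the matchers above, where
        // the ApplicationContextRequestMatcher fails with
        // "ServletContext must not be null".
        return http.build();
    }
}
```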