spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Support fullyAuthenticated in Kotlin authorizeHttpRequests #16162

Open sgrimm opened 15 hours ago

sgrimm commented 15 hours ago

Describe the bug

Upgrading from Spring Boot 3.3.5 to 3.4.0 includes an upgrade to Spring Security 6.4, which deprecates the authorizeRequests block in the HTTP configuration DSL. The deprecation message suggests using authorizeHttpRequests instead. But authorizeHttpRequests is missing the fullyAuthenticated property.

w: file:///home/runner/work/terraware-server/terraware-server/src/main/kotlin/com/terraformation/backend/auth/SecurityConfig.kt:67:7 '@Deprecated(...) fun authorizeRequests(authorizeRequestsConfiguration: AuthorizeRequestsDsl.() -> Unit): Unit' is deprecated. Since 6.4. Use authorizeHttpRequests instead.

To Reproduce

In a Spring Boot 3.3.5 app, use a security configuration like

import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
  @Bean
  fun securityFilter(http: HttpSecurity): SecurityFilterChain {
    http {
      authorizeRequests {
        // fullyAuthenticated is a property of AuthorizeRequestsDsl (Spring Security 6.3)
        authorize("/api/**", fullyAuthenticated)
      }
    }
    return http.build()
  }
}

Upgrade to Spring Boot 3.4.0 and follow the suggestion to replace authorizeRequests with authorizeHttpRequests:

import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
  @Bean
  fun securityFilter(http: HttpSecurity): SecurityFilterChain {
    http {
      authorizeHttpRequests {
        // AuthorizeHttpRequestsDsl (Spring Security 6.4) has no fullyAuthenticated member
        authorize("/api/**", fullyAuthenticated)
      }
    }
    return http.build()
  }
}

Compilation will fail because fullyAuthenticated is undefined.

Expected behavior

The suggested replacement in the deprecation message should include all the functionality of the older version, or there should be a migration guide describing what to use instead.

Sample

https://github.com/sgrimm/spring-security-fullyauthenticated

SecurityConfig.kt in that repo

Workaround

Define fullyAuthenticated in the application code:

import org.springframework.security.authorization.AuthenticatedAuthorizationManager
import org.springframework.security.web.access.intercept.RequestAuthorizationContext

val fullyAuthenticated = AuthenticatedAuthorizationManager.fullyAuthenticated<RequestAuthorizationContext>()

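The following is an added example of the workaround wired into a complete authorizeHttpRequests configuration; it is not code from the issue author or from the Spring Security project. It assumes a hypothetical application with a landing page at "/", an API under "/api/**", form login and remember-me enabled, and a constructed remember-me key. The point it shows is what fullyAuthenticated buys you: AuthenticatedAuthorizationManager.fullyAuthenticated() grants access only to an Authentication that is neither anonymous nor remember-me, so a request carrying only a remember-me cookie is sent back through the login entry point instead of reaching the API.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.authorization.AuthenticatedAuthorizationManager
import org.springframework.security.authorization.AuthorizationManager
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.access.intercept.RequestAuthorizationContext

// Application-defined stand-in for the DSL property that AuthorizeHttpRequestsDsl lacks
// in Spring Security 6.4. Spring Security's own AuthenticatedAuthorizationManager
// rejects anonymous and remember-me authentications here, matching the rule the old
// "fullyAuthenticated" expression enforced under authorizeRequests.
val fullyAuthenticated: AuthorizationManager<RequestAuthorizationContext> =
    AuthenticatedAuthorizationManager.fullyAuthenticated()

@Configuration
@EnableWebSecurity
class SecurityConfig {
  @Bean
  fun securityFilter(http: HttpSecurity): SecurityFilterChain {
    http {
      authorizeHttpRequests {
        // Assumed path: a remember-me session is enough to see the landing page.
        authorize("/", authenticated)
        // Assumed path: the API needs a full login. A request authenticated only by the
        // remember-me cookie is denied; ExceptionTranslationFilter then treats it as
        // not fully authenticated and redirects to the login entry point.
        authorize("/api/**", fullyAuthenticated)
        // Fail closed for anything not listed above.
        authorize(anyRequest, denyAll)
      }
      formLogin { }
      // Constructed example key; use a long random secret from configuration in practice.
      rememberMe { key = "example-remember-me-key-replace-me" }
    }
    return http.build()
  }
}
```

Because the value is a plain AuthorizationManager<RequestAuthorizationContext>, it can also be combined with the DSL's other managers (for example as an argument to authorize alongside hasRole or hasAuthority rules) until the property is added to the DSL itself.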
jzheaux commented 12 hours ago

Hi, @sgrimm, thanks for the report. I think this would be a reasonable addition for the 6.5 release. Are you able to submit a PR to add fullyAuthenticated to the Kotlin DSL?