Fix Cyclic Bean Dependency

Closes gh-17484

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java

@@ -83,7 +83,7 @@
 @Target(ElementType.TYPE)
 @Documented
 @Import({ WebSecurityConfiguration.class, SpringWebMvcImportSelector.class, OAuth2ImportSelector.class,
-		HttpSecurityConfiguration.class, ObservationImportSelector.class })
+		HttpSecurityConfiguration.class, ObservationImportSelector.class, AuthorizationConfiguration.class })
 @EnableGlobalAuthentication
 public @interface EnableWebSecurity {
 

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java

@@ -42,7 +42,6 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.DependsOn;
-import org.springframework.context.annotation.Fallback;
 import org.springframework.context.annotation.ImportAware;
 import org.springframework.core.OrderComparator;
 import org.springframework.core.Ordered;
@@ -58,7 +57,6 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.crypto.RsaKeyConversionServicePostProcessor;
-import org.springframework.security.config.web.PathPatternRequestMatcherBuilderFactoryBean;
 import org.springframework.security.context.DelegatingApplicationListener;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.FilterChainProxy;
@@ -144,12 +142,6 @@ public WebInvocationPrivilegeEvaluator privilegeEvaluator() {
 		return this.webSecurity.getPrivilegeEvaluator();
 	}
 
-	@Bean
-	@Fallback
-	public PathPatternRequestMatcherBuilderFactoryBean pathPatternRequestMatcherBuilder() {
-		return new PathPatternRequestMatcherBuilderFactoryBean();
-	}
-
 	/**
 	 * Sets the {@code <SecurityConfigurer<FilterChainProxy, WebSecurityBuilder>}
 	 * instances used to create the web configuration.

config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java

@@ -36,6 +36,7 @@
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -111,6 +112,15 @@ public void enableWebSecurityWhenProxyBeanMethodsFalseThenBeanProxyingDisabled()
 		assertThat(parentBean.getChild()).isNotSameAs(childBean);
 	}
 
+	// gh-17484
+	@Test
+	void configureWhenEnableWebSecuritySeparateFromSecurityFilterChainThenWires() {
+		try (AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext()) {
+			context.register(TestConfiguration.class, EnableWebSecurityConfiguration.class);
+			context.refresh();
+		}
+	}
+
 	@Configuration
 	@EnableWebMvc
 	@EnableWebSecurity(debug = true)
@@ -226,4 +236,20 @@ static class Child {
 
 	}
 
+	@Configuration(proxyBeanMethods = false)
+	static class TestConfiguration {
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+			return http.build();
+		}
+
+	}
+
+	@EnableWebSecurity
+	@Configuration(proxyBeanMethods = false)
+	static class EnableWebSecurityConfiguration {
+
+	}
+
 }