Consider alerting applications when both `FilterSecurityInterceptor` and `AuthorizationFilter` are in the same filter chain

[jzheaux]

This is almost definitely a misconfiguration. It could be detected in DefaultFilterChainValidator.

Since Spring Security can "work" with both of these filters, let's simply warn in the logs. Along those lines, there should be two warn messages:

1. If they are using both filters, warn that this is probably a misconfiguration and they should migrate as soon as possible to authorizeHttpRequests.
2. If they are only using FilterSecurityInterceptor, warn that it is due for removal and they should migrate as soon as possible to authorizeHttpRequests

[franticticktick]

Hi @jzheaux, could you assign this task to me? It seems to be related to this one. Currently the DefaultFilterChainValidator only works with xml config. In addition, it contains several bugs:

RequestMatcher matcher = ((DefaultSecurityFilterChain) chains.next()).getRequestMatcher();

Such forced castes can lead to errors if a custom filterChain is used. Therefore, we must first consider 15982.

[evgeniycheban]

Hi, @jzheaux I'd want to work on this, can you assign it to me?