Allow configuration of servlet api through nested builder

Issue: spring-projectsgh-5557

Author: eleftherias

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -1294,6 +1294,36 @@ public ServletApiConfigurer<HttpSecurity> servletApi() throws Exception {
 		return getOrApply(new ServletApiConfigurer<>());
 	}
 
+	/**
+	 * Integrates the {@link HttpServletRequest} methods with the values found on the
+	 * {@link SecurityContext}. This is automatically applied when using
+	 * {@link WebSecurityConfigurerAdapter}. You can disable it using:
+	 *
+	 * <pre>
+	 * &#064;Configuration
+	 * &#064;EnableWebSecurity
+	 * public class ServletApiSecurityConfig extends WebSecurityConfigurerAdapter {
+	 *
+	 * 	&#064;Override
+	 * 	protected void configure(HttpSecurity http) throws Exception {
+	 * 		http
+	 * 			.servletApi(servletApi ->
+	 * 				servletApi.disable()
+	 * 			);
+	 * 	}
+	 * }
+	 * </pre>
+	 *
+	 * @param servletApiCustomizer the {@link Customizer} to provide more options for
+	 * the {@link ServletApiConfigurer}
+	 * @return the {@link HttpSecurity} for further customizations
+	 * @throws Exception
+	 */
+	public HttpSecurity servletApi(Customizer<ServletApiConfigurer<HttpSecurity>> servletApiCustomizer) throws Exception {
+		servletApiCustomizer.customize(getOrApply(new ServletApiConfigurer<>()));
+		return HttpSecurity.this;
+	}
+
 	/**
 	 * Adds CSRF support. This is activated by default when using
 	 * {@link WebSecurityConfigurerAdapter}'s default constructor. You can disable it

config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java

@@ -47,6 +47,7 @@
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
+import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
@@ -230,6 +231,53 @@ protected void configure(HttpSecurity http) throws Exception {
 		}
 	}
 
+	@Test
+	public void requestWhenServletApiWithDefaultsInLambdaThenUsesDefaultRolePrefix() throws Exception {
+		this.spring.register(ServletApiWithDefaultsInLambdaConfig.class, AdminController.class).autowire();
+
+		this.mvc.perform(get("/admin")
+				.with(user("user").authorities(AuthorityUtils.createAuthorityList("ROLE_ADMIN"))))
+				.andExpect(status().isOk());
+	}
+
+	@EnableWebSecurity
+	static class ServletApiWithDefaultsInLambdaConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.servletApi(withDefaults());
+			// @formatter:on
+		}
+	}
+
+	@Test
+	public void requestWhenRolePrefixInLambdaThenUsesCustomRolePrefix() throws Exception {
+		this.spring.register(RolePrefixInLambdaConfig.class, AdminController.class).autowire();
+
+		this.mvc.perform(get("/admin")
+				.with(user("user").authorities(AuthorityUtils.createAuthorityList("PERMISSION_ADMIN"))))
+				.andExpect(status().isOk());
+
+		this.mvc.perform(get("/admin")
+				.with(user("user").authorities(AuthorityUtils.createAuthorityList("ROLE_ADMIN"))))
+				.andExpect(status().isForbidden());
+	}
+
+	@EnableWebSecurity
+	static class RolePrefixInLambdaConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.servletApi(servletApi ->
+					servletApi
+						.rolePrefix("PERMISSION_")
+				);
+			// @formatter:on
+		}
+	}
+
 	@RestController
 	static class AdminController {
 		@GetMapping("/admin")