If you use Spring Security to lock down a web application and you use the hasAnyRole or hasAnyAuthority you are likely using a comma separated list of roles or authorities. If you upgrade to Spring Framework 5.3.13 or higher your roles will not parse correctly if the entire comma separated list is contained in single quotes.
For example, this works with Spring Framework 5.3.12 and lower
<intercept-url pattern="/account/**" access="hasAnyRole('ROLE_ADMIN,ROLE_WEB_SITE_USER')" requires-channel="${requires-channel}"/>
Upgrading to Spring Framework 5.3.13 and higher you will need to change to
<intercept-url pattern="/account/**" access="hasAnyRole('ROLE_ADMIN','ROLE_WEB_SITE_USER')" requires-channel="${requires-channel}"/>
Without this change, your roles or authorities will not be parsed correctly and access will be denied.
This is a result of this change in 5.3.13