spring-projects
PathPatternRequestMatcher is not a suitable replacement for the deprecated MvcRequestMatcher
Describe the bug Due to the deprecation of MvcRequestMatcher, its replacement 'PathPatternRequestMatcher' requires to know the servlet path(s) beforehand. In my usecase i cannot know this.
To Reproduce
- Have the security chain defined in a seperate autoconfigure module. With a permitAll path.
- Have a servlet path defined in the application that uses the autoconfigure module.
- In the old (mvcrequestmatcher) situation: request /servlet-path/permit-all-path = 200
- In the new (pathpatternrequestmatcher) situation: request /servlet-path/permit-all-path = Err
Expected behavior Another matcher that can dynamically add the requestMatchers to each registered servlet within the applcation, without requiring me to know the servlet paths beforehand.
Sample
See a sample in this repo: https://github.com/genie137/demo-depr-webmvc-matcher I have taken the important parts from closed source libraries to reproduce.
Hi, @genie137, thanks for reaching out. This concern was also raised by the Boot team.
As of Security 7.0.0-M2 the following should work, if not already applied by Boot:
@Bean
PathPatternRequestMatcherBuilderFactoryBean requestMatcherBuilder(DispatcherServletPath servletPath) {
PathPatternRequestMatcherBuilderFactoryBean bean = new PathPatternRequestMatcherBuilderFactoryBean();
String path = servletPath.getPath();
if (!"/".equals(path)) {
bean.setBasePath(path);
}
return bean;
}
With Boot 3.5, can you please add the following to your auto-configuration:
@Bean
PathPatternRequestMatcher.Builder requestMatcherBuilder(PathPatternParser mvcPatternParser, DispatcherServletPath servletPath) {
PathPatternRequestMatcher.Builder builder = new PathPatternRequestMatcher.withPathPatternParser(mvcPatternParser);
String path = servletPath.getPath();
return ("/".equals(path)) ? builder : builder.basePath(path);
}
This snippet should do the following:
- Pick up the
PathPatternParserbean configured by Spring Web - Pick up the servlet path configured in your application properties
- Publish a bean that the DSL will use to prefix all URI patterns
I've added https://github.com/spring-projects/spring-security/issues/17811 to add this to the migration guide.
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Hey, thanks for your response. Apologies for the delay. The only issue i see with this, is that it does not support multiple servlets.
Hi, @genie137, thanks for reaching out. This concern was also raised by the Boot team.
As of Security
7.0.0-M2the following should work, if not already applied by Boot:@Bean PathPatternRequestMatcherBuilderFactoryBean requestMatcherBuilder(DispatcherServletPath servletPath) { PathPatternRequestMatcherBuilderFactoryBean bean = new PathPatternRequestMatcherBuilderFactoryBean(); String path = servletPath.getPath(); if (!"/".equals(path)) { bean.setBasePath(path); } return bean; }
With Boot 3.5, can you please add the following to your auto-configuration:
@Bean PathPatternRequestMatcher.Builder requestMatcherBuilder(PathPatternParser mvcPatternParser, DispatcherServletPath servletPath) { PathPatternRequestMatcher.Builder builder = new PathPatternRequestMatcher.withPathPatternParser(mvcPatternParser); String path = servletPath.getPath(); return ("/".equals(path)) ? builder : builder.basePath(path); }
This snippet should do the following:
1. Pick up the `PathPatternParser` bean configured by Spring Web 2. Pick up the servlet path configured in your application properties 3. Publish a bean that the DSL will use to prefix all URI patternsI've added #17811 to add this to the migration guide.
Thanks for sharing !
Just to rectify the fact that this is :
PathPatternRequestMatcher.Builder builder = PathPatternRequestMatcher.withPathPatternParser(mvcPatternParser);
instead of :
PathPatternRequestMatcher.Builder builder = new PathPatternRequestMatcher.withPathPatternParser(mvcPatternParser);
