Spring AntPattern issue (No more pattern data allowed after {*...} or ** pattern element) with Spring-Boot 3.0 (regression from 2.7.5)

Hi,

I've migrated from spring-boot 2.7.x to spring-boot 3 and now I am facing this issue with a valid Ant-Style pattern which does not fail in 2.7.5:

Having this on my security chain:

.requestMatchers("/**/*.js").permitAll()

does result in this failure now:

org.springframework.web.util.pattern.PatternParseException: No more pattern data allowed after {*...} or ** pattern element
    at app//org.springframework.web.util.pattern.InternalPathPatternParser.peekDoubleWildcard(InternalPathPatternParser.java:250)
    at app//org.springframework.web.util.pattern.InternalPathPatternParser.parse(InternalPathPatternParser.java:113)
    at app//org.springframework.web.util.pattern.PathPatternParser.parse(PathPatternParser.java:117)
    at app//org.springframework.web.servlet.handler.PathPatternMatchableHandlerMapping.lambda$match$0(PathPatternMatchableHandlerMapping.java:63)
    at java.base@17.0.5/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708)
    at app//org.springframework.web.servlet.handler.PathPatternMatchableHandlerMapping.match(PathPatternMatchableHandlerMapping.java:61)
    at app//org.springframework.web.servlet.handler.HandlerMappingIntrospector$PathSettingHandlerMapping.match(HandlerMappingIntrospector.java:322)
    at app//org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.matcher(MvcRequestMatcher.java:95)
    at app//org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager.check(RequestMatcherDelegatingAuthorizationManager.java:76)
    at app//org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager.check(RequestMatcherDelegatingAuthorizationManager.java:45)

Looking at:

https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/util/AntPathMatcher.html

that is a valid ant pattern and I can't remember reading something about that in the migration guide.

Comment From: bclozel

As you can see in the stacktrace, this is not using the AntPathMatcher but the PathPatternParser. Spring Boot opted for PathPatternParser as a default for Spring MVC apps as of Spring Boot 2.6. So this looks like your application was somehow overriding the Spring Boot auto-configuration. Is your Spring Boot application completely disabling the Spring Boot auto-configuration by declaring an @EnableWebMvc annotation somewhere?

This behavior change is mostly linked to this default also changing in Spring Framework 6.0 (see #28607). Note that this strategy has been deprecated as a result. This change is documented in the Spring Framework wiki.

This limitation has been introduced in PathPatternParser on purpose as this could lead to performance issues and would confuse developers in certain cases about matching and sorting. In your case, using "/**.js" should work fine.