The Javadoc for public AntPathRequestMatcher(String pattern) says "Creates a matcher with the specific pattern which will match all HTTP methods in a case insensitive manner." This was true in previous versions, but now it is not.

This calls another overloaded constructor, which in turn passes the caseSensitive arg = true to AntPathRequestMatcher(String pattern, String httpMethod, boolean caseSensitive).

In previous versions, the caseSensitive arg was set to false:

Here's the 4.02 code:

/**
 * Creates a matcher with the specific pattern which will match all HTTP methods in a
 * case insensitive manner.
 *
 * @param pattern the ant pattern to use for matching
 */
public AntPathRequestMatcher(String pattern) {
    this(pattern, null);
}

/**
 * Creates a matcher with the supplied pattern and HTTP method in a case insensitive
 * manner.
 *
 * @param pattern the ant pattern to use for matching
 * @param httpMethod the HTTP method. The {@code matches} method will return false if
 * the incoming request doesn't have the same method.
 */
public AntPathRequestMatcher(String pattern, String httpMethod) {
    this(pattern, httpMethod, false);
}

/**
 * Creates a matcher with the supplied pattern which will match the specified Http
 * method
 *
 * @param pattern the ant pattern to use for matching
 * @param httpMethod the HTTP method. The {@code matches} method will return false if
 * the incoming request doesn't doesn't have the same method.
 * @param caseSensitive true if the matcher should consider case, else false
 */
public AntPathRequestMatcher(String pattern, String httpMethod, boolean caseSensitive)

Comment From: Siggen

I confirm the problem. Upgrading from Spring-Security 3 to 4 breaks case-insensitive pattern matching in FilterChainProxy.

Comment From: alexvk82

I confirm the problem too; the Javadoc and reference doc are out of date for versions 4.2.12, 5.0.12, 5.1.5 and latest.

Comment From: rwinch

Thanks for the confirmation @alexvk82! Would you be interested in submitting a PR to fix the documentation?

Comment From: eleftherias

This was fixed in Spring Security 5.4.0, 5.3.3 and 5.2.5 via #8512.
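
An added example, not part of the thread or of Spring Security's own code: a small check that shows which behaviour the one-argument constructor has on the version in use and pins case handling explicitly with the three-argument constructor quoted in the issue. It assumes spring-security-web, spring-test and the servlet API are on the classpath; the class name, the `/admin/**` pattern and the sample paths are constructed for illustration.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class AntMatcherCaseCheck {

    // Constructed request; the servlet path is set explicitly so the matcher
    // has a path to compare against the pattern.
    static MockHttpServletRequest request(String path) {
        MockHttpServletRequest r = new MockHttpServletRequest("GET", path);
        r.setServletPath(path);
        return r;
    }

    public static void main(String[] args) {
        String pattern = "/admin/**"; // hypothetical protected path
        // Default under discussion: behaviour depends on the library version.
        RequestMatcher oneArg = new AntPathRequestMatcher(pattern);
        // Explicit forms: the intent is visible and survives upgrades.
        RequestMatcher insensitive = new AntPathRequestMatcher(pattern, null, false);
        RequestMatcher sensitive = new AntPathRequestMatcher(pattern, null, true);

        boolean defaultIsSensitive = true;
        for (String path : new String[] {"/admin/users", "/ADMIN/users", "/Admin/Users"}) {
            MockHttpServletRequest req = request(path);
            boolean d = oneArg.matches(req);
            boolean i = insensitive.matches(req);
            boolean s = sensitive.matches(req);
            System.out.printf("%-14s one-arg=%-5b insensitive=%-5b sensitive=%b%n",
                    path, d, i, s);
            // The explicit matchers must behave as their flag says.
            if (!i || s != path.startsWith("/admin/")) {
                throw new IllegalStateException("explicit matcher misbehaved for " + path);
            }
            if (d != s) {
                defaultIsSensitive = false;
            }
        }
        System.out.println("one-arg constructor is case "
                + (defaultIsSensitive ? "sensitive" : "insensitive")
                + " on this version");
    }
}
```

Running this before and after an upgrade shows whether rules built with the one-argument constructor still match mixed-case paths.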