Expected Behavior We need couple public getters for some fields of security mappings configuration and matchers:

class: org.springframework.security.config.annotation.web.configurers.AbstractConfigAttributeRequestMatcherRegistry - public getter for copy of urlMappings field

class: org.springframework.security.web.util.matcher.AntPathRequestMatcher - public getter for httpMethod field

class: org.springframework.security.web.util.matcher.RegexRequestMatcher - public getter for httpMethod field - public getter for pattern field

class: org.springframework.security.web.util.matcher.MvcRequestMatcher - public getter for httpMethod field - public getter for pattern field

Current Behavior

Currently all above fields are private and getters for those fields don't exists or are package-private.

Context

We have bussiness case to collect data sucha as HttpMethod, uri, pattern etc. for all secured endpoints in microservice to preapre security report.

Currently we are using a workaround to get access to package-private getter by using the same package and regex parsing of toString methods to access data from private fields. But this solution is not reliable as spring-security code may change in the future.

Comment From: jgrandja

@Mateusz-Stasielowicz We only expose class/fields/methods for cases where it makes sense. As soon as we expose anything, then we are committed to supporting it for the long term (now it's a public API) and it really limits our flexibility to change functionality internally. Encapsulation gives us all the flexibility we need to apply changes and improve on our current implementation.

We have bussiness case to collect data sucha as HttpMethod, uri, pattern etc. for all secured endpoints in microservice to preapre security report.

It doesn't make sense to expose for this particular use case. I'm glad you have a workaround by using package private helper classes. I'm going to close this as this is not a change we would apply.