Spring Security Remove lowercase-comparisons

Summary

The lowercase-comparisons attribute of <filter-security-metadata-source> is documented and supported by the XSD but AFAIK it actually has not been working since 3.1.0, as it was removed in commit 93438def.

I'm not sure if there is currently an alternative way to configure security to match ant patterns in a case insensitive way.

Actual Behavior

The namespace parser doesn't honor the lowercase-comparisons attribute. <intercept-url> ant patterns are always matched using a case sensitive ant path matcher.

Expected Behavior

<intercept-url> patterns should be matched using a case insensitive ant path matcher.

Configuration

<sec:filter-security-metadata-source request-matcher="ant" lowercase-comparisons="true" use-expressions="false">
  ...
</sec:filter-security-metadata-source>

Version

Spring Security 4.1.0.RELEASE

Comment From: rwinch

Thanks for the report! We will provide the ability to use any RequestMatcher implementation with #4097

Comment From: rwinch

This is now fixed in master along with #4097

Comment From: hbrands

Does that mean when migrating from Spring Security 3.x to Spring Security 4.1.4 an existing definition like this

<security:filter-security-metadata-source use-expressions="false" lowercase-comparisons="true" request-matcher="ant">
      <security:intercept-url pattern="/remoting/remoteauthenticationmanager-httpinvoker" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
...
 </security:filter-security-metadata-source>

does not work correctly because lowercase-comparison is ignored ? what's the recommended workaround for 4.1, specify case-sensitve patterns like pattern="/remoting/RemoteAuthenticationManager-httpinvoker" ?

Comment From: sreenathac

From spring-security 4.2.5 reference, "As mentioned above, the default strategy is to use Ant-style paths for matching and this is likely to be the best choice for most users. The strategy is implemented in the class AntPathRequestMatcher which uses Spring’s AntPathMatcher to perform a case-insensitive match of the pattern against the concatenated servletPath and pathInfo, ignoring the queryString."

From the above statement I understood that AntPathRequestMatcher by default match with case-insensitive. However I have observed that it is taking default value as true for caseSensitive. Do we have any alternative for lowercase-comparisons in spring-security 4,2.

Comment From: Lonzak

We have the same problem (just updated from Spring 3.0.X to Spring 5.X. "lowercase-comparisons="false" has been removed. So how can I make the whole thing case-insensitive now?