Describe the bug
Multiple .requestMatchers().mvcMatchers() definitions override the previous one.
    http
        .requestMatchers()
            .mvcMatchers("/api-1")
            .mvcMatchers("/api-2")
            .mvcMatchers("/api-3")
            .and()
In the example above, the matcher for "/api-3" will override the one for "/api-1", and the resulting matcher list will contain only the two latest matchers: "/api-2" and "/api-3".
Expected behavior
All matchers should be used together, joined by OrRequestMatcher.
Possible issue
The MvcMatchersRequestMatcherConfigurer that is returned after .mvcMatchers() contains only the last pattern, but it should collect all patterns combined together.
I think the line https://github.com/spring-projects/spring-security/blob/main/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java#L3119 from the following code:
    @Override
    public MvcMatchersRequestMatcherConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
        List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
        setMatchers(mvcMatchers);
        return new MvcMatchersRequestMatcherConfigurer(getContext(), mvcMatchers);
    }
should be changed to return all matchers (this.matchers), like below:
    @Override
    public MvcMatchersRequestMatcherConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
        List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
        setMatchers(mvcMatchers);
        return new MvcMatchersRequestMatcherConfigurer(getContext(), this.matchers);
    }
Version
Reproduced on v5.3.4, but main and the latest v5.6.2 contain the same code.
Comment From: marcusdacoregio
Thanks for the report @vova-yatsyk-theraven, I was able to reproduce the bug here. This is now scheduled for the next patch release and should be backported to 5.5.x and 5.6.x.
As a workaround, you can specify it like this:
    http
        .requestMatchers()
            .mvcMatchers("/api-1", "/api-2", "/api-3")
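A simplified plain-Java model of the behaviour reported in this thread, added here as an illustration; it is not Spring Security code and does not come from the reporter or the maintainers. The names `MatcherOverrideModel`, `Configurer`, `effective` and `configure` are hypothetical, and the model assumes that each returned configurer keeps its own copy of the list it is given and that the effective matcher is rebuilt from the current configurer's list on every call.

```java
import java.util.ArrayList;
import java.util.List;

public class MatcherOverrideModel {
    // Patterns the security chain ends up matching; rebuilt on every mvcMatchers() call.
    // Stands in for the OrRequestMatcher mentioned in the report (assumption of this model).
    static List<String> effective = new ArrayList<>();

    // Hypothetical stand-in for a request-matcher configurer.
    static class Configurer {
        final List<String> matchers; // patterns this configurer instance knows about
        final boolean fixed;         // true = hand ALL collected patterns to the next configurer

        Configurer(List<String> initial, boolean fixed) {
            this.matchers = new ArrayList<>(initial); // own copy, not shared with the parent
            this.fixed = fixed;
        }

        Configurer mvcMatchers(String... patterns) {
            List<String> created = List.of(patterns);
            matchers.addAll(created);
            effective = new ArrayList<>(matchers);
            // Reported behaviour: the next configurer starts from 'created' only,
            // so patterns collected earlier are forgotten one call later.
            // Proposed change: start from everything collected so far.
            return new Configurer(fixed ? matchers : created, fixed);
        }
    }

    // Replays the chained calls from the report and returns the effective pattern list.
    static List<String> configure(boolean fixed) {
        effective = new ArrayList<>();
        new Configurer(List.of(), fixed)
                .mvcMatchers("/api-1")
                .mvcMatchers("/api-2")
                .mvcMatchers("/api-3");
        return effective;
    }

    public static void main(String[] args) {
        System.out.println("reported behaviour: " + configure(false));
        System.out.println("proposed change:    " + configure(true));
    }
}
```

Run it with JDK 11 or later (`java MatcherOverrideModel.java`): the first list lacks "/api-1", so the chain would not apply to that path, while the second holds all three patterns.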