Hello.

MVC Matcher rules that worked in Spring Security 5.7.6 don't work in 6.0.1.

Spring Security 5.7.6 configuration (Spring Boot 2.7.7 environment)

  • Configuration

```java
http.authorizeHttpRequests() //
    .mvcMatchers("/hello")
    .authenticated();
```

  • Test code

```java
// HTTP 200 Response
@Test
@WithUserDetails("mklinkj")
void testCallingHelloVariationWithAuthentication() throws Exception {
  mvc.perform(get("/hello/")) //
      .andExpect(status().isOk());
}
```

Spring Security 6.0.1 configuration (Spring Boot 3.0.1 environment)

  • Configuration

```java
http.authorizeHttpRequests() //
    .requestMatchers("/hello")
    .authenticated();
```

  • Test code

```java
// HTTP 403 Response
@Test
@WithUserDetails("mklinkj")
void testCallingHelloVariationWithAuthentication() throws Exception {
  mvc.perform(get("/hello/")) //
      .andExpect(status().isForbidden());
}
```

As above, I expected 200, but I get 403 response in Spring Security 6.0.1 environment.

I don't think I did anything wrong, but I shared it because I didn't know if it was a bug.

Thank you.

  • Sample Project mvcMatcherTest.zip
  • Repository Link https://github.com/mklinkj/QnA/tree/master/Spring-Security/mvcMatcherTest

Comment From: jzheaux

The reason is that in 6.0, the authorization filter is run for all dispatcher types, including FORWARD. This means that the JSP that is forwarded to also needs to be permitted.

You can achieve this by permitting FORWARDs:

```java
http.authorizeHttpRequests((authorize) -> authorize
    .dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()
    // ... the rest of your authorization rules
)
```

For more details, you can see the section about Spring MVC in the migration guide.

Comment From: mklinkj

Hello. Thank you for answer.

However, even if I set the FORWARD permit setting, it still returns a 403 response.

  • Configuration Class

```java
http.authorizeHttpRequests(
    authorize -> authorize
        // .shouldFilterAllDispatcherTypes(false) // Even adding this setting had no effect.
        .dispatcherTypeMatchers(DispatcherType.FORWARD)
        .permitAll()
        .requestMatchers("/hello")
        .authenticated());
```

  • REST Controller Method

```java
@GetMapping({"/hello"})
public String hello() {
  return "Hello!";
}
```

  • Test Code

```java
@Test
@WithUserDetails("mklinkj")
void testCallingHelloVariationWithAuthentication() throws Exception {
  mvc.perform(get("/hello/")) //
      .andExpect(status().isOk()); // Test failed with 403 response.
}
```

I'm not sure what the cause is.

I'll try to find out more slowly. Thank you.

  • Repository Link https://github.com/mklinkj/QnA/tree/master/Spring-Security/mvcMatcherTest

Comment From: its-felix

Adding dispatcherTypeMatchers configuration worked for me.

I quoted your response in here ( @jzheaux ): https://stackoverflow.com/a/75012896/4515989

Comment From: mklinkj

Hello.

I've solved the problem.

It was not related to Spring Security.

In Spring 6 MVC, trailing slashes in URLs are not automatically handled.

  • Spring-Boot-3.0-Migration-Guide - Web Application Changes
  • https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#web-application-changes

After adding the following settings the test was successful.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
  @Override
  public void configurePathMatch(PathMatchConfigurer configurer) {
    // Restore the Spring 5 behaviour: "/hello/" is routed to the "/hello" mapping.
    configurer.setUseTrailingSlashMatch(true);
  }
}
```
  • commit
  • https://github.com/mklinkj/QnA/commit/aeed19a99dda880f65cf9316be2eed85e28b0a08

Thank you all.
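Pulling the two findings of this thread together, the following is an added example written for this page; it is not code from the issue's sample project, from the linked Stack Overflow answer, or from Spring itself. It shows a Spring Security 6.0 / Spring Boot 3.0 configuration that applies both points: FORWARD dispatches are permitted, since 6.0 runs the authorization filter for every dispatcher type, and the trailing-slash change is handled by listing `/hello` and `/hello/` explicitly in both the controller mapping and the security rule, so both forms are protected by the same rule without re-enabling `setUseTrailingSlashMatch(true)`, which Spring Framework 6.0 marks as deprecated. The package name, the class names, the use of `@WithMockUser` instead of the thread's `@WithUserDetails("mklinkj")` user, and the closing `anyRequest().denyAll()` rule are assumptions made for the example.

```java
package example; // hypothetical package name

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import jakarta.servlet.DispatcherType;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
public class TrailingSlashApp {

  @Configuration
  static class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
      http.authorizeHttpRequests(authorize -> authorize
          // Spring Security 6.0 authorizes every dispatcher type, including FORWARD,
          // so a forward to a view (JSP, Thymeleaf, ...) must be permitted explicitly.
          .dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()
          // Spring MVC 6 no longer treats "/hello/" as "/hello". Rather than re-enabling
          // trailing-slash matching, list both forms so they share one rule.
          .requestMatchers("/hello", "/hello/").authenticated()
          // Anything no rule above matched is rejected outright (assumption for this example).
          .anyRequest().denyAll());
      return http.build();
    }
  }

  @RestController
  static class HelloController {
    // The controller mapping mirrors the two security patterns above, so a request
    // that reaches the handler is always one the authorization rule covered.
    @GetMapping({"/hello", "/hello/"})
    public String hello() {
      return "Hello!";
    }
  }
}

@SpringBootTest(classes = TrailingSlashApp.class)
@AutoConfigureMockMvc
class TrailingSlashTests {

  @Autowired MockMvc mvc;

  @Test
  @WithMockUser // any authenticated principal satisfies .authenticated()
  void bothPathFormsSucceedWhenAuthenticated() throws Exception {
    mvc.perform(get("/hello")).andExpect(status().isOk());
    mvc.perform(get("/hello/")).andExpect(status().isOk());
  }

  @Test
  void anonymousRequestIsRejectedOnBothForms() throws Exception {
    // No login mechanism is configured here, so the rejection is a 4xx (403 with the
    // default Http403ForbiddenEntryPoint); the point is that neither form slips through.
    mvc.perform(get("/hello")).andExpect(status().is4xxClientError());
    mvc.perform(get("/hello/")).andExpect(status().is4xxClientError());
  }
}
```

Listing both path forms keeps the controller mapping and the authorization rule in lockstep, which is the property worth checking after this migration: if a path can reach a handler, the same path must be matched by a security rule. The second test exists precisely to catch the case where one form is mapped but not protected.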