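I have this single file in my sample Spring application:

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.web.SecurityFilterChain;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.PathVariable;
    import org.springframework.web.bind.annotation.PostMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.ResponseBody;
    import org.springframework.web.bind.annotation.RestController;

    @SpringBootApplication
    @Controller
    public class SpringMvcExampleApplication {
        public static void main(String[] args) {
            SpringApplication.run(SpringMvcExampleApplication.class, args);
        }
    }

    // Public landing page: a form that POSTs to the secured /home/{id} endpoint.
    @RestController
    class IndexController {
        @GetMapping("/")
        public String index() {
            return """
                    <form method="post" action="/home/1234">
                        <input type="submit" value="post"/>
                    </form>
                    """;
        }
    }

    // Secured endpoints: GET /home renders the page, POST /home/{id} redirects to it.
    @Controller
    @RequestMapping("/home")
    class HomeController {
        @GetMapping
        @ResponseBody
        String homeGet() {
            return "<h1>Hello</h1>";
        }

        @PostMapping("/{id}")
        String homePost(@PathVariable String id) {
            return "redirect:/home";
        }
    }

    @Configuration
    @EnableWebSecurity
    class Config {
        @Bean
        SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            return http
                    .formLogin()
                    .and()
                    // CSRF is disabled so the plain form above can POST without a token.
                    .csrf(cfg -> cfg.disable())
                    .authorizeHttpRequests(authorize -> authorize
                            .requestMatchers("/").permitAll()
                            .requestMatchers("/home/**").authenticated()
                    )
                    .build();
        }
    }
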
I am trying to have a default page with a button which requires the user to be logged in. After clicking the button you are redirected to a secured page; if you are not logged in, you should log in and then be redirected.
In Spring Boot parent version 3, I click the button, the login page shows up (expected), I enter credentials (which are "user" and the generated password) and then I get a 403 error code.
In Spring Boot parent version 2, I change the requestMatchers call to mvcMatchers (because I have to) and everything works; I get redirected to the secured page normally.
Please notice the use of a path variable; I think this is important as well.
I wonder what the issue is. It looks like a bug, because technically it's the same code, since requestMatchers is the replacement for mvcMatchers.
Also note that this is a simplified version of what I have in a larger project, and I tried to simplify the problem as much as I could.
Comment From: Kehrlann
This seems fixed in Boot 3.0.3 (broken up to 3.0.2).
Comment From: sandrojologua
@Kehrlann Tried with all versions (from start.spring.io) higher than 3.0.2, but it seems to me that the issue is still there.
Comment From: Kehrlann
I tried an hour ago with 3.0.3 from start.spring.io, with the following build.gradle.kts, and it seems to work.

    plugins {
        java
        id("org.springframework.boot") version "3.0.3"
        id("io.spring.dependency-management") version "1.1.0"
    }

    group = "wf.garnier"
    version = "0.0.1-SNAPSHOT"
    java.sourceCompatibility = JavaVersion.VERSION_17

    repositories {
        mavenCentral()
    }

    dependencies {
        implementation("org.springframework.boot:spring-boot-starter-security")
        implementation("org.springframework.boot:spring-boot-starter-web")
        testImplementation("org.springframework.boot:spring-boot-starter-test")
        testImplementation("org.springframework.security:spring-security-test")
    }

    tasks.withType<Test> {
        useJUnitPlatform()
    }

The issue seems to have been fixed when gh-12665 was fixed.
Comment From: sandrojologua
@Kehrlann Sorry for the confusion. You are correct. Thanks.
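
The access rules from the posted `Config`, pinned down as a MockMvc test that can be run against each Boot version when moving from mvcMatchers to requestMatchers. This is an added example, not code from the thread or from Spring Security. It assumes the classes from the original post are in the same package, relies on the `spring-security-test` dependency listed in the build file above, and checks only the matcher rules, not the browser login-and-redirect flow from the report; the class name `MatcherRulesTest` is made up.

```java
// Added example; assumes the classes from the original post are in this package.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class MatcherRulesTest {

    @Autowired
    MockMvc mvc;

    // "/" is permitAll(): reachable without a session.
    @Test
    void indexIsPublic() throws Exception {
        mvc.perform(get("/")).andExpect(status().isOk());
    }

    // "/home/**" is authenticated(): an anonymous POST is redirected to the login page.
    @Test
    void anonymousPostIsSentToLogin() throws Exception {
        mvc.perform(post("/home/1234"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrlPattern("**/login"));
    }

    // With a user in the security context, the path-variable endpoint must not return 403.
    @Test
    @WithMockUser
    void authenticatedPostReachesController() throws Exception {
        mvc.perform(post("/home/1234"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrl("/home"));
    }

    // The redirect target itself is served to an authenticated user.
    @Test
    @WithMockUser
    void authenticatedGetIsAllowed() throws Exception {
        mvc.perform(get("/home")).andExpect(status().isOk());
    }
}
```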