Spring Security Factory method 'securityFilterChain' threw exception with message: This method cannot decide whether these patterns are Spring MVC patterns or not

Describe the bug

An error message from //.requestMatchers("/error").permitAll() This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher)., it appears there is a confusion about the type of matcher to use for our requestMatchers configuration.

You can resolve this by using the requestMatchers(new AntPathRequestMatcher("/error")).permitAll()method instead of requestMatchers()

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChains' parameter 0: Error creating bean with name 'securityFilterChain' defined in class path resource [toto/config/SecurityConfiguration.class]: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'securityFilterChain' threw exception with message: This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher). .

To Reproduce Steps to reproduce the behavior.

Expected behavior A clear and concise description of what you expected to happen.

Sample

A link to a GitHub repository with a minimal, reproducible sample.

Reports that include a sample will take priority over reports that do not. At times, we may require a sample, so it is good to try and include a sample up front.

Comment From: arshadalisoomro

There is small configuration which will prevent us from:

This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher). error.

It is clearly mentoined at Configuration Migrations

If you are having problem with the new requestMatchers methods, you can always switch back to the RequestMatcher implementation that you were using. For example, if you still want to use AntPathRequestMatcher and RegexRequestMatcher implementations, you can use the requestMatchers method that accepts a RequestMatcher instance:

Okay! In the context of issue mentoined, you should try to add antMatcher(pattern) as parameter to requestMatchers() as shown below:

@Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http.csrf(csrf -> csrf.disable())
           .authorizeHttpRequests(auth -> {
            auth.anyRequest().authenticated();
            auth.requestMatchers(antMatcher("/auth/**")).permitAll();
            auth.anyRequest().authenticated();
        }).httpBasic().and().build();
    }

Hope it will solve your issue.

Comment From: marcusdacoregio

Hi, @Mbaroudi. This is probably related to https://github.com/spring-projects/spring-security/issues/13850. That fix has been backported to the maintenance branches and will be available when they are released.

For the time being take a peek at the docs and try doing:

@Bean
MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
    return new MvcRequestMatcher.Builder(introspector);
}

@Bean
SecurityFilterChain appEndpoints(HttpSecurity http, MvcRequestMatcher.Builder mvc) {
    http
        .authorizeHttpRequests((authorize) -> authorize
            .requestMatchers(mvc.pattern("/my/controller/**")).hasAuthority("controller")
            .anyRequest().authenticated()
        );

    return http.build();
}

You can also try the latest SNAPSHOT and check if the problem is solved.