Describe the bug

This is my Spring Security configuration. Using H2 with the dashboard does not work when I use a raw URL inside authorizeRequests, but the PathRequest.toH2Console() and AntPathRequestMatcher configs work great.

    @Bean
    fun securityFilterChainDSL(http: HttpSecurity): SecurityFilterChain {
        http {
            cors {}
            csrf { disable() }
            exceptionHandling { authenticationEntryPoint = unauthorizedHandler }
            authorizeRequests {
                authorize("/api/v1/auth/**", permitAll)
                authorize("/api/v1/swagger/**", permitAll)
                authorize("/swagger**/**", permitAll)
                //authorize(PathRequest.toH2Console(), permitAll) // works
                //authorize(AntPathRequestMatcher("/h2-console**/**"), permitAll) // works
                //authorize("/h2-console**/**", permitAll) // not working
                authorize(matches = anyRequest, access = authenticated)
            }
            sessionManagement { sessionCreationPolicy = SessionCreationPolicy.STATELESS }
            headers { frameOptions { disable() } }
            addFilterBefore<UsernamePasswordAuthenticationFilter>(filter = jwtAuthenticationFilter)
        }
        return http.build()
    }

To Reproduce

Activate the following line:

    authorize("/h2-console**/**", permitAll)

Expected behavior

The request matcher should work as it does for internal APIs such as "swagger".

Sample

I can create a repo for the issue, but I do not have one now.


Comment From: marcusdacoregio

Hi, @senocak. Thanks for the report.

Can you confirm that this is not a duplicate of https://github.com/spring-projects/spring-security/issues/12310#issuecomment-1328990026?

Comment From: senocak

Hi @marcusdacoregio, yes, it looks the same. I could not find that in the first place. Closing this.
