Can be seen in action here --> https://github.com/Enigo/SpringSecurityBug

Expected behaviour

antMatchers together with oauth2ResourceServer are working properly on both 2.5.6 and 2.5.7+ spring-boot-starter-parent versions

Current behaviour

When updated to spring-boot-starter-parent version 2.5.7, antMatchers together with oauth2ResourceServer are not working anymore - Failed to authorize filter invocation

I think the relevant logs would be:

2.5.7

2021-12-23 14:48:10.484 DEBUG 9552 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2021-12-23 14:48:10.717 DEBUG 9552 --- [nio-8080-exec-6] o.s.s.o.s.r.a.JwtAuthenticationProvider  : Authenticated token
2021-12-23 14:48:10.717 DEBUG 9552 --- [nio-8080-exec-5] o.s.s.o.s.r.a.JwtAuthenticationProvider  : Authenticated token
2021-12-23 14:48:10.718 DEBUG 9552 --- [nio-8080-exec-5] .o.s.r.w.BearerTokenAuthenticationFilter : Set SecurityContextHolder to JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@8dfbdb19, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ADMIN]]
2021-12-23 14:48:10.718 DEBUG 9552 --- [nio-8080-exec-6] .o.s.r.w.BearerTokenAuthenticationFilter : Set SecurityContextHolder to JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@8dfbdb19, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ADMIN]]
2021-12-23 14:48:10.727 DEBUG 9552 --- [nio-8080-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor    : Failed to authorize filter invocation [GET /api/exchanges/] with attributes [hasAnyRole('ADMIN, USER')]
2021-12-23 14:48:10.730 DEBUG 9552 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2021-12-23 14:48:10.732 DEBUG 9552 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

2.5.6


2021-12-23 14:54:26.282 DEBUG 10533 --- [nio-8080-exec-8] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2021-12-23 14:54:26.898 DEBUG 10533 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Securing GET /api/exchanges/
2021-12-23 14:54:26.899 DEBUG 10533 --- [nio-8080-exec-9] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2021-12-23 14:54:26.903 DEBUG 10533 --- [nio-8080-exec-9] o.s.s.o.s.r.a.JwtAuthenticationProvider  : Authenticated token
2021-12-23 14:54:26.904 DEBUG 10533 --- [nio-8080-exec-9] .o.s.r.w.BearerTokenAuthenticationFilter : Set SecurityContextHolder to JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@8dfbdb19, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ADMIN]]
2021-12-23 14:54:26.904 DEBUG 10533 --- [nio-8080-exec-9] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorized filter invocation [GET /api/exchanges/] with attributes [hasAnyRole('ADMIN, USER')]
2021-12-23 14:54:26.904 DEBUG 10533 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Secured GET /api/exchanges/
2021-12-23 14:54:26.906 DEBUG 10533 --- [nio-8080-exec-9] o.s.s.a.i.a.MethodSecurityInterceptor    : Authorized ReflectiveMethodInvocation: public java.lang.Iterable ExchangeController.getAllExchanges(); target is of class [com.smaato.sem.rest.exchange.ExchangeController] with attributes [ROLE_USER, ROLE_ADMIN]
2021-12-23 14:54:26.922 DEBUG 10533 --- [nio-8080-exec-9] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

On version 2.5.7, all is2xxSuccessful tests are failing with

java.lang.AssertionError: Range for response status value 403 expected:<SUCCESSFUL> but was:<CLIENT_ERROR>
Expected :SUCCESSFUL
Actual   :CLIENT_ERROR

Reproducible also on

https://github.com/spring-projects/spring-boot/releases/tag/v2.4.13
https://github.com/spring-projects/spring-boot/releases/tag/v2.6.0

There is a similar set of changes across those 3 versions.

Note! I also added

spring:
  mvc:
    pathmatch:
      matching-strategy: ant_path_matcher

but it didn't help.

Comment From: philwebb

Spring Framework recently fixed a bug involving SpEL expressions and commas. Unfortunately your configuration relies on this bug.

If you change this line of your SecurityConfiguration from hasAnyRole('ADMIN, USER') to hasAnyRole('ADMIN', 'USER'), things work as expected.
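For readers landing on this thread, here is what the corrected configuration looks like. This is an added example, not the reporter's SecurityConfiguration and not code from Spring Security or Spring Boot; it assumes a Boot 2.5-era WebSecurityConfigurerAdapter, a JWT resource server (as in the logs above), and the /api/exchanges/ path taken from the FilterSecurityInterceptor log lines. The attribute string in the log, hasAnyRole('ADMIN, USER'), is a single SpEL string literal containing a comma; the fix passes two separate string literals, and the typed hasAnyRole(String...) overload avoids the SpEL quoting question altogether.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Assumed application class; the reporter's actual SecurityConfiguration is not on this page.
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                // Broken on 2.5.7+ (Spring Framework fixed the SpEL comma handling it relied on):
                // a single string literal "ADMIN, USER" is one role name, not two.
                // .antMatchers("/api/exchanges/**").access("hasAnyRole('ADMIN, USER')")

                // Corrected SpEL form: two separate string literals.
                .antMatchers("/api/exchanges/**").access("hasAnyRole('ADMIN', 'USER')")

                // Equivalent typed form for any other endpoints; no SpEL string to mis-quote.
                // (Path pattern is a placeholder, not from the reporter's project.)
                .antMatchers("/api/other/**").hasAnyRole("ADMIN", "USER")

                .anyRequest().authenticated())
            // JWT bearer-token resource server, matching the BearerTokenAuthenticationFilter
            // and JwtAuthenticationProvider entries in the logs above.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt());
    }
}
```

A quick way to confirm the fix is in place: with DEBUG logging on org.springframework.security, the FilterSecurityInterceptor line should now read "Authorized filter invocation [GET /api/exchanges/] with attributes [hasAnyRole('ADMIN', 'USER')]", and the ROLE_ADMIN token from the logs above should get a 2xx instead of the 403.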