SpringBoot In Spring Boot 3.0.2, dispatcherServlet is not working when combined with filterChain function

I'm using spring-security in my project. After upgrading to Spring Boot 3.0.2, the dispatcherServlet seems not working.

I've composed a simple project here.

In the main branch, the project is backed by Spring Boot 2.7.8 and it's working * Run the application * Type curl localhost:8080 in the terminal and it returns No secrets here!.

In the spring-boot3 branch, the project is backed by Spring Boot 3.0.0 and it's not working * Run the application * Type curl localhost:8080 in the terminal and nothing returns. Note that apart from the dependency change, I only changed antMatchers to requestMatchers in here.

Additional reference on the spring-security's filterChain function.

Comment From: wilkinsona

Thanks for the report.

The change in behavior is due to this change in Spring Security. As I understand it, the change was made so that the defaults are more secure as an accidental hole in your security configuration will now result in the request being denied. You can allow access to / by adding .requestMatchers("/").anonymous() to your security configuration.

Please follow up on https://github.com/spring-projects/spring-security/issues/11958 if you have any further questions as they will be best addressed by the Spring Security team.

Comment From: JoeWang1127

Thanks, the .requestMatchers("/").anonymous() works with GetMapping("/").

However, I have a follow up question about why a secured path /topsecret is not working. I created an issue in spring-secret. Thanks for your advice.

Comment From: salim16

It doesn't work for me .. I am using spring boot 3.1.3

    http.cors(cors -> cors.configurationSource(corsConfigurationSource()))
        .authorizeHttpRequests(
            requests ->
                requests
                    .requestMatchers(publicUrls.toArray(String[]::new))
                    .permitAll()
                    .requestMatchers(forPort(managementPort))
                    .permitAll()
                    .requestMatchers("/")
                    .anonymous()
                    .anyRequest()
                    .authenticated())

Comment From: wilkinsona

@salim16 As described above, the functionality that you're asking about is part of Spring Security. If you believe you have found a bug, please open a Spring Security issue. If you're looking for some help, please ask on Stack Overflow.