Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide MvcRequestMatcher.Builder that correctly configures the servlet path #37917

Open
jzheaux opened this issue Oct 17, 2023 · 0 comments
Open

Provide MvcRequestMatcher.Builder that correctly configures the servlet path #37917

jzheaux opened this issue Oct 17, 2023 · 0 comments
Labels
status: pending-design-work Needs design work before any code can be developed type: enhancement A general enhancement
Milestone
3.5.x

Comments

@jzheaux
Copy link
Contributor

jzheaux commented Oct 17, 2023
edited
Loading

If there is only one dispatcher servlet in the servlet context, then it would be nice to have a simpler way to construct MvcRequestMatcher instances.

As it is, an application that is constructing an MvcRequestMatcher must do:

@Bean 
SecurityFilterChain appSecurity(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
    MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector);
    http
        .securityMatchers((security) -> security.requestMatchers(mvc.pattern("/controller/**")))
        /// ...

If they have configured spring.mvc.servlet.path, then they additionally need to provide that to the matcher as well like so:

@Bean 
SecurityFilterChain appSecurity(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
    MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector).servletPath("/mvc");
    http
        .securityMatchers((security) -> security.requestMatchers(mvc.pattern("/controller/**")))
        /// ...

These two values, the HandlerMappingIntrospector and the servlet path configuration, Spring Boot already knows. Given that, it would be nice if a Boot application could instead do:

@Bean 
SecurityFilterChain appSecurity(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
    http
        .securityMatchers((security) -> security.requestMatchers(mvc.pattern("/controller/**")))
        /// ...

I think it best to publish this bean in the event that there is only one DispatcherServlet servlet mapping.

The logic would be something like this (pseudocode follows):

@Conditional(ExactlyOneDispatcherServlet.class)
@Bean 
MvcRequestMatcher.Builder mvcRequestMatcherBuilder(HandlerMappingIntrospector introspector, WebMvcProperties properties) {
    String servletPath = properties.getServlet().getPath();
    MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector)
    return ("/".equals(servletPath)) ? mvc : mvc.servletPath(servletPath);
}

where ExactlyOneDispatcherServlet checks the servlet configuration for multiple servlet mappings tied to servlets of type DispatcherServlet.

In Spring Security 6.2, the need for an MvcRequestMatcher when using authorizeHttpRequests is greatly reduced. That said, it will still be needed for the foreseeable future when activating the default servlet or when using the securityMatchers, csrf#ignoringRequestMatchers, and requiresSecure DSLs.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 17, 2023
@mhalbritter mhalbritter added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 19, 2023
@mhalbritter mhalbritter added this to the 3.x milestone Oct 19, 2023
@mhalbritter mhalbritter modified the milestones: 3.x, 3.3.x Nov 15, 2023
Wzy19930507 added a commit to Wzy19930507/spring-boot that referenced this issue Jan 26, 2024
@Wzy19930507
Provide MvcRequestMatcher.Builder that correctly configures the servl…
3805a68 
…et path

When only one `DispatcherServlet` servlet mapping, publish `MvcRequestMatcher.Builder` bean

Closes spring-projects#37917
@Wzy19930507 Wzy19930507 mentioned this issue Jan 26, 2024
Closed
Wzy19930507 added a commit to Wzy19930507/spring-boot that referenced this issue Jan 26, 2024
@Wzy19930507
Provide MvcRequestMatcher.Builder that correctly configures the servl…
eccc9d9 
…et path

When only one `DispatcherServlet` servlet mapping, publish `MvcRequestMatcher.Builder` bean

Closes spring-projects#37917
@wilkinsona wilkinsona added the status: pending-design-work Needs design work before any code can be developed label Jan 26, 2024
@philwebb philwebb modified the milestones: 3.3.x, 3.4.x May 6, 2024
@philwebb philwebb modified the milestones: 3.4.x, 3.5.x Jun 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: pending-design-work Needs design work before any code can be developed type: enhancement A general enhancement
Projects
None yet
Milestone
3.5.x
Development

Successfully merging a pull request may close this issue.

Provide MvcRequestMatcher.Builder that correctly configures the servlet path Wzy19930507/spring-boot
5 participants
@philwebb @wilkinsona @jzheaux @spring-projects-issues @mhalbritter