Describe the bug

Due to the deprecation of MvcRequestMatcher, its replacement 'PathPatternRequestMatcher' requires knowing the servlet path(s) beforehand. In my use case I cannot know this.

To Reproduce

  1. Have the security chain defined in a separate autoconfigure module, with a permitAll path.
  2. Have a servlet path defined in the application that uses the autoconfigure module.
  3. In the old (MvcRequestMatcher) situation: request /servlet-path/permit-all-path = 200
  4. In the new (PathPatternRequestMatcher) situation: request /servlet-path/permit-all-path = Err

Expected behavior

Another matcher that can dynamically add the requestMatchers to each registered servlet within the application, without requiring me to know the servlet paths beforehand.

Sample

See a sample in this repo: https://github.com/genie137/demo-depr-webmvc-matcher

I have taken the important parts from closed-source libraries to reproduce.

Comment From: jzheaux

Hi, @genie137, thanks for reaching out. This concern was also raised by the Boot team.

As of Security 7.0.0-M2 the following should work, if not already applied by Boot:

@Bean 
PathPatternRequestMatcherBuilderFactoryBean requestMatcherBuilder(DispatcherServletPath servletPath) {
    PathPatternRequestMatcherBuilderFactoryBean bean = new PathPatternRequestMatcherBuilderFactoryBean();
    String path = servletPath.getPath();
    if (!"/".equals(path)) {
        bean.setBasePath(path);
    }
    return bean;
}

With Boot 3.5, can you please add the following to your auto-configuration:

@Bean
PathPatternRequestMatcher.Builder requestMatcherBuilder(PathPatternParser mvcPatternParser, DispatcherServletPath servletPath) {
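    // Build on the PathPatternParser bean configured by Spring Web
    PathPatternRequestMatcher.Builder builder = PathPatternRequestMatcher.withPathPatternParser(mvcPatternParser);
    String path = servletPath.getPath();
    // Prefix every pattern with the servlet path unless the servlet is mapped at the root
    return ("/".equals(path)) ? builder : builder.basePath(path);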
}

This snippet should do the following:

  1. Pick up the PathPatternParser bean configured by Spring Web
  2. Pick up the servlet path configured in your application properties
  3. Publish a bean that the DSL will use to prefix all URI patterns

I've added https://github.com/spring-projects/spring-security/issues/17811 to add this to the migration guide.
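
The matching difference behind this report and the effect of `basePath`, as an added example that is not part of the thread or of Spring Security's own code. It assumes spring-security-web 6.5+ and spring-test on the classpath; the class name, the constructed mock requests and the `/admin/**` pattern are hypothetical, while `/servlet-path` and `/permit-all-path` are the paths from the report.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added illustration; not code from the issue, the sample repo or Spring Security.
// Assumes spring-security-web 6.5+ and spring-test on the classpath.
public class BasePathMatchDemo {

    // Servlet path from the report's example; an application would set its own.
    static final String SERVLET_PATH = "/servlet-path";

    // Constructed request, shaped as it arrives when the DispatcherServlet
    // is mapped to SERVLET_PATH + "/*".
    static MockHttpServletRequest get(String pathWithinServlet) {
        MockHttpServletRequest request =
                new MockHttpServletRequest("GET", SERVLET_PATH + pathWithinServlet);
        request.setServletPath(SERVLET_PATH);
        request.setPathInfo(pathWithinServlet);
        return request;
    }

    static void report(String label, RequestMatcher matcher, String path) {
        System.out.printf("%-28s %-18s matches=%b%n", label, path, matcher.matches(get(path)));
    }

    public static void main(String[] args) {
        // What the shared auto-configuration writes: no servlet path.
        PathPatternRequestMatcher.Builder bare = PathPatternRequestMatcher.withDefaults();
        // What the builder bean from the comment above publishes.
        PathPatternRequestMatcher.Builder prefixed =
                PathPatternRequestMatcher.withDefaults().basePath(SERVLET_PATH);

        report("bare /permit-all-path", bare.matcher("/permit-all-path"), "/permit-all-path");
        report("prefixed /permit-all-path", prefixed.matcher("/permit-all-path"), "/permit-all-path");

        // The miss is not limited to permitAll rules. "/admin/**" is a hypothetical
        // restricted pattern: without the base path it does not match either, so the
        // request is decided by whichever later rule (such as anyRequest()) applies.
        report("bare /admin/**", bare.matcher("/admin/**"), "/admin/users");
        report("prefixed /admin/**", prefixed.matcher("/admin/**"), "/admin/users");
    }
}
```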

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.