The PathPatternRequestMatcher has been introduced since spring security 6.5. However the equals() method only takes into account the pattern, while extra criteria exists like method, servlet path. Shouldn't the equals() and hashCode() be extended to use these extra fields as well ?
This equals() logic might give issues, a dummy example could be to use a websecurity customizer, and ignore 2 entries e.g. path pattern(/foobar/, HEAD) and path pattern (/foobar/, PUT). Such config can lead to errors like UnreachableFilterChainException due to duplicates (both have same pattern and http method is ignored).
With an adapted equals() method, these would be seen as different request matchers. And hence no errors like UnreachableFilterchainException will be raised. Also see some other implementations like the mvc request matcher that does take into account the method.
Comment From: therepanic
Don't you think it's enough to just take into account the additional method field? The way I see it, because of PathPatternParser#parse, we don't need to add the servletPath field to equals & hashCode additionally, only pattern (as it is now) and method. @jzheaux wdyt? If that's the case, I would definitely like to work on it.
Comment From: bartvr
Also think that adding the method would be sufficient, since as I understand it, currently the servlet path is not really used since it is always linking to the any request matcher.
Comment From: jzheaux
Sure, @therepanic, a PR would be most welcome. Will you please base the PR off the 6.5.x branch?
Comment From: therepanic
Thanks, @jzheaux, no problem