Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Favor PathPatternParser Over HandlerMappingIntrospector #16408

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Favor PathPatternParser Over HandlerMappingIntrospector #16408

wants to merge 4 commits into from

Conversation

jzheaux
Copy link
Contributor

@jzheaux jzheaux commented Jan 13, 2025
edited
Loading

Closes #13562

Instead of needing a HandlerMappingIntrospector instance, applications can now do the following to simplify specifying the servlet path in the Java DSL:

import static org.springframework.security.web.util.matcher.ServletRequestMatcherBuilders.servletPath;

@Bean 
SecurityFilterChain webSecurity(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests((authorize) -> authorize
            .requestMatchers(servletPath("/graphql").anyRequest()).hasRole("GRAPHQL")
            .requestMatchers(servletPath("/mvc").pattern("/these/**", "/endpoints/**")).hasRole("USER")
            .requestMatchers(servletPath("/mvc").pattern("/admin/**")).hasRole("ADMIN")
        // ....

    return http.build();
}

To apply one across all DSL instances, do:

@Bean 
RequestMatcherBuilder mvcOnly() {
    return ServletRequestMatcherBuilders.servletPath("/mvc");
}

@Bean 
SecurityFilterChain webSecurity(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests((authorize) -> authorize
            .requestMatchers(antPattern("/graphql/**")).hasRole("GRAPHQL")
            .requestMatchers("/these/**", "/endpoints/**").hasRole("USER")
            .requestMatchers("/admin/**").hasRole("ADMIN")
        // ....

    return http.build();
}

This second one is quite handy for when Spring MVC has a non-root servlet path. For example, there may be an option for Spring Boot to publish this bean since it knows when a servlet path has been specified in Boot properties

This PR also produces PathPatternRequestMatcher, which allows for specifying a PathPatternParser.

Questions:

  • Can we favor PathPatternRequestMatcher in a minor release? MvcRequestMatcher post-processors added to the ObjectPostProcessor<Object> would not have an effect in that case, meaning that the change isn't passive.

@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Jan 13, 2025
@jzheaux jzheaux self-assigned this Jan 13, 2025
@jzheaux jzheaux changed the title Simply MVC Request Matcher Construction Simplify MVC Request Matcher Construction Jan 13, 2025
@jzheaux jzheaux changed the title Simplify MVC Request Matcher Construction Simplify Spring MVC Request Matcher Construction Jan 13, 2025
@jzheaux jzheaux changed the title Simplify Spring MVC Request Matcher Construction Favor PathPatternParser Over HandlerMappingIntrospector Jan 15, 2025
@jzheaux jzheaux mentioned this pull request Jan 15, 2025
Open
8 tasks
@jzheaux jzheaux force-pushed the request-matcher-builder branch 2 times, most recently from 9c12df8 to aceb953 Compare January 16, 2025 20:01
@jzheaux jzheaux force-pushed the request-matcher-builder branch from aceb953 to 25cfbe8 Compare January 16, 2025 21:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jzheaux jzheaux

Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
Spring Security Team
Status: No status
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Simplify MvcRequestMatcher construction
1 participant
@jzheaux