Use PathPatternRequestMatcher in saml2

Issue gh-16887

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -29,7 +29,6 @@
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
-import org.springframework.security.config.annotation.web.RequestMatcherFactory;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -237,7 +236,7 @@ public Saml2LoginConfigurer<B> authenticationRequestUriQuery(String authenticati
 		this.authenticationRequestParams = new String[parts.length - 1];
 		System.arraycopy(parts, 1, this.authenticationRequestParams, 0, parts.length - 1);
 		this.authenticationRequestMatcher = new PathQueryRequestMatcher(
-				RequestMatcherFactory.matcher(this.authenticationRequestUri), this.authenticationRequestParams);
+				getRequestMatcherBuilder().matcher(this.authenticationRequestUri), this.authenticationRequestParams);
 		return this;
 	}
 
@@ -254,13 +253,13 @@ public Saml2LoginConfigurer<B> authenticationRequestUriQuery(String authenticati
 	@Override
 	public Saml2LoginConfigurer<B> loginProcessingUrl(String loginProcessingUrl) {
 		Assert.hasText(loginProcessingUrl, "loginProcessingUrl cannot be empty");
-		this.loginProcessingUrl = RequestMatcherFactory.matcher(loginProcessingUrl);
+		this.loginProcessingUrl = getRequestMatcherBuilder().matcher(loginProcessingUrl);
 		return this;
 	}
 
 	@Override
 	protected RequestMatcher createLoginProcessingUrlMatcher(String loginProcessingUrl) {
-		return RequestMatcherFactory.matcher(loginProcessingUrl);
+		return getRequestMatcherBuilder().matcher(loginProcessingUrl);
 	}
 
 	/**
@@ -338,8 +337,8 @@ RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(B http) {
 	}
 
 	private AuthenticationEntryPoint getLoginEntryPoint(B http, String providerLoginPage) {
-		RequestMatcher loginPageMatcher = RequestMatcherFactory.matcher(this.getLoginPage());
-		RequestMatcher faviconMatcher = RequestMatcherFactory.matcher("/favicon.ico");
+		RequestMatcher loginPageMatcher = getRequestMatcherBuilder().matcher(this.getLoginPage());
+		RequestMatcher faviconMatcher = getRequestMatcherBuilder().matcher("/favicon.ico");
 		RequestMatcher defaultEntryPointMatcher = this.getAuthenticationEntryPointMatcher(http);
 		RequestMatcher defaultLoginPageMatcher = new AndRequestMatcher(
 				new OrRequestMatcher(loginPageMatcher, faviconMatcher), defaultEntryPointMatcher);
@@ -393,9 +392,9 @@ private Saml2AuthenticationRequestResolver getAuthenticationRequestResolver(B ht
 	private RequestMatcher getAuthenticationRequestMatcher() {
 		if (this.authenticationRequestMatcher == null) {
 			this.authenticationRequestMatcher = RequestMatchers.anyOf(
-					RequestMatcherFactory
+					getRequestMatcherBuilder()
 						.matcher(Saml2AuthenticationRequestResolver.DEFAULT_AUTHENTICATION_REQUEST_URI),
-					new PathQueryRequestMatcher(RequestMatcherFactory.matcher(this.authenticationRequestUri),
+					new PathQueryRequestMatcher(getRequestMatcherBuilder().matcher(this.authenticationRequestUri),
 							this.authenticationRequestParams));
 		}
 		return this.authenticationRequestMatcher;
@@ -404,8 +403,8 @@ private RequestMatcher getAuthenticationRequestMatcher() {
 	private RequestMatcher getLoginProcessingEndpoint() {
 		if (this.loginProcessingUrl == null) {
 			this.loginProcessingUrl = RequestMatchers.anyOf(
-					RequestMatcherFactory.matcher(Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI),
-					RequestMatcherFactory.matcher("/login/saml2/sso"));
+					getRequestMatcherBuilder().matcher(Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI),
+					getRequestMatcherBuilder().matcher("/login/saml2/sso"));
 		}
 
 		return this.loginProcessingUrl;

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java

@@ -27,7 +27,6 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
-import org.springframework.security.config.annotation.web.RequestMatcherFactory;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
@@ -279,19 +278,19 @@ private Saml2RelyingPartyInitiatedLogoutFilter createRelyingPartyLogoutFilter(
 	}
 
 	private RequestMatcher createLogoutMatcher() {
-		RequestMatcher logout = RequestMatcherFactory.matcher(HttpMethod.POST, this.logoutUrl);
+		RequestMatcher logout = getRequestMatcherBuilder().matcher(HttpMethod.POST, this.logoutUrl);
 		RequestMatcher saml2 = new Saml2RequestMatcher(getSecurityContextHolderStrategy());
 		return new AndRequestMatcher(logout, saml2);
 	}
 
 	private RequestMatcher createLogoutRequestMatcher() {
-		RequestMatcher logout = RequestMatcherFactory.matcher(this.logoutRequestConfigurer.logoutUrl);
+		RequestMatcher logout = getRequestMatcherBuilder().matcher(this.logoutRequestConfigurer.logoutUrl);
 		RequestMatcher samlRequest = new ParameterRequestMatcher("SAMLRequest");
 		return new AndRequestMatcher(logout, samlRequest);
 	}
 
 	private RequestMatcher createLogoutResponseMatcher() {
-		RequestMatcher logout = RequestMatcherFactory.matcher(this.logoutResponseConfigurer.logoutUrl);
+		RequestMatcher logout = getRequestMatcherBuilder().matcher(this.logoutResponseConfigurer.logoutUrl);
 		RequestMatcher samlResponse = new ParameterRequestMatcher("SAMLResponse");
 		return new AndRequestMatcher(logout, samlResponse);
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2MetadataConfigurer.java

@@ -22,7 +22,6 @@
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
-import org.springframework.security.config.annotation.web.RequestMatcherFactory;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.saml2.provider.service.metadata.OpenSaml4MetadataResolver;
@@ -111,12 +110,12 @@ public Saml2MetadataConfigurer<H> metadataUrl(String metadataUrl) {
 			if (USE_OPENSAML_5) {
 				RequestMatcherMetadataResponseResolver metadata = new RequestMatcherMetadataResponseResolver(
 						registrations, new OpenSaml5MetadataResolver());
-				metadata.setRequestMatcher(RequestMatcherFactory.matcher(metadataUrl));
+				metadata.setRequestMatcher(getRequestMatcherBuilder().matcher(metadataUrl));
 				return metadata;
 			}
 			RequestMatcherMetadataResponseResolver metadata = new RequestMatcherMetadataResponseResolver(registrations,
 					new OpenSaml4MetadataResolver());
-			metadata.setRequestMatcher(RequestMatcherFactory.matcher(metadataUrl));
+			metadata.setRequestMatcher(getRequestMatcherBuilder().matcher(metadataUrl));
 			return metadata;
 		};
 		return this;

config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurerTests.java

@@ -38,6 +38,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
+import org.springframework.http.HttpMethod;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockHttpSession;
@@ -77,7 +78,6 @@
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
 import org.springframework.security.web.servlet.TestMockHttpServletRequests;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.request.RequestPostProcessor;
@@ -97,6 +97,7 @@
 import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
@@ -620,7 +621,7 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
 				.saml2Logout((saml2) -> saml2.addObjectPostProcessor(new ObjectPostProcessor<LogoutFilter>() {
 					@Override
 					public <O extends LogoutFilter> O postProcess(O filter) {
-						filter.setLogoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"));
+						filter.setLogoutRequestMatcher(pathPattern(HttpMethod.GET, "/logout"));
 						return filter;
 					}
 				}));

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/BaseOpenSamlAuthenticationTokenConverter.java

@@ -30,11 +30,12 @@
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers.UriResolver;
 import org.springframework.security.web.authentication.AuthenticationConverter;
-import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+
 final class BaseOpenSamlAuthenticationTokenConverter implements AuthenticationConverter {
 
 	static {
@@ -45,9 +46,8 @@ final class BaseOpenSamlAuthenticationTokenConverter implements AuthenticationCo
 
 	private final RelyingPartyRegistrationRepository registrations;
 
-	private RequestMatcher requestMatcher = new OrRequestMatcher(
-			PathPatternRequestMatcher.withDefaults().matcher("/login/saml2/sso/{registrationId}"),
-			PathPatternRequestMatcher.withDefaults().matcher("/login/saml2/sso"));
+	private RequestMatcher requestMatcher = new OrRequestMatcher(pathPattern("/login/saml2/sso/{registrationId}"),
+			pathPattern("/login/saml2/sso"));
 
 	private Saml2AuthenticationRequestRepository<?> authenticationRequests = new HttpSessionSaml2AuthenticationRequestRepository();
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/BaseOpenSamlAuthenticationRequestResolver.java

@@ -57,6 +57,8 @@
 import org.springframework.security.web.util.matcher.RequestMatchers;
 import org.springframework.util.Assert;
 
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+
 /**
  * For internal use only. Intended for consolidating common behavior related to minting a
  * SAML 2.0 Authn Request.
@@ -222,7 +224,7 @@ private static final class PathPatternQueryRequestMatcher implements RequestMatc
 
 		PathPatternQueryRequestMatcher(String path, String... params) {
 			List<RequestMatcher> matchers = new ArrayList<>();
-			matchers.add(PathPatternRequestMatcher.withDefaults().matcher(path));
+			matchers.add(pathPattern(path));
 			for (String param : params) {
 				String[] parts = param.split("=");
 				if (parts.length == 1) {

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/Saml2WebSsoAuthenticationFilter.java

@@ -34,11 +34,12 @@
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
-import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+
 /**
  * @since 5.2
  */
@@ -47,8 +48,7 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
 	public static final String DEFAULT_FILTER_PROCESSES_URI = "/login/saml2/sso/{registrationId}";
 
 	private static final RequestMatcher DEFAULT_REQUEST_MATCHER = new OrRequestMatcher(
-			PathPatternRequestMatcher.withDefaults().matcher(DEFAULT_FILTER_PROCESSES_URI),
-			PathPatternRequestMatcher.withDefaults().matcher("/login/saml2/sso"));
+			pathPattern(DEFAULT_FILTER_PROCESSES_URI), pathPattern("/login/saml2/sso"));
 
 	private final AuthenticationConverter authenticationConverter;
 
@@ -64,7 +64,7 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
 	 */
 	public Saml2WebSsoAuthenticationFilter(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
 		this(relyingPartyRegistrationRepository, DEFAULT_FILTER_PROCESSES_URI);
-		RequestMatcher processUri = PathPatternRequestMatcher.withDefaults().matcher(DEFAULT_FILTER_PROCESSES_URI);
+		RequestMatcher processUri = pathPattern(DEFAULT_FILTER_PROCESSES_URI);
 		setRequiresAuthenticationRequestMatcher(processUri);
 	}
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/BaseOpenSamlLogoutRequestValidatorParametersResolver.java

@@ -33,11 +33,12 @@
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
-import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+
 /**
  * An OpenSAML-based implementation of
  * {@link Saml2LogoutRequestValidatorParametersResolver}
@@ -53,9 +54,8 @@ final class BaseOpenSamlLogoutRequestValidatorParametersResolver
 
 	private final RelyingPartyRegistrationRepository registrations;
 
-	private RequestMatcher requestMatcher = new OrRequestMatcher(
-			PathPatternRequestMatcher.withDefaults().matcher("/logout/saml2/slo/{registrationId}"),
-			PathPatternRequestMatcher.withDefaults().matcher("/logout/saml2/slo"));
+	private RequestMatcher requestMatcher = new OrRequestMatcher(pathPattern("/logout/saml2/slo/{registrationId}"),
+			pathPattern("/logout/saml2/slo"));
 
 	/**
 	 * Constructs a {@link BaseOpenSamlLogoutRequestValidatorParametersResolver}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutResponseFilter.java

@@ -41,11 +41,12 @@
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers.UriResolver;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
-import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.OncePerRequestFilter;
 
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+
 /**
  * A filter for handling a <saml2:LogoutResponse> sent from the asserting party. A
  * <saml2:LogoutResponse> is sent in response to a <saml2:LogoutRequest>
@@ -72,7 +73,7 @@ public final class Saml2LogoutResponseFilter extends OncePerRequestFilter {
 
 	private Saml2LogoutRequestRepository logoutRequestRepository = new HttpSessionLogoutRequestRepository();
 
-	private RequestMatcher logoutRequestMatcher = PathPatternRequestMatcher.withDefaults().matcher("/logout/saml2/slo");
+	private RequestMatcher logoutRequestMatcher = pathPattern("/logout/saml2/slo");
 
 	public Saml2LogoutResponseFilter(RelyingPartyRegistrationRepository registrations,
 			Saml2LogoutResponseValidator logoutResponseValidator, LogoutSuccessHandler logoutSuccessHandler) {

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/metadata/RequestMatcherMetadataResponseResolver.java

@@ -34,11 +34,12 @@
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
-import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+
 /**
  * An implementation of {@link Saml2MetadataResponseResolver} that identifies which
  * {@link RelyingPartyRegistration}s to use with a {@link RequestMatcher}
@@ -51,9 +52,8 @@ public class RequestMatcherMetadataResponseResolver implements Saml2MetadataResp
 	private static final String DEFAULT_METADATA_FILENAME = "saml-{registrationId}-metadata.xml";
 
 	private RequestMatcher matcher = new OrRequestMatcher(
-			PathPatternRequestMatcher.withDefaults().matcher("/saml2/service-provider-metadata/{registrationId}"),
-			PathPatternRequestMatcher.withDefaults().matcher("/saml2/metadata/{registrationId}"),
-			PathPatternRequestMatcher.withDefaults().matcher("/saml2/metadata"));
+			pathPattern("/saml2/service-provider-metadata/{registrationId}"),
+			pathPattern("/saml2/metadata/{registrationId}"), pathPattern("/saml2/metadata"));
 
 	private String filename = DEFAULT_METADATA_FILENAME;