Print ignore message DefaultSecurityFilterChain

When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
`ignoring()` settings.

Closes gh-9334

Author: Manuel Jordan

config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java

@@ -54,7 +54,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 
 	private ApplicationContext context;
 
-	private boolean anyRequestConfigured = false;
+	protected boolean anyRequestConfigured = false;
 
 	protected final void setApplicationContext(ApplicationContext context) {
 		this.context = context;
@@ -166,7 +166,8 @@ protected final List<MvcRequestMatcher> createMvcMatchers(HttpMethod method, Str
 		if (!this.context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
 			throw new NoSuchBeanDefinitionException("A Bean named " + HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME
 					+ " of type " + HandlerMappingIntrospector.class.getName()
-					+ " is required to use MvcRequestMatcher. Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
+					+ " is required to use MvcRequestMatcher."
+					+ " Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
 		}
 		HandlerMappingIntrospector introspector = this.context.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME,
 				HandlerMappingIntrospector.class);
@@ -266,7 +267,7 @@ public C requestMatchers(RequestMatcher... requestMatchers) {
 	 * @author Rob Winch
 	 * @since 3.2
 	 */
-	private static final class RequestMatchers {
+	public static final class RequestMatchers {
 
 		private RequestMatchers() {
 		}
@@ -279,7 +280,7 @@ private RequestMatchers() {
 		 * from
 		 * @return a {@link List} of {@link AntPathRequestMatcher} instances
 		 */
-		static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
+		public static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
 			String method = (httpMethod != null) ? httpMethod.toString() : null;
 			List<RequestMatcher> matchers = new ArrayList<>();
 			for (String pattern : antPatterns) {
@@ -295,7 +296,7 @@ static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatt
 		 * from
 		 * @return a {@link List} of {@link AntPathRequestMatcher} instances
 		 */
-		static List<RequestMatcher> antMatchers(String... antPatterns) {
+		public static List<RequestMatcher> antMatchers(String... antPatterns) {
 			return antMatchers(null, antPatterns);
 		}
 

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -17,6 +17,7 @@
 package org.springframework.security.config.annotation.web.builders;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 
 import javax.servlet.Filter;
@@ -30,6 +31,7 @@
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
+import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
@@ -60,6 +62,7 @@
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.firewall.RequestRejectedHandler;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
+import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
 import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcherEntry;
@@ -108,7 +111,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 
 	private WebInvocationPrivilegeEvaluator privilegeEvaluator;
 
-	private DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
+	private final DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
 
 	private SecurityExpressionHandler<FilterInvocation> expressionHandler = this.defaultWebSecurityExpressionHandler;
 
@@ -420,6 +423,8 @@ public class IgnoredRequestConfigurer extends AbstractRequestMatcherRegistry<Ign
 		@Override
 		public MvcMatchersIgnoredRequestConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
 			List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
+			Arrays.asList(mvcPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
+			mvcMatchers.stream().forEach((t) -> t.ignore());
 			WebSecurity.this.ignoredRequests.addAll(mvcMatchers);
 			return new MvcMatchersIgnoredRequestConfigurer(getApplicationContext(), mvcMatchers);
 		}
@@ -429,6 +434,38 @@ public MvcMatchersIgnoredRequestConfigurer mvcMatchers(String... mvcPatterns) {
 			return mvcMatchers(null, mvcPatterns);
 		}
 
+		/**
+		 * @since 5.5
+		 */
+		@Override
+		public IgnoredRequestConfigurer antMatchers(HttpMethod method) {
+			return antMatchers(method, "/**");
+		}
+
+		/**
+		 * @since 5.5
+		 */
+		@Override
+		public IgnoredRequestConfigurer antMatchers(HttpMethod method, String... antPatterns) {
+			Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
+			List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(method, antPatterns);
+			Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
+			antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
+			return chainRequestMatchers(antMatchers);
+		}
+
+		/**
+		 * @since 5.5
+		 */
+		@Override
+		public IgnoredRequestConfigurer antMatchers(String... antPatterns) {
+			Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
+			List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(antPatterns);
+			Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(null, t));
+			antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
+			return chainRequestMatchers(RequestMatchers.antMatchers(antPatterns));
+		}
+
 		@Override
 		protected IgnoredRequestConfigurer chainRequestMatchers(List<RequestMatcher> requestMatchers) {
 			WebSecurity.this.ignoredRequests.addAll(requestMatchers);
@@ -442,6 +479,33 @@ public WebSecurity and() {
 			return WebSecurity.this;
 		}
 
+		/**
+		 * @param method the HttpMethod, it could be null too.
+		 * @param pathPattern the path pattern to be ignored
+		 * @since 5.5
+		 */
+		private void printWarnSecurityMessage(HttpMethod method, String pathPattern) {
+			if (pathPattern.equals("/**")) {
+				WebSecurity.this.logger
+						.warn("**********************************************************************************");
+				if (method != null) {
+					WebSecurity.this.logger.warn(LogMessage.format(
+							"Applying explicit instruction to ignore the '/**' path for the HttpMethod: %s", method));
+					WebSecurity.this.logger.warn("You're disabling practically all the paths for that HttpMethod");
+					WebSecurity.this.logger
+							.warn("Therefore any path for that HttpMethod is completely ignored by Spring Security");
+				}
+				else {
+					WebSecurity.this.logger.warn("Applying explicit instruction to ignore the '/**' path");
+					WebSecurity.this.logger.warn("You're disabling practically all the paths");
+					WebSecurity.this.logger.warn("Therefore any path is completely ignored by Spring Security");
+				}
+				WebSecurity.this.logger.warn("It is not recomended for production");
+				WebSecurity.this.logger
+						.warn("**********************************************************************************");
+			}
+		}
+
 	}
 
 }