Use PathPatternRequestMatcher in web

Issue gh-16887

Author: jzheaux

web/src/main/java/org/springframework/security/web/access/HandlerMappingIntrospectorRequestTransformer.java

@@ -46,11 +46,12 @@
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.GenericFilterBean;
 
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+
 /**
  * Abstract processor of browser-based HTTP-based authentication requests.
  *
@@ -395,7 +396,7 @@ public void setAuthenticationManager(AuthenticationManager authenticationManager
 	 * @param filterProcessesUrl
 	 */
 	public void setFilterProcessesUrl(String filterProcessesUrl) {
-		setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher(filterProcessesUrl));
+		setRequiresAuthenticationRequestMatcher(pathPattern(filterProcessesUrl));
 	}
 
 	public final void setRequiresAuthenticationRequestMatcher(RequestMatcher requestMatcher) {

web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java

@@ -29,13 +29,14 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
-import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 import org.springframework.web.filter.GenericFilterBean;
 
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+
 /**
  * Logs a principal out.
  * <p>
@@ -140,7 +141,7 @@ public void setLogoutRequestMatcher(RequestMatcher logoutRequestMatcher) {
 	}
 
 	public void setFilterProcessesUrl(String filterProcessesUrl) {
-		this.logoutRequestMatcher = PathPatternRequestMatcher.withDefaults().matcher(filterProcessesUrl);
+		this.logoutRequestMatcher = pathPattern(filterProcessesUrl);
 	}
 
 }

web/src/main/java/org/springframework/security/web/authentication/logout/LogoutFilter.java

@@ -18,7 +18,8 @@
 
 import org.springframework.http.HttpMethod;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
-import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
+
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
 
 /**
  * Filter that processes a one-time token for log in.
@@ -34,7 +35,7 @@ public final class OneTimeTokenAuthenticationFilter extends AbstractAuthenticati
 	public static final String DEFAULT_LOGIN_PROCESSING_URL = "/login/ott";
 
 	public OneTimeTokenAuthenticationFilter() {
-		super(PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, DEFAULT_LOGIN_PROCESSING_URL));
+		super(pathPattern(HttpMethod.POST, DEFAULT_LOGIN_PROCESSING_URL));
 		setAuthenticationConverter(new OneTimeTokenAuthenticationConverter());
 	}
 

web/src/main/java/org/springframework/security/web/authentication/ott/OneTimeTokenAuthenticationFilter.java

@@ -63,13 +63,12 @@
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
-import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.UrlUtils;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.GenericFilterBean;
-import org.springframework.web.util.UrlPathHelper;
+
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
 
 /**
  * Switch User processing filter responsible for user context switching.
@@ -129,9 +128,9 @@ public class SwitchUserFilter extends GenericFilterBean implements ApplicationEv
 
 	protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
 
-	private RequestMatcher exitUserMatcher = createMatcher("/logout/impersonate", true);
+	private RequestMatcher exitUserMatcher = createMatcher("/logout/impersonate");
 
-	private RequestMatcher switchUserMatcher = createMatcher("/login/impersonate", true);
+	private RequestMatcher switchUserMatcher = createMatcher("/login/impersonate");
 
 	private String targetUrl;
 
@@ -408,7 +407,7 @@ public void setUserDetailsService(UserDetailsService userDetailsService) {
 	public void setExitUserUrl(String exitUserUrl) {
 		Assert.isTrue(UrlUtils.isValidRedirectUrl(exitUserUrl),
 				"exitUserUrl cannot be empty and must be a valid redirect URL");
-		this.exitUserMatcher = createMatcher(exitUserUrl, false);
+		this.exitUserMatcher = createMatcher(exitUserUrl);
 	}
 
 	/**
@@ -428,7 +427,7 @@ public void setExitUserMatcher(RequestMatcher exitUserMatcher) {
 	public void setSwitchUserUrl(String switchUserUrl) {
 		Assert.isTrue(UrlUtils.isValidRedirectUrl(switchUserUrl),
 				"switchUserUrl cannot be empty and must be a valid redirect URL");
-		this.switchUserMatcher = createMatcher(switchUserUrl, false);
+		this.switchUserMatcher = createMatcher(switchUserUrl);
 	}
 
 	/**
@@ -547,11 +546,8 @@ public void setSecurityContextRepository(SecurityContextRepository securityConte
 		this.securityContextRepository = securityContextRepository;
 	}
 
-	private static RequestMatcher createMatcher(String pattern, boolean usePathPatterns) {
-		if (usePathPatterns) {
-			return PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, pattern);
-		}
-		return new AntPathRequestMatcher(pattern, "POST", true, new UrlPathHelper());
+	private static RequestMatcher createMatcher(String pattern) {
+		return pathPattern(HttpMethod.POST, pattern);
 	}
 
 }

web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java

@@ -28,11 +28,12 @@
 
 import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpMethod;
-import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.OncePerRequestFilter;
 
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+
 /**
  * Generates a default log out page.
  *
@@ -41,7 +42,7 @@
  */
 public class DefaultLogoutPageGeneratingFilter extends OncePerRequestFilter {
 
-	private RequestMatcher matcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, "/logout");
+	private RequestMatcher matcher = pathPattern(HttpMethod.GET, "/logout");
 
 	private Function<HttpServletRequest, Map<String, String>> resolveHiddenInputs = (request) -> Collections.emptyMap();
 

web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLogoutPageGeneratingFilter.java

@@ -28,11 +28,12 @@
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.MediaType;
-import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.GenericFilterBean;
 
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+
 /**
  * Serve common static assets used in default UIs, such as CSS or Javascript files. For
  * internal use only.
@@ -89,8 +90,7 @@ public String toString() {
 	 * @return -
 	 */
 	public static DefaultResourcesFilter css() {
-		return new DefaultResourcesFilter(
-				PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, "/default-ui.css"),
+		return new DefaultResourcesFilter(pathPattern(HttpMethod.GET, "/default-ui.css"),
 				new ClassPathResource("org/springframework/security/default-ui.css"),
 				new MediaType("text", "css", StandardCharsets.UTF_8));
 	}
@@ -107,8 +107,7 @@ public static DefaultResourcesFilter css() {
 	 * @return -
 	 */
 	public static DefaultResourcesFilter webauthn() {
-		return new DefaultResourcesFilter(
-				PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, "/login/webauthn.js"),
+		return new DefaultResourcesFilter(pathPattern(HttpMethod.GET, "/login/webauthn.js"),
 				new ClassPathResource("org/springframework/security/spring-security-webauthn.js"),
 				new MediaType("text", "javascript", StandardCharsets.UTF_8));
 	}

web/src/main/java/org/springframework/security/web/authentication/ui/DefaultResourcesFilter.java

@@ -202,7 +202,7 @@ public String toString() {
 	 * <p>
 	 * To match a request URI like {@code /app/servlet/my/resource/**} where {@code /app}
 	 * is the context path, you can do
-	 * {@code PathPatternRequestMatcher.withDefaults().matcher("/servlet/my/resource/**")}
+	 * {@code PathPatternRequestMatcher.pathPattern("/servlet/my/resource/**")}
 	 *
 	 * <p>
 	 * If you have many paths that have a common path prefix, you can use

web/src/main/java/org/springframework/security/web/servlet/util/matcher/PathPatternRequestMatcher.java

@@ -37,14 +37,15 @@
 import org.springframework.security.web.authentication.HttpMessageConverterAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
-import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
 import org.springframework.security.web.webauthn.api.PublicKeyCredential;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
 import org.springframework.security.web.webauthn.jackson.WebauthnJackson2Module;
 import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest;
 import org.springframework.util.Assert;
 
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+
 /**
  * Authenticates {@code PublicKeyCredential<AuthenticatorAssertionResponse>} that is
  * parsed from the body of the {@link HttpServletRequest} using the
@@ -77,7 +78,7 @@ public class WebAuthnAuthenticationFilter extends AbstractAuthenticationProcessi
 	private PublicKeyCredentialRequestOptionsRepository requestOptionsRepository = new HttpSessionPublicKeyCredentialRequestOptionsRepository();
 
 	public WebAuthnAuthenticationFilter() {
-		super(PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, "/login/webauthn"));
+		super(pathPattern(HttpMethod.POST, "/login/webauthn"));
 		setSecurityContextRepository(new HttpSessionSecurityContextRepository());
 		setAuthenticationFailureHandler(
 				new AuthenticationEntryPointFailureHandler(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)));

web/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java

@@ -22,14 +22,14 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.springframework.security.web.servlet.TestMockHttpServletRequests.get;
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
 
 /**
  * Tests for {@link RequestMatcherRedirectFilter}.
@@ -40,8 +40,7 @@ public class RequestMatcherRedirectFilterTests {
 
 	@Test
 	public void doFilterWhenRequestMatchThenRedirectToSpecifiedUrl() throws Exception {
-		RequestMatcherRedirectFilter filter = new RequestMatcherRedirectFilter(new AntPathRequestMatcher("/context"),
-				"/test");
+		RequestMatcherRedirectFilter filter = new RequestMatcherRedirectFilter(pathPattern("/context"), "/test");
 
 		MockHttpServletRequest request = get("/context").build();
 		MockHttpServletResponse response = new MockHttpServletResponse();
@@ -57,8 +56,7 @@ public void doFilterWhenRequestMatchThenRedirectToSpecifiedUrl() throws Exceptio
 
 	@Test
 	public void doFilterWhenRequestNotMatchThenNextFilter() throws Exception {
-		RequestMatcherRedirectFilter filter = new RequestMatcherRedirectFilter(new AntPathRequestMatcher("/context"),
-				"/test");
+		RequestMatcherRedirectFilter filter = new RequestMatcherRedirectFilter(pathPattern("/context"), "/test");
 
 		MockHttpServletRequest request = get("/test").build();
 
@@ -81,21 +79,19 @@ public void constructWhenRequestMatcherNull() {
 	@Test
 	public void constructWhenRedirectUrlNull() {
 		assertThatIllegalArgumentException()
-			.isThrownBy(() -> new RequestMatcherRedirectFilter(new AntPathRequestMatcher("/**"), null))
+			.isThrownBy(() -> new RequestMatcherRedirectFilter(pathPattern("/**"), null))
 			.withMessage("redirectUrl cannot be empty");
 	}
 
 	@Test
 	public void constructWhenRedirectUrlEmpty() {
-		assertThatIllegalArgumentException()
-			.isThrownBy(() -> new RequestMatcherRedirectFilter(new AntPathRequestMatcher("/**"), ""))
+		assertThatIllegalArgumentException().isThrownBy(() -> new RequestMatcherRedirectFilter(pathPattern("/**"), ""))
 			.withMessage("redirectUrl cannot be empty");
 	}
 
 	@Test
 	public void constructWhenRedirectUrlBlank() {
-		assertThatIllegalArgumentException()
-			.isThrownBy(() -> new RequestMatcherRedirectFilter(new AntPathRequestMatcher("/**"), " "))
+		assertThatIllegalArgumentException().isThrownBy(() -> new RequestMatcherRedirectFilter(pathPattern("/**"), " "))
 			.withMessage("redirectUrl cannot be empty");
 	}