spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

error "Exception Processing ErrorPage[errorCode=0, location=/error]" #15000

Closed Auroraol closed 1 week ago

Auroraol commented 2 weeks ago

Describe the bug

Using Spring Boot 3.1.3 and Spring Security 6.1.3.

Adding the following code to the WebSecurityConfig file causes this problem:

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web
                .ignoring()
                .requestMatchers(
                        HttpMethod.GET,
                        "/*.html",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js"
                );
    }


sjohnr commented 1 week ago

@Auroraol, thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it).

Having said that, note that Spring Security integrates with Spring MVC for pattern matching when it is on the classpath, specifically through the HandlerMappingIntrospector class. You can read more about pattern matching in the core framework. Specifically, see the javadoc for PathPattern, which states:

Note: In contrast to AntPathMatcher, ** is supported only at the end of a pattern. For example /pages/{**} is valid but /pages/{**}/details is not. The same applies also to the capturing variant {*spring}. The aim is to eliminate ambiguity when comparing patterns for specificity.

So patterns like /**/*.html are not valid. You may consider using AntPathRequestMatcher for cases like this, as I think it behaves like you are expecting. For example:

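    import java.util.List;

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
    import org.springframework.security.web.util.matcher.RequestMatcher;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration {

        // Ant-style patterns; "**" in the middle of a pattern is valid for AntPathRequestMatcher.
        private static final List<String> IGNORED_PATHS = List.of(
            "/*.html",
            "/favicon.ico",
            "/**/*.html",
            "/**/*.css",
            "/**/*.js"
        );

        @Bean
        public WebSecurityCustomizer webSecurityCustomizer() {
            // Build explicit Ant matchers so the patterns are not parsed as PathPattern.
            RequestMatcher[] requestMatchers = IGNORED_PATHS.stream()
                .map(path -> AntPathRequestMatcher.antMatcher(HttpMethod.GET, path))
                .toList()
                .toArray(new RequestMatcher[0]);
            return (web) -> web.ignoring().requestMatchers(requestMatchers);
        }

        // ...

    }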

I'm going to close this issue with the above explanation.
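The difference described in the comment above can be checked directly against the issue's patterns. The following is an added example, not code from the thread or from Spring Security; it assumes spring-core and spring-web from Spring Framework 6.0.x (the line used by Spring Boot 3.1.3) on the classpath, and the class name and sample request paths are constructed for illustration.

```java
import java.util.List;

import org.springframework.util.AntPathMatcher;
import org.springframework.web.util.pattern.PathPatternParser;
import org.springframework.web.util.pattern.PatternParseException;

// Hypothetical helper class: reports how each pattern fares under both matchers.
public class IgnoredPathPatternCheck {

    // The patterns from the issue.
    static final List<String> PATTERNS = List.of(
            "/*.html", "/favicon.ico", "/**/*.html", "/**/*.css", "/**/*.js");

    // Constructed sample request paths, not taken from the issue.
    static final List<String> SAMPLE_PATHS = List.of(
            "/index.html", "/docs/guide/index.html", "/static/css/site.css", "/api/users");

    /** Returns null if PathPatternParser accepts the pattern, otherwise the parser's message. */
    static String pathPatternError(String pattern) {
        try {
            new PathPatternParser().parse(pattern);
            return null;
        } catch (PatternParseException ex) {
            return ex.getMessage();
        }
    }

    public static void main(String[] args) {
        AntPathMatcher ant = new AntPathMatcher();
        for (String pattern : PATTERNS) {
            // PathPattern is what Spring Security uses when Spring MVC is on the classpath.
            String error = pathPatternError(pattern);
            System.out.printf("%-12s PathPattern: %s%n", pattern,
                    error == null ? "valid" : "rejected (" + error + ")");
            // AntPathMatcher accepts "**" anywhere; list which sample paths it would cover.
            for (String path : SAMPLE_PATHS) {
                if (ant.match(pattern, path)) {
                    System.out.printf("    AntPathMatcher matches %s%n", path);
                }
            }
        }
    }
}
```

Reviewing the Ant matches is worthwhile because requests matched by `web.ignoring()` are not processed by the Spring Security filter chain at all.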