Spring Security / SEC-1634

Syntax and semantics of AntPathRequestMatcher undocumented

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.0.M1, 3.0.5
    • Fix Version/s: 3.1.0.M2, 3.0.6
    • Component/s: Docs and Website
    • Labels: None

      Description

      The syntax and semantics of org.springframework.security.web.util.AntPathRequestMatcher (AntUrlPathMatcher in 3.0) are undocumented. The reference manual loosely refers to "Ant style" and states about the request-matcher attribute in the <http> section:
      "See the Javadoc for these classes for more details on exactly how the matching is preformed." (quote includes typo) However, the Javadoc says nothing about it.

      The RequestMatcher syntax and semantics is an important contract between a user and Spring Security. Any misunderstanding from the user's side likely results in vulnerabilities.

        Activity

        Luke Taylor added a comment (edited)

        I've updated the Javadoc as part of SEC-1636 to indicate that Spring's AntPathMatcher is used except in the case of simple wildcard patterns.

          People

          • Assignee: Luke Taylor
          • Reporter: Hakan Soderstrom
          • Votes: 0
          • Watchers: 0