From d43c28348a7788ce12f05f6498ed677f078a45df Mon Sep 17 00:00:00 2001 
From: Joe Grandja <10884212+jgrandja@users.noreply.github.com> Date: Wed, 9 Jul 2025 12:25:23 -0400 Subject: [PATCH] Fix breaking changes with AntPathRequestMatcher being removed Related https://github.com/spring-projects/spring-security/issues/16887 Closes gh-2086 --- ...OAuth2AuthorizationEndpointConfigurer.java | 12 +-- .../OAuth2AuthorizationServerConfigurer.java | 8 +- ...ationServerMetadataEndpointConfigurer.java | 4 +- .../OAuth2ClientAuthenticationConfigurer.java | 22 ++--- .../configurers/OAuth2ConfigurerUtils.java | 8 +- ...DeviceAuthorizationEndpointConfigurer.java | 8 +- ...2DeviceVerificationEndpointConfigurer.java | 10 +- ...uthorizationRequestEndpointConfigurer.java | 8 +- .../OAuth2TokenEndpointConfigurer.java | 8 +- ...2TokenIntrospectionEndpointConfigurer.java | 8 +- ...uth2TokenRevocationEndpointConfigurer.java | 8 +- ...cClientRegistrationEndpointConfigurer.java | 10 +- .../OidcLogoutEndpointConfigurer.java | 10 +- ...oviderConfigurationEndpointConfigurer.java | 4 +- .../OidcUserInfoEndpointConfigurer.java | 13 +-- .../OidcClientRegistrationEndpointFilter.java | 10 +- .../oidc/web/OidcLogoutEndpointFilter.java | 8 +- ...dcProviderConfigurationEndpointFilter.java | 11 ++- .../oidc/web/OidcUserInfoEndpointFilter.java | 8 +- .../web/NimbusJwkSetEndpointFilter.java | 6 +- .../OAuth2AuthorizationEndpointFilter.java | 10 +- ...orizationServerMetadataEndpointFilter.java | 10 +- ...uth2DeviceAuthorizationEndpointFilter.java | 6 +- ...Auth2DeviceVerificationEndpointFilter.java | 10 +- ...hedAuthorizationRequestEndpointFilter.java | 6 +- .../web/OAuth2TokenEndpointFilter.java | 4 +- ...Auth2TokenIntrospectionEndpointFilter.java | 8 +- .../OAuth2TokenRevocationEndpointFilter.java | 5 +- .../web/util/matcher/RequestMatcherUtils.java | 92 +++++++++++++++++++ ...OAuth2ClientAuthenticationFilterTests.java | 6 +- ...eviceAuthorizationEndpointFilterTests.java | 4 +- .../DeviceClientAuthenticationConverter.java | 8 +- 32 files changed, 217 insertions(+), 136 
deletions(-)
 create mode 100644 oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/util/matcher/RequestMatcherUtils.java
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationEndpointConfigurer.java
index 4d6b2786..4f1251b5 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationEndpointConfigurer.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationEndpointConfigurer.java
@@ -39,13 +39,13 @@ import org.springframework.security.oauth2.server.authorization.settings.Authori
 import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeRequestAuthenticationConverter;
 import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationConsentAuthenticationConverter;
+import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.DelegatingAuthenticationConverter;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
@@ -238,12 +238,11 @@ public final class OAuth2AuthorizationEndpointConfigurer extends AbstractOAuth2C AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(httpSecurity); String authorizationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils - .withMultipleIssuersPattern(authorizationServerSettings.getAuthorizationEndpoint()) + ? RequestMatcherUtils.withMultipleIssuersPattern(authorizationServerSettings.getAuthorizationEndpoint()) : authorizationServerSettings.getAuthorizationEndpoint(); this.requestMatcher = new OrRequestMatcher( - new AntPathRequestMatcher(authorizationEndpointUri, HttpMethod.GET.name()), - new AntPathRequestMatcher(authorizationEndpointUri, HttpMethod.POST.name())); + RequestMatcherUtils.matcher(authorizationEndpointUri, HttpMethod.GET), + RequestMatcherUtils.matcher(authorizationEndpointUri, HttpMethod.POST)); List authenticationProviders = createDefaultAuthenticationProviders(httpSecurity); if (!this.authenticationProviders.isEmpty()) { authenticationProviders.addAll(0, this.authenticationProviders); @@ -259,8 +258,7 @@ public final class OAuth2AuthorizationEndpointConfigurer extends AbstractOAuth2C AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(httpSecurity); String authorizationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils - .withMultipleIssuersPattern(authorizationServerSettings.getAuthorizationEndpoint()) + ? RequestMatcherUtils.withMultipleIssuersPattern(authorizationServerSettings.getAuthorizationEndpoint()) : authorizationServerSettings.getAuthorizationEndpoint(); OAuth2AuthorizationEndpointFilter authorizationEndpointFilter = new OAuth2AuthorizationEndpointFilter( authenticationManager, authorizationEndpointUri); 
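Review bot: `authorizationEndpointUri` is derived by the same ternary in both hunks of OAuth2AuthorizationEndpointConfigurer (at -238 for `this.requestMatcher`, at -259 for the `OAuth2AuthorizationEndpointFilter` constructor), so the matcher that selects requests and the filter that serves them agree only because two copies are kept in sync by hand. Since this commit already edits both copies, I would compute the value once: keep it with `this.authorizationEndpointUri = authorizationEndpointUri;` where the matcher is built and pass `this.authorizationEndpointUri` to `new OAuth2AuthorizationEndpointFilter(authenticationManager, ...)`. The same duplicated derivation appears in the hunks for OAuth2AuthorizationServerConfigurer (JWK Set endpoint), OAuth2DeviceAuthorizationEndpointConfigurer, OAuth2DeviceVerificationEndpointConfigurer, OAuth2PushedAuthorizationRequestEndpointConfigurer and OAuth2TokenEndpointConfigurer. The enclosing methods start and end outside these hunks, so that they run on the same instance in a fixed order is an assumption to confirm.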
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
index 094fc581..741f158b 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
@@ -50,10 +50,10 @@ import org.springframework.security.oauth2.server.authorization.client.Registere
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
 import org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter;
+import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.context.SecurityContextHolderFilter;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
@@ -368,9 +368,9 @@ public final class OAuth2AuthorizationServerConfigurer requestMatchers.add(configurer.getRequestMatcher()); }); String jwkSetEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils.withMultipleIssuersPattern(authorizationServerSettings.getJwkSetEndpoint()) + ? RequestMatcherUtils.withMultipleIssuersPattern(authorizationServerSettings.getJwkSetEndpoint()) : authorizationServerSettings.getJwkSetEndpoint(); - requestMatchers.add(new AntPathRequestMatcher(jwkSetEndpointUri, HttpMethod.GET.name())); + requestMatchers.add(RequestMatcherUtils.matcher(jwkSetEndpointUri, HttpMethod.GET)); this.endpointsMatcher = new OrRequestMatcher(requestMatchers); ExceptionHandlingConfigurer exceptionHandling = httpSecurity @@ -419,7 +419,7 @@ public final class OAuth2AuthorizationServerConfigurer JWKSource jwkSource = OAuth2ConfigurerUtils.getJwkSource(httpSecurity); if (jwkSource != null) { String jwkSetEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils.withMultipleIssuersPattern(authorizationServerSettings.getJwkSetEndpoint()) + ? RequestMatcherUtils.withMultipleIssuersPattern(authorizationServerSettings.getJwkSetEndpoint()) : authorizationServerSettings.getJwkSetEndpoint(); NimbusJwkSetEndpointFilter jwkSetEndpointFilter = new NimbusJwkSetEndpointFilter(jwkSource, jwkSetEndpointUri); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerMetadataEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerMetadataEndpointConfigurer.java index 76210739..c4a57081 100644 
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerMetadataEndpointConfigurer.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerMetadataEndpointConfigurer.java @@ -23,8 +23,8 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationServerMetadata; import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationServerMetadataEndpointFilter; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; /** @@ -79,7 +79,7 @@ public final class OAuth2AuthorizationServerMetadataEndpointConfigurer extends A .getAuthorizationServerSettings(httpSecurity); String authorizationServerMetadataEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() ? "/.well-known/oauth-authorization-server/**" : "/.well-known/oauth-authorization-server"; - this.requestMatcher = new AntPathRequestMatcher(authorizationServerMetadataEndpointUri, HttpMethod.GET.name()); + this.requestMatcher = RequestMatcherUtils.matcher(authorizationServerMetadataEndpointUri, HttpMethod.GET); } @Override 
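Review bot: The multi-issuer pattern in OAuth2AuthorizationServerMetadataEndpointConfigurer is written by hand as `"/.well-known/oauth-authorization-server/**"`, with the wildcard after the fixed segment, while every other endpoint in this patch gets it in front through `RequestMatcherUtils.withMultipleIssuersPattern(...)`, and nothing at the call site says why. A one-line comment above the ternary would keep a later cleanup from folding it into the helper, e.g. `// RFC 8414 section 3: the issuer path follows the well-known segment, so the wildcard is a suffix here`. Because a trailing `/**` accepts any remaining path, the comment should also say where the issuer taken from that suffix is validated; that code is not visible from this hunk. The enclosing method starts outside the hunk.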
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2ClientAuthenticationConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2ClientAuthenticationConfigurer.java
index 31685233..d813a7fd 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2ClientAuthenticationConfigurer.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2ClientAuthenticationConfigurer.java
@@ -43,12 +43,12 @@ import org.springframework.security.oauth2.server.authorization.web.authenticati
 import org.springframework.security.oauth2.server.authorization.web.authentication.JwtClientAssertionAuthenticationConverter;
 import org.springframework.security.oauth2.server.authorization.web.authentication.PublicClientAuthenticationConverter;
 import org.springframework.security.oauth2.server.authorization.web.authentication.X509ClientCertificateAuthenticationConverter;
+import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.DelegatingAuthenticationConverter;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
@@ -182,29 +182,29 @@ public final class OAuth2ClientAuthenticationConfigurer extends AbstractOAuth2Co AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(httpSecurity); String tokenEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils.withMultipleIssuersPattern(authorizationServerSettings.getTokenEndpoint()) + ? RequestMatcherUtils.withMultipleIssuersPattern(authorizationServerSettings.getTokenEndpoint()) : authorizationServerSettings.getTokenEndpoint(); String tokenIntrospectionEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getTokenIntrospectionEndpoint()) : authorizationServerSettings.getTokenIntrospectionEndpoint(); String tokenRevocationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getTokenRevocationEndpoint()) : authorizationServerSettings.getTokenRevocationEndpoint(); String deviceAuthorizationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getDeviceAuthorizationEndpoint()) : authorizationServerSettings.getDeviceAuthorizationEndpoint(); String pushedAuthorizationRequestEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? 
RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getPushedAuthorizationRequestEndpoint()) : authorizationServerSettings.getPushedAuthorizationRequestEndpoint(); - this.requestMatcher = new OrRequestMatcher(new AntPathRequestMatcher(tokenEndpointUri, HttpMethod.POST.name()), - new AntPathRequestMatcher(tokenIntrospectionEndpointUri, HttpMethod.POST.name()), - new AntPathRequestMatcher(tokenRevocationEndpointUri, HttpMethod.POST.name()), - new AntPathRequestMatcher(deviceAuthorizationEndpointUri, HttpMethod.POST.name()), - new AntPathRequestMatcher(pushedAuthorizationRequestEndpointUri, HttpMethod.POST.name())); + this.requestMatcher = new OrRequestMatcher(RequestMatcherUtils.matcher(tokenEndpointUri, HttpMethod.POST), + RequestMatcherUtils.matcher(tokenIntrospectionEndpointUri, HttpMethod.POST), + RequestMatcherUtils.matcher(tokenRevocationEndpointUri, HttpMethod.POST), + RequestMatcherUtils.matcher(deviceAuthorizationEndpointUri, HttpMethod.POST), + RequestMatcherUtils.matcher(pushedAuthorizationRequestEndpointUri, HttpMethod.POST)); List authenticationProviders = createDefaultAuthenticationProviders(httpSecurity); if (!this.authenticationProviders.isEmpty()) { authenticationProviders.addAll(0, this.authenticationProviders); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2ConfigurerUtils.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2ConfigurerUtils.java index dd9bf859..acbd5c5a 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2ConfigurerUtils.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2ConfigurerUtils.java 
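Review bot: The `OrRequestMatcher` built at the end of the -182 hunk in OAuth2ClientAuthenticationConfigurer presumably selects the POST requests that go through client authentication, and all five `AntPathRequestMatcher` instances are swapped for `RequestMatcherUtils.matcher(...)` with no visible check that the accepted request set is unchanged. `RequestMatcherUtils` is created elsewhere in this patch and is not visible here, so differences from Ant-style matching (trailing slash, case, path parameters, or the leading `/**` that the removed `OAuth2ConfigurerUtils.withMultipleIssuersPattern` produced) cannot be ruled out from this hunk. I would add a test that runs each of the five endpoint URIs, with and without an issuer path prefix, through this matcher and through the matcher of the corresponding endpoint filter and asserts that both give the same answer, unless OAuth2ClientAuthenticationFilterTests already covers it. The enclosing method starts and ends outside the hunk.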
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2024 the original author or authors. + * Copyright 2020-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -43,7 +43,6 @@ import org.springframework.security.oauth2.server.authorization.token.OAuth2Refr import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenClaimsContext; import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer; import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator; -import org.springframework.util.Assert; import org.springframework.util.StringUtils; /** @@ -57,11 +56,6 @@ final class OAuth2ConfigurerUtils { private OAuth2ConfigurerUtils() { } - static String withMultipleIssuersPattern(String endpointUri) { - Assert.hasText(endpointUri, "endpointUri cannot be empty"); - return endpointUri.startsWith("/") ? "/**" + endpointUri : "/**/" + endpointUri; - } - static RegisteredClientRepository getRegisteredClientRepository(HttpSecurity httpSecurity) { RegisteredClientRepository registeredClientRepository = httpSecurity .getSharedObject(RegisteredClientRepository.class); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2DeviceAuthorizationEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2DeviceAuthorizationEndpointConfigurer.java index 4e6e3860..10740817 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2DeviceAuthorizationEndpointConfigurer.java 
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2DeviceAuthorizationEndpointConfigurer.java
@@ -35,12 +35,12 @@ import org.springframework.security.oauth2.server.authorization.authentication.O
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2DeviceAuthorizationEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2DeviceAuthorizationRequestAuthenticationConverter;
+import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.DelegatingAuthenticationConverter;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
@@ -199,10 +199,10 @@ public final class OAuth2DeviceAuthorizationEndpointConfigurer extends AbstractO AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(builder); String deviceAuthorizationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getDeviceAuthorizationEndpoint()) : authorizationServerSettings.getDeviceAuthorizationEndpoint(); - this.requestMatcher = new AntPathRequestMatcher(deviceAuthorizationEndpointUri, HttpMethod.POST.name()); + this.requestMatcher = RequestMatcherUtils.matcher(deviceAuthorizationEndpointUri, HttpMethod.POST); List authenticationProviders = createDefaultAuthenticationProviders(builder); if (!this.authenticationProviders.isEmpty()) { @@ -220,7 +220,7 @@ public final class OAuth2DeviceAuthorizationEndpointConfigurer extends AbstractO .getAuthorizationServerSettings(builder); String deviceAuthorizationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getDeviceAuthorizationEndpoint()) : authorizationServerSettings.getDeviceAuthorizationEndpoint(); OAuth2DeviceAuthorizationEndpointFilter deviceAuthorizationEndpointFilter = new OAuth2DeviceAuthorizationEndpointFilter( diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2DeviceVerificationEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2DeviceVerificationEndpointConfigurer.java index 993c0b83..c7e5f194 100644 
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2DeviceVerificationEndpointConfigurer.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2DeviceVerificationEndpointConfigurer.java
@@ -39,12 +39,12 @@ import org.springframework.security.oauth2.server.authorization.settings.Authori
 import org.springframework.security.oauth2.server.authorization.web.OAuth2DeviceVerificationEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2DeviceAuthorizationConsentAuthenticationConverter;
 import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2DeviceVerificationAuthenticationConverter;
+import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.DelegatingAuthenticationConverter;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
@@ -234,12 +234,12 @@ public final class OAuth2DeviceVerificationEndpointConfigurer extends AbstractOA AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(builder); String deviceVerificationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getDeviceVerificationEndpoint()) : authorizationServerSettings.getDeviceVerificationEndpoint(); this.requestMatcher = new OrRequestMatcher( - new AntPathRequestMatcher(deviceVerificationEndpointUri, HttpMethod.GET.name()), - new AntPathRequestMatcher(deviceVerificationEndpointUri, HttpMethod.POST.name())); + RequestMatcherUtils.matcher(deviceVerificationEndpointUri, HttpMethod.GET), + RequestMatcherUtils.matcher(deviceVerificationEndpointUri, HttpMethod.POST)); List authenticationProviders = createDefaultAuthenticationProviders(builder); if (!this.authenticationProviders.isEmpty()) { @@ -257,7 +257,7 @@ public final class OAuth2DeviceVerificationEndpointConfigurer extends AbstractOA .getAuthorizationServerSettings(builder); String deviceVerificationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getDeviceVerificationEndpoint()) : authorizationServerSettings.getDeviceVerificationEndpoint(); OAuth2DeviceVerificationEndpointFilter deviceVerificationEndpointFilter = new OAuth2DeviceVerificationEndpointFilter( diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2PushedAuthorizationRequestEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2PushedAuthorizationRequestEndpointConfigurer.java index 42d8a2e0..cfafc9ee 100644 
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2PushedAuthorizationRequestEndpointConfigurer.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2PushedAuthorizationRequestEndpointConfigurer.java @@ -35,12 +35,12 @@ import org.springframework.security.oauth2.server.authorization.authentication.O import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; import org.springframework.security.oauth2.server.authorization.web.OAuth2PushedAuthorizationRequestEndpointFilter; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeRequestAuthenticationConverter; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.access.intercept.AuthorizationFilter; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.DelegatingAuthenticationConverter; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; 
@@ -193,10 +193,10 @@ public final class OAuth2PushedAuthorizationRequestEndpointConfigurer extends Ab AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(httpSecurity); String pushedAuthorizationRequestEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getPushedAuthorizationRequestEndpoint()) : authorizationServerSettings.getPushedAuthorizationRequestEndpoint(); - this.requestMatcher = new AntPathRequestMatcher(pushedAuthorizationRequestEndpointUri, HttpMethod.POST.name()); + this.requestMatcher = RequestMatcherUtils.matcher(pushedAuthorizationRequestEndpointUri, HttpMethod.POST); List authenticationProviders = createDefaultAuthenticationProviders(httpSecurity); if (!this.authenticationProviders.isEmpty()) { authenticationProviders.addAll(0, this.authenticationProviders); @@ -212,7 +212,7 @@ public final class OAuth2PushedAuthorizationRequestEndpointConfigurer extends Ab AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(httpSecurity); String pushedAuthorizationRequestEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getPushedAuthorizationRequestEndpoint()) : authorizationServerSettings.getPushedAuthorizationRequestEndpoint(); OAuth2PushedAuthorizationRequestEndpointFilter pushedAuthorizationRequestEndpointFilter = new OAuth2PushedAuthorizationRequestEndpointFilter( 
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenEndpointConfigurer.java index 81dc26ed..f5a5fdb8 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenEndpointConfigurer.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenEndpointConfigurer.java @@ -47,12 +47,12 @@ import org.springframework.security.oauth2.server.authorization.web.authenticati import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2DeviceCodeAuthenticationConverter; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2TokenExchangeAuthenticationConverter; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.access.intercept.AuthorizationFilter; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.DelegatingAuthenticationConverter; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; 
@@ -187,9 +187,9 @@ public final class OAuth2TokenEndpointConfigurer extends AbstractOAuth2Configure AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(httpSecurity); String tokenEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils.withMultipleIssuersPattern(authorizationServerSettings.getTokenEndpoint()) + ? RequestMatcherUtils.withMultipleIssuersPattern(authorizationServerSettings.getTokenEndpoint()) : authorizationServerSettings.getTokenEndpoint(); - this.requestMatcher = new AntPathRequestMatcher(tokenEndpointUri, HttpMethod.POST.name()); + this.requestMatcher = RequestMatcherUtils.matcher(tokenEndpointUri, HttpMethod.POST); List authenticationProviders = createDefaultAuthenticationProviders(httpSecurity); if (!this.authenticationProviders.isEmpty()) { @@ -207,7 +207,7 @@ public final class OAuth2TokenEndpointConfigurer extends AbstractOAuth2Configure .getAuthorizationServerSettings(httpSecurity); String tokenEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils.withMultipleIssuersPattern(authorizationServerSettings.getTokenEndpoint()) + ? RequestMatcherUtils.withMultipleIssuersPattern(authorizationServerSettings.getTokenEndpoint()) : authorizationServerSettings.getTokenEndpoint(); OAuth2TokenEndpointFilter tokenEndpointFilter = new OAuth2TokenEndpointFilter(authenticationManager, tokenEndpointUri); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenIntrospectionEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenIntrospectionEndpointConfigurer.java index 58083f9f..6e2f05f1 100644 
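Review bot: Nothing in the `@@ -187,9` hunk records how `RequestMatcherUtils.matcher(tokenEndpointUri, HttpMethod.POST)` treats case, a trailing slash or path parameters compared with the `AntPathRequestMatcher` it replaces, and the helper is added elsewhere in this commit and is not shown in this part of the patch. This matcher presumably decides which requests are treated as token requests, so any difference in matching changes which requests reach the endpoint's authentication providers; the same applies to the introspection and revocation hunks that follow. I would add a short comment at the assignment, for example `// Path matching is delegated to RequestMatcherUtils; keep it aligned with the former AntPathRequestMatcher semantics`, and state the matching rules in the helper's Javadoc. The enclosing method starts and ends outside the hunk.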
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenIntrospectionEndpointConfigurer.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenIntrospectionEndpointConfigurer.java @@ -34,12 +34,12 @@ import org.springframework.security.oauth2.server.authorization.authentication.O import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenIntrospectionEndpointFilter; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2TokenIntrospectionAuthenticationConverter; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.access.intercept.AuthorizationFilter; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.DelegatingAuthenticationConverter; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; 
@@ -182,10 +182,10 @@ public final class OAuth2TokenIntrospectionEndpointConfigurer extends AbstractOA AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(httpSecurity); String tokenIntrospectionEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getTokenIntrospectionEndpoint()) : authorizationServerSettings.getTokenIntrospectionEndpoint(); - this.requestMatcher = new AntPathRequestMatcher(tokenIntrospectionEndpointUri, HttpMethod.POST.name()); + this.requestMatcher = RequestMatcherUtils.matcher(tokenIntrospectionEndpointUri, HttpMethod.POST); List authenticationProviders = createDefaultAuthenticationProviders(httpSecurity); if (!this.authenticationProviders.isEmpty()) { @@ -202,7 +202,7 @@ public final class OAuth2TokenIntrospectionEndpointConfigurer extends AbstractOA AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(httpSecurity); String tokenIntrospectionEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getTokenIntrospectionEndpoint()) : authorizationServerSettings.getTokenIntrospectionEndpoint(); OAuth2TokenIntrospectionEndpointFilter introspectionEndpointFilter = new OAuth2TokenIntrospectionEndpointFilter( diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenRevocationEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenRevocationEndpointConfigurer.java index a918447e..3333447c 100644 
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenRevocationEndpointConfigurer.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenRevocationEndpointConfigurer.java @@ -33,12 +33,12 @@ import org.springframework.security.oauth2.server.authorization.authentication.O import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2TokenRevocationAuthenticationConverter; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.access.intercept.AuthorizationFilter; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.DelegatingAuthenticationConverter; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; 
@@ -181,10 +181,10 @@ public final class OAuth2TokenRevocationEndpointConfigurer extends AbstractOAuth AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(httpSecurity); String tokenRevocationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getTokenRevocationEndpoint()) : authorizationServerSettings.getTokenRevocationEndpoint(); - this.requestMatcher = new AntPathRequestMatcher(tokenRevocationEndpointUri, HttpMethod.POST.name()); + this.requestMatcher = RequestMatcherUtils.matcher(tokenRevocationEndpointUri, HttpMethod.POST); List authenticationProviders = createDefaultAuthenticationProviders(httpSecurity); if (!this.authenticationProviders.isEmpty()) { @@ -202,7 +202,7 @@ public final class OAuth2TokenRevocationEndpointConfigurer extends AbstractOAuth .getAuthorizationServerSettings(httpSecurity); String tokenRevocationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getTokenRevocationEndpoint()) : authorizationServerSettings.getTokenRevocationEndpoint(); OAuth2TokenRevocationEndpointFilter revocationEndpointFilter = new OAuth2TokenRevocationEndpointFilter( diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcClientRegistrationEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcClientRegistrationEndpointConfigurer.java index be9113ff..453a183d 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcClientRegistrationEndpointConfigurer.java 
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcClientRegistrationEndpointConfigurer.java @@ -36,12 +36,12 @@ import org.springframework.security.oauth2.server.authorization.oidc.authenticat import org.springframework.security.oauth2.server.authorization.oidc.web.OidcClientRegistrationEndpointFilter; import org.springframework.security.oauth2.server.authorization.oidc.web.authentication.OidcClientRegistrationAuthenticationConverter; import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.access.intercept.AuthorizationFilter; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.DelegatingAuthenticationConverter; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; 
@@ -192,12 +192,12 @@ public final class OidcClientRegistrationEndpointConfigurer extends AbstractOAut AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(httpSecurity); String clientRegistrationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getOidcClientRegistrationEndpoint()) : authorizationServerSettings.getOidcClientRegistrationEndpoint(); this.requestMatcher = new OrRequestMatcher( - new AntPathRequestMatcher(clientRegistrationEndpointUri, HttpMethod.POST.name()), - new AntPathRequestMatcher(clientRegistrationEndpointUri, HttpMethod.GET.name())); + RequestMatcherUtils.matcher(clientRegistrationEndpointUri, HttpMethod.POST), + RequestMatcherUtils.matcher(clientRegistrationEndpointUri, HttpMethod.GET)); List authenticationProviders = createDefaultAuthenticationProviders(httpSecurity); if (!this.authenticationProviders.isEmpty()) { @@ -215,7 +215,7 @@ public final class OidcClientRegistrationEndpointConfigurer extends AbstractOAut .getAuthorizationServerSettings(httpSecurity); String clientRegistrationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils + ? RequestMatcherUtils .withMultipleIssuersPattern(authorizationServerSettings.getOidcClientRegistrationEndpoint()) : authorizationServerSettings.getOidcClientRegistrationEndpoint(); OidcClientRegistrationEndpointFilter oidcClientRegistrationEndpointFilter = new OidcClientRegistrationEndpointFilter( diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcLogoutEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcLogoutEndpointConfigurer.java index 31457c9b..6dbed182 100644 
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcLogoutEndpointConfigurer.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcLogoutEndpointConfigurer.java @@ -34,12 +34,12 @@ import org.springframework.security.oauth2.server.authorization.oidc.authenticat import org.springframework.security.oauth2.server.authorization.oidc.web.OidcLogoutEndpointFilter; import org.springframework.security.oauth2.server.authorization.oidc.web.authentication.OidcLogoutAuthenticationConverter; import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.DelegatingAuthenticationConverter; import org.springframework.security.web.authentication.logout.LogoutFilter; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; 
@@ -167,10 +167,10 @@ public final class OidcLogoutEndpointConfigurer extends AbstractOAuth2Configurer AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(httpSecurity); String logoutEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils.withMultipleIssuersPattern(authorizationServerSettings.getOidcLogoutEndpoint()) + ? RequestMatcherUtils.withMultipleIssuersPattern(authorizationServerSettings.getOidcLogoutEndpoint()) : authorizationServerSettings.getOidcLogoutEndpoint(); - this.requestMatcher = new OrRequestMatcher(new AntPathRequestMatcher(logoutEndpointUri, HttpMethod.GET.name()), - new AntPathRequestMatcher(logoutEndpointUri, HttpMethod.POST.name())); + this.requestMatcher = new OrRequestMatcher(RequestMatcherUtils.matcher(logoutEndpointUri, HttpMethod.GET), + RequestMatcherUtils.matcher(logoutEndpointUri, HttpMethod.POST)); List authenticationProviders = createDefaultAuthenticationProviders(httpSecurity); if (!this.authenticationProviders.isEmpty()) { @@ -188,7 +188,7 @@ public final class OidcLogoutEndpointConfigurer extends AbstractOAuth2Configurer .getAuthorizationServerSettings(httpSecurity); String logoutEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils.withMultipleIssuersPattern(authorizationServerSettings.getOidcLogoutEndpoint()) + ? RequestMatcherUtils.withMultipleIssuersPattern(authorizationServerSettings.getOidcLogoutEndpoint()) : authorizationServerSettings.getOidcLogoutEndpoint(); OidcLogoutEndpointFilter oidcLogoutEndpointFilter = new OidcLogoutEndpointFilter(authenticationManager, logoutEndpointUri); 
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationEndpointConfigurer.java index 635d328b..59c72976 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationEndpointConfigurer.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationEndpointConfigurer.java @@ -23,8 +23,8 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.oauth2.server.authorization.oidc.OidcProviderConfiguration; import org.springframework.security.oauth2.server.authorization.oidc.web.OidcProviderConfigurationEndpointFilter; import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; /** 
@@ -79,7 +79,7 @@ public final class OidcProviderConfigurationEndpointConfigurer extends AbstractO .getAuthorizationServerSettings(httpSecurity); String oidcProviderConfigurationEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() ? "/**/.well-known/openid-configuration" : "/.well-known/openid-configuration"; - this.requestMatcher = new AntPathRequestMatcher(oidcProviderConfigurationEndpointUri, HttpMethod.GET.name()); + this.requestMatcher = RequestMatcherUtils.matcher(oidcProviderConfigurationEndpointUri, HttpMethod.GET); } @Override diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcUserInfoEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcUserInfoEndpointConfigurer.java index 880affd3..f476519a 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcUserInfoEndpointConfigurer.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcUserInfoEndpointConfigurer.java 
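Review bot: The multiple-issuers pattern is still spelled out as the literal `"/**/.well-known/openid-configuration"` in this hunk, while the other configurers in the patch, and `createRequestMatcher()` in `OidcProviderConfigurationEndpointFilter` further down, now obtain it from `RequestMatcherUtils.withMultipleIssuersPattern(...)`. If the helper's prefix ever changes, this configurer's matcher and the filter's matcher would stop agreeing on which discovery requests they accept. Building it the same way keeps a single source for the pattern: `? RequestMatcherUtils.withMultipleIssuersPattern("/.well-known/openid-configuration") : "/.well-known/openid-configuration";`. This assumes the helper yields the same `/**` prefix as the literal, which the removed line in the filter hunk suggests but this part of the patch does not show. The method containing the assignment starts outside the hunk.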
@@ -39,12 +39,12 @@ import org.springframework.security.oauth2.server.authorization.oidc.authenticat import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationToken; import org.springframework.security.oauth2.server.authorization.oidc.web.OidcUserInfoEndpointFilter; import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.access.intercept.AuthorizationFilter; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.DelegatingAuthenticationConverter; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; 
@@ -210,12 +210,10 @@ public final class OidcUserInfoEndpointConfigurer extends AbstractOAuth2Configur AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils .getAuthorizationServerSettings(httpSecurity); String userInfoEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils - .withMultipleIssuersPattern(authorizationServerSettings.getOidcUserInfoEndpoint()) + ? RequestMatcherUtils.withMultipleIssuersPattern(authorizationServerSettings.getOidcUserInfoEndpoint()) : authorizationServerSettings.getOidcUserInfoEndpoint(); - this.requestMatcher = new OrRequestMatcher( - new AntPathRequestMatcher(userInfoEndpointUri, HttpMethod.GET.name()), - new AntPathRequestMatcher(userInfoEndpointUri, HttpMethod.POST.name())); + this.requestMatcher = new OrRequestMatcher(RequestMatcherUtils.matcher(userInfoEndpointUri, HttpMethod.GET), + RequestMatcherUtils.matcher(userInfoEndpointUri, HttpMethod.POST)); List authenticationProviders = createDefaultAuthenticationProviders(httpSecurity); if (!this.authenticationProviders.isEmpty()) { @@ -233,8 +231,7 @@ public final class OidcUserInfoEndpointConfigurer extends AbstractOAuth2Configur .getAuthorizationServerSettings(httpSecurity); String userInfoEndpointUri = authorizationServerSettings.isMultipleIssuersAllowed() - ? OAuth2ConfigurerUtils - .withMultipleIssuersPattern(authorizationServerSettings.getOidcUserInfoEndpoint()) + ? RequestMatcherUtils.withMultipleIssuersPattern(authorizationServerSettings.getOidcUserInfoEndpoint()) : authorizationServerSettings.getOidcUserInfoEndpoint(); OidcUserInfoEndpointFilter oidcUserInfoEndpointFilter = new OidcUserInfoEndpointFilter(authenticationManager, userInfoEndpointUri); 
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcClientRegistrationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcClientRegistrationEndpointFilter.java index 88b32848..625cc03c 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcClientRegistrationEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcClientRegistrationEndpointFilter.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -42,11 +42,11 @@ import org.springframework.security.oauth2.server.authorization.oidc.authenticat import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationToken; import org.springframework.security.oauth2.server.authorization.oidc.http.converter.OidcClientRegistrationHttpMessageConverter; import org.springframework.security.oauth2.server.authorization.oidc.web.authentication.OidcClientRegistrationAuthenticationConverter; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.util.matcher.AndRequestMatcher; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; 
@@ -115,13 +115,13 @@ public final class OidcClientRegistrationEndpointFilter extends OncePerRequestFi Assert.hasText(clientRegistrationEndpointUri, "clientRegistrationEndpointUri cannot be empty"); this.authenticationManager = authenticationManager; this.clientRegistrationEndpointMatcher = new OrRequestMatcher( - new AntPathRequestMatcher(clientRegistrationEndpointUri, HttpMethod.POST.name()), + RequestMatcherUtils.matcher(clientRegistrationEndpointUri, HttpMethod.POST), createClientConfigurationMatcher(clientRegistrationEndpointUri)); } private static RequestMatcher createClientConfigurationMatcher(String clientRegistrationEndpointUri) { - RequestMatcher clientConfigurationGetMatcher = new AntPathRequestMatcher(clientRegistrationEndpointUri, - HttpMethod.GET.name()); + RequestMatcher clientConfigurationGetMatcher = RequestMatcherUtils.matcher(clientRegistrationEndpointUri, + HttpMethod.GET); RequestMatcher clientIdMatcher = (request) -> { String clientId = request.getParameter(OAuth2ParameterNames.CLIENT_ID); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcLogoutEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcLogoutEndpointFilter.java index 4921bc83..b8d3e42e 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcLogoutEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcLogoutEndpointFilter.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2024 the original author or authors. + * Copyright 2020-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -35,10 +35,10 @@ import org.springframework.security.oauth2.server.authorization.oidc.authenticat import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcLogoutAuthenticationToken; import org.springframework.security.oauth2.server.authorization.oidc.web.authentication.OidcLogoutAuthenticationConverter; import org.springframework.security.oauth2.server.authorization.oidc.web.authentication.OidcLogoutAuthenticationSuccessHandler; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; @@ -92,8 +92,8 @@ public final class OidcLogoutEndpointFilter extends OncePerRequestFilter { Assert.hasText(logoutEndpointUri, "logoutEndpointUri cannot be empty"); this.authenticationManager = authenticationManager; this.logoutEndpointMatcher = new OrRequestMatcher( - new AntPathRequestMatcher(logoutEndpointUri, HttpMethod.GET.name()), - new AntPathRequestMatcher(logoutEndpointUri, HttpMethod.POST.name())); + RequestMatcherUtils.matcher(logoutEndpointUri, HttpMethod.GET), + RequestMatcherUtils.matcher(logoutEndpointUri, HttpMethod.POST)); this.authenticationConverter = new OidcLogoutAuthenticationConverter(); } 
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcProviderConfigurationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcProviderConfigurationEndpointFilter.java index 43dffe51..d09f9489 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcProviderConfigurationEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcProviderConfigurationEndpointFilter.java @@ -38,7 +38,7 @@ import org.springframework.security.oauth2.server.authorization.context.Authoriz import org.springframework.security.oauth2.server.authorization.oidc.OidcProviderConfiguration; import org.springframework.security.oauth2.server.authorization.oidc.http.converter.OidcProviderConfigurationHttpMessageConverter; import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; 
@@ -134,10 +134,11 @@ public final class OidcProviderConfigurationEndpointFilter extends OncePerReques } private static RequestMatcher createRequestMatcher() { - final RequestMatcher defaultRequestMatcher = new AntPathRequestMatcher( - DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI, HttpMethod.GET.name()); - final RequestMatcher multipleIssuersRequestMatcher = new AntPathRequestMatcher( - "/**" + DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI, HttpMethod.GET.name()); + final RequestMatcher defaultRequestMatcher = RequestMatcherUtils + .matcher(DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI, HttpMethod.GET); + final RequestMatcher multipleIssuersRequestMatcher = RequestMatcherUtils.matcher( + RequestMatcherUtils.withMultipleIssuersPattern(DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI), + HttpMethod.GET); return (request) -> AuthorizationServerContextHolder.getContext() .getAuthorizationServerSettings() .isMultipleIssuersAllowed() ? multipleIssuersRequestMatcher.matches(request) diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcUserInfoEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcUserInfoEndpointFilter.java index bafa3dc8..ceebc625 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcUserInfoEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcUserInfoEndpointFilter.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
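Review bot: `createRequestMatcher()` in the `@@ -134,10` hunk chooses between the two matchers on every request by dereferencing `AuthorizationServerContextHolder.getContext()`, and nothing in the hunk documents that the context must already be set when this filter runs. Whether the holder can be empty at this point is not visible here, but if it can, the lambda would fail before either matcher is consulted. A one-line comment above the `return` would record the dependency, for example `// Relies on AuthorizationServerContextHolder being populated earlier in the filter chain`. The method body continues past the end of the hunk.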
@@ -39,10 +39,10 @@ import org.springframework.security.oauth2.core.oidc.OidcUserInfo; import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationProvider; import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationToken; import org.springframework.security.oauth2.server.authorization.oidc.http.converter.OidcUserInfoHttpMessageConverter; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; @@ -100,8 +100,8 @@ public final class OidcUserInfoEndpointFilter extends OncePerRequestFilter { Assert.hasText(userInfoEndpointUri, "userInfoEndpointUri cannot be empty"); this.authenticationManager = authenticationManager; this.userInfoEndpointMatcher = new OrRequestMatcher( - new AntPathRequestMatcher(userInfoEndpointUri, HttpMethod.GET.name()), - new AntPathRequestMatcher(userInfoEndpointUri, HttpMethod.POST.name())); + RequestMatcherUtils.matcher(userInfoEndpointUri, HttpMethod.GET), + RequestMatcherUtils.matcher(userInfoEndpointUri, HttpMethod.POST)); } @Override diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/NimbusJwkSetEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/NimbusJwkSetEndpointFilter.java index feec0e1f..54c49fc7 100644 
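Review bot: `userInfoEndpointUri` is only checked with `Assert.hasText` before it is handed to `RequestMatcherUtils.matcher`, which (per the new utility later in this patch) parses it with `PathPatternRequestMatcher` unless it starts with `/**/`. As far as I know that parser is stricter than the removed Ant matcher, expecting a leading `/` and rejecting `**` in the middle of a pattern, so a custom endpoint URI that used to be accepted may now fail at construction or match a different set of paths. I would state the contract in the constructor Javadoc, e.g. `@param userInfoEndpointUri the endpoint URI, parsed as a PathPattern; must start with "/"`, and cover one rejected value in a test. The same applies to the other constructors and factory methods in this patch that pass a caller-supplied URI (JWK set, authorization, device authorization and verification, pushed authorization request, token, introspection and revocation filters). The constructor starts outside this hunk.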
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/NimbusJwkSetEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/NimbusJwkSetEndpointFilter.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,7 +30,7 @@ import jakarta.servlet.http.HttpServletResponse; import org.springframework.http.HttpMethod; import org.springframework.http.MediaType; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; @@ -77,7 +77,7 @@ public final class NimbusJwkSetEndpointFilter extends OncePerRequestFilter { Assert.hasText(jwkSetEndpointUri, "jwkSetEndpointUri cannot be empty"); this.jwkSource = jwkSource; this.jwkSelector = new JWKSelector(new JWKMatcher.Builder().build()); - this.requestMatcher = new AntPathRequestMatcher(jwkSetEndpointUri, HttpMethod.GET.name()); + this.requestMatcher = RequestMatcherUtils.matcher(jwkSetEndpointUri, HttpMethod.GET); } @Override diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java index cda3548b..53b463e8 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java 
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java @@ -46,6 +46,7 @@ import org.springframework.security.oauth2.server.authorization.authentication.O import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationConsentAuthenticationToken; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeRequestAuthenticationConverter; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationConsentAuthenticationConverter; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.DefaultRedirectStrategy; import org.springframework.security.web.RedirectStrategy; import org.springframework.security.web.authentication.AuthenticationConverter; @@ -57,7 +58,6 @@ import org.springframework.security.web.authentication.session.SessionAuthentica import org.springframework.security.web.util.RedirectUrlBuilder; import org.springframework.security.web.util.UrlUtils; import org.springframework.security.web.util.matcher.AndRequestMatcher; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.NegatedRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; 
@@ -146,10 +146,10 @@ public final class OAuth2AuthorizationEndpointFilter extends OncePerRequestFilte } private static RequestMatcher createDefaultRequestMatcher(String authorizationEndpointUri) { - RequestMatcher authorizationRequestGetMatcher = new AntPathRequestMatcher(authorizationEndpointUri, - HttpMethod.GET.name()); - RequestMatcher authorizationRequestPostMatcher = new AntPathRequestMatcher(authorizationEndpointUri, - HttpMethod.POST.name()); + RequestMatcher authorizationRequestGetMatcher = RequestMatcherUtils.matcher(authorizationEndpointUri, + HttpMethod.GET); + RequestMatcher authorizationRequestPostMatcher = RequestMatcherUtils.matcher(authorizationEndpointUri, + HttpMethod.POST); RequestMatcher responseTypeParameterMatcher = ( request) -> request.getParameter(OAuth2ParameterNames.RESPONSE_TYPE) != null; diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java index c2f9e067..932e0aa4 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java 
@@ -36,7 +36,7 @@ import org.springframework.security.oauth2.server.authorization.context.Authoriz import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder; import org.springframework.security.oauth2.server.authorization.http.converter.OAuth2AuthorizationServerMetadataHttpMessageConverter; import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; @@ -129,10 +129,10 @@ public final class OAuth2AuthorizationServerMetadataEndpointFilter extends OnceP } private static RequestMatcher createRequestMatcher() { - final RequestMatcher defaultRequestMatcher = new AntPathRequestMatcher( - DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI, HttpMethod.GET.name()); - final RequestMatcher multipleIssuersRequestMatcher = new AntPathRequestMatcher( - DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI + "/**", HttpMethod.GET.name()); + final RequestMatcher defaultRequestMatcher = RequestMatcherUtils + .matcher(DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI, HttpMethod.GET); + final RequestMatcher multipleIssuersRequestMatcher = RequestMatcherUtils + .matcher(DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI + "/**", HttpMethod.GET); return (request) -> AuthorizationServerContextHolder.getContext() .getAuthorizationServerSettings() .isMultipleIssuersAllowed() ? multipleIssuersRequestMatcher.matches(request) 
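Review bot: The multiple-issuers pattern in `createRequestMatcher()` is still built by inline concatenation, `DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI + "/**"`, while the OIDC provider configuration filter in this patch goes through `RequestMatcherUtils.withMultipleIssuersPattern`. The asymmetry looks intentional, with the wildcard after the well-known segment here and before it there, but nothing in the code says so, and the trailing form lands on the `PathPatternRequestMatcher` branch while the leading form lands on the Ant fallback. A short comment would keep a later cleanup from unifying them, for example `// wildcard is a suffix here, so PathPatternRequestMatcher can parse it; do not switch to withMultipleIssuersPattern`. The method continues past the end of this hunk.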
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilter.java index e98d43b7..6daec75f 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilter.java @@ -42,13 +42,13 @@ import org.springframework.security.oauth2.server.authorization.authentication.O import org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceAuthorizationRequestAuthenticationToken; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2DeviceAuthorizationRequestAuthenticationConverter; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ErrorAuthenticationFailureHandler; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; import org.springframework.security.web.util.RedirectUrlBuilder; import org.springframework.security.web.util.UrlUtils; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; 
@@ -113,8 +113,8 @@ public final class OAuth2DeviceAuthorizationEndpointFilter extends OncePerReques Assert.notNull(authenticationManager, "authenticationManager cannot be null"); Assert.hasText(deviceAuthorizationEndpointUri, "deviceAuthorizationEndpointUri cannot be empty"); this.authenticationManager = authenticationManager; - this.deviceAuthorizationEndpointMatcher = new AntPathRequestMatcher(deviceAuthorizationEndpointUri, - HttpMethod.POST.name()); + this.deviceAuthorizationEndpointMatcher = RequestMatcherUtils.matcher(deviceAuthorizationEndpointUri, + HttpMethod.POST); this.authenticationConverter = new OAuth2DeviceAuthorizationRequestAuthenticationConverter(); } diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilter.java index a479bfc3..d8ec987b 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilter.java 
@@ -43,6 +43,7 @@ import org.springframework.security.oauth2.server.authorization.authentication.O import org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceVerificationAuthenticationToken; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2DeviceAuthorizationConsentAuthenticationConverter; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2DeviceVerificationAuthenticationConverter; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.DefaultRedirectStrategy; import org.springframework.security.web.RedirectStrategy; import org.springframework.security.web.authentication.AuthenticationConverter; @@ -54,7 +55,6 @@ import org.springframework.security.web.authentication.WebAuthenticationDetailsS import org.springframework.security.web.util.RedirectUrlBuilder; import org.springframework.security.web.util.UrlUtils; import org.springframework.security.web.util.matcher.AndRequestMatcher; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; 
@@ -132,10 +132,10 @@ public final class OAuth2DeviceVerificationEndpointFilter extends OncePerRequest } private RequestMatcher createDefaultRequestMatcher(String deviceVerificationEndpointUri) { - RequestMatcher verificationRequestGetMatcher = new AntPathRequestMatcher(deviceVerificationEndpointUri, - HttpMethod.GET.name()); - RequestMatcher verificationRequestPostMatcher = new AntPathRequestMatcher(deviceVerificationEndpointUri, - HttpMethod.POST.name()); + RequestMatcher verificationRequestGetMatcher = RequestMatcherUtils.matcher(deviceVerificationEndpointUri, + HttpMethod.GET); + RequestMatcher verificationRequestPostMatcher = RequestMatcherUtils.matcher(deviceVerificationEndpointUri, + HttpMethod.POST); RequestMatcher userCodeParameterMatcher = ( request) -> request.getParameter(OAuth2ParameterNames.USER_CODE) != null; diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2PushedAuthorizationRequestEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2PushedAuthorizationRequestEndpointFilter.java index fe9f3cce..0187adbf 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2PushedAuthorizationRequestEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2PushedAuthorizationRequestEndpointFilter.java 
@@ -44,11 +44,11 @@ import org.springframework.security.oauth2.server.authorization.authentication.O import org.springframework.security.oauth2.server.authorization.authentication.OAuth2PushedAuthorizationRequestAuthenticationToken; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeRequestAuthenticationConverter; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ErrorAuthenticationFailureHandler; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; @@ -117,8 +117,8 @@ public final class OAuth2PushedAuthorizationRequestEndpointFilter extends OncePe Assert.notNull(authenticationManager, "authenticationManager cannot be null"); Assert.hasText(pushedAuthorizationRequestEndpointUri, "pushedAuthorizationRequestEndpointUri cannot be empty"); this.authenticationManager = authenticationManager; - this.pushedAuthorizationRequestEndpointMatcher = new AntPathRequestMatcher( - pushedAuthorizationRequestEndpointUri, HttpMethod.POST.name()); + this.pushedAuthorizationRequestEndpointMatcher = RequestMatcherUtils + .matcher(pushedAuthorizationRequestEndpointUri, HttpMethod.POST); this.authenticationConverter = new OAuth2AuthorizationCodeRequestAuthenticationConverter(); } 
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java index 829b25a9..1dfd1b24 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java @@ -48,12 +48,12 @@ import org.springframework.security.oauth2.server.authorization.web.authenticati import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ErrorAuthenticationFailureHandler; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2TokenExchangeAuthenticationConverter; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.DelegatingAuthenticationConverter; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; 
@@ -129,7 +129,7 @@ public final class OAuth2TokenEndpointFilter extends OncePerRequestFilter { Assert.notNull(authenticationManager, "authenticationManager cannot be null"); Assert.hasText(tokenEndpointUri, "tokenEndpointUri cannot be empty"); this.authenticationManager = authenticationManager; - this.tokenEndpointMatcher = new AntPathRequestMatcher(tokenEndpointUri, HttpMethod.POST.name()); + this.tokenEndpointMatcher = RequestMatcherUtils.matcher(tokenEndpointUri, HttpMethod.POST); // @formatter:off this.authenticationConverter = new DelegatingAuthenticationConverter( Arrays.asList( diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilter.java index ef8995dd..a6834282 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilter.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2023 the original author or authors. + * Copyright 2020-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -37,10 +37,10 @@ import org.springframework.security.oauth2.server.authorization.authentication.O import org.springframework.security.oauth2.server.authorization.http.converter.OAuth2TokenIntrospectionHttpMessageConverter; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ErrorAuthenticationFailureHandler; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2TokenIntrospectionAuthenticationConverter; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; @@ -98,8 +98,8 @@ public final class OAuth2TokenIntrospectionEndpointFilter extends OncePerRequest Assert.notNull(authenticationManager, "authenticationManager cannot be null"); Assert.hasText(tokenIntrospectionEndpointUri, "tokenIntrospectionEndpointUri cannot be empty"); this.authenticationManager = authenticationManager; - this.tokenIntrospectionEndpointMatcher = new AntPathRequestMatcher(tokenIntrospectionEndpointUri, - HttpMethod.POST.name()); + this.tokenIntrospectionEndpointMatcher = RequestMatcherUtils.matcher(tokenIntrospectionEndpointUri, + HttpMethod.POST); this.authenticationConverter = new OAuth2TokenIntrospectionAuthenticationConverter(); } 
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenRevocationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenRevocationEndpointFilter.java index 506ce998..2ea16b9a 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenRevocationEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenRevocationEndpointFilter.java @@ -36,11 +36,11 @@ import org.springframework.security.oauth2.server.authorization.authentication.O import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenRevocationAuthenticationToken; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ErrorAuthenticationFailureHandler; import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2TokenRevocationAuthenticationConverter; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; 
@@ -98,8 +98,7 @@ public final class OAuth2TokenRevocationEndpointFilter extends OncePerRequestFil Assert.notNull(authenticationManager, "authenticationManager cannot be null"); Assert.hasText(tokenRevocationEndpointUri, "tokenRevocationEndpointUri cannot be empty"); this.authenticationManager = authenticationManager; - this.tokenRevocationEndpointMatcher = new AntPathRequestMatcher(tokenRevocationEndpointUri, - HttpMethod.POST.name()); + this.tokenRevocationEndpointMatcher = RequestMatcherUtils.matcher(tokenRevocationEndpointUri, HttpMethod.POST); this.authenticationConverter = new OAuth2TokenRevocationAuthenticationConverter(); } diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/util/matcher/RequestMatcherUtils.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/util/matcher/RequestMatcherUtils.java new file mode 100644 index 00000000..96e3b32c --- /dev/null +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/util/matcher/RequestMatcherUtils.java 
@@ -0,0 +1,92 @@
+/*
+ * Copyright 2020-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.web.util.matcher;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+
+/**
+ * Utility methods for {@link RequestMatcher}.
+ *
+ *

+ * NOTE: This utility is intended for internal use only.
+ *
+ * @author Joe Grandja
+ * @since 2.0
+ */
+public final class RequestMatcherUtils {
+
+ private RequestMatcherUtils() {
+ }
+
+ public static RequestMatcher matcher(String pattern, HttpMethod httpMethod) {
+ Assert.hasText(pattern, "pattern cannot be empty");
+ Assert.notNull(httpMethod, "httpMethod cannot be null");
+ return containsMultipleIssuersPattern(pattern) ? new AntPathRequestMatcher(pattern, httpMethod)
+ : PathPatternRequestMatcher.withDefaults().matcher(httpMethod, pattern);
+ }
+
+ public static String withMultipleIssuersPattern(String pattern) {
+ Assert.hasText(pattern, "pattern cannot be empty");
+ return pattern.startsWith("/") ? "/**" + pattern : "/**/" + pattern;
+ }
+
+ private static boolean containsMultipleIssuersPattern(String pattern) {
+ return pattern.startsWith("/**/");
+ }
+
+ private static final class AntPathRequestMatcher implements RequestMatcher {
+
+ private final AntPathMatcher matcher;
+
+ private final String pattern;
+
+ private final HttpMethod httpMethod;
+
+ private AntPathRequestMatcher(String pattern, HttpMethod httpMethod) {
+ this.matcher = new AntPathMatcher();
+ this.pattern = pattern;
+ this.httpMethod = httpMethod;
+ }
+
+ @Override
+ public boolean matches(HttpServletRequest request) {
+ if (StringUtils.hasText(request.getMethod())
+ && this.httpMethod != HttpMethod.valueOf(request.getMethod())) {
+ return false;
+ }
+ String requestPath = getRequestPath(request);
+ return this.matcher.match(this.pattern, requestPath);
+ }
+
+ private static String getRequestPath(HttpServletRequest request) {
+ String url = request.getServletPath();
+ String pathInfo = request.getPathInfo();
+ if (pathInfo != null) {
+ url = StringUtils.hasLength(url) ? url + pathInfo : pathInfo;
+ }
+ return url;
+ }
+
+ }
+
+}
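Review bot: `RequestMatcherUtils.matcher` returns two matchers that read the request differently: the private `AntPathRequestMatcher` matches `getServletPath()` plus `getPathInfo()`, while the other branch delegates to `PathPatternRequestMatcher`, so turning on multiple issuers presumably changes which view of the path an endpoint filter is matched against. For filters that guard token and metadata endpoints, the two views should be shown to agree on path parameters, encoded characters and a trailing slash, and the file list of this patch shows no test class for the utility. In `matches`, the method check uses reference inequality, which holds only while both sides are the shared `HttpMethod` constants; `&& !this.httpMethod.equals(HttpMethod.valueOf(request.getMethod()))` does not depend on that. The public methods also lack Javadoc; `matcher` should say that patterns starting with `/**/` are routed to the Ant-based fallback and why.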
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilterTests.java index 97dc1750..c1910c6a 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -44,9 +44,9 @@ import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMe import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.WebAuthenticationDetails; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import static org.assertj.core.api.Assertions.assertThat; 
@@ -80,7 +80,7 @@ public class OAuth2ClientAuthenticationFilterTests { @BeforeEach public void setUp() { this.authenticationManager = mock(AuthenticationManager.class); - this.requestMatcher = new AntPathRequestMatcher(this.filterProcessesUrl, HttpMethod.POST.name()); + this.requestMatcher = RequestMatcherUtils.matcher(this.filterProcessesUrl, HttpMethod.POST); this.filter = new OAuth2ClientAuthenticationFilter(this.authenticationManager, this.requestMatcher); this.authenticationConverter = mock(AuthenticationConverter.class); this.filter.setAuthenticationConverter(this.authenticationConverter); diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilterTests.java index 77a10e75..19b8ce87 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2024 the original author or authors. + * Copyright 2020-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -253,6 +253,8 @@ public class OAuth2DeviceAuthorizationEndpointFilterTests { MockHttpServletRequest request = createRequest(); request.setContextPath("/contextPath"); + request.setRequestURI("/contextPath" + AUTHORIZATION_URI); + MockHttpServletResponse response = new MockHttpServletResponse(); FilterChain filterChain = mock(FilterChain.class); this.filter.doFilter(request, response, filterChain); 
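Review bot: The added `request.setRequestURI("/contextPath" + AUTHORIZATION_URI)` suggests that the matcher built by `RequestMatcherUtils.matcher` no longer matches on the servlet path alone, yet this test covers only the default branch. Nothing in the visible tests exercises the `/**/` (multiple issuers) branch with a context path, where the utility falls back to `getServletPath()` and `getPathInfo()`. A sibling test that sets both a context path and an issuer path segment would pin down that the two branches accept and reject the same requests. The test method starts before this hunk.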
diff --git a/samples/demo-authorizationserver/src/main/java/sample/web/authentication/DeviceClientAuthenticationConverter.java b/samples/demo-authorizationserver/src/main/java/sample/web/authentication/DeviceClientAuthenticationConverter.java index aa1cbfef..284164d5 100644 --- a/samples/demo-authorizationserver/src/main/java/sample/web/authentication/DeviceClientAuthenticationConverter.java +++ b/samples/demo-authorizationserver/src/main/java/sample/web/authentication/DeviceClientAuthenticationConverter.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2023 the original author or authors. + * Copyright 2020-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,7 +16,6 @@ package sample.web.authentication; import jakarta.servlet.http.HttpServletRequest; - import sample.authentication.DeviceClientAuthenticationToken; import org.springframework.http.HttpMethod; @@ -27,9 +26,9 @@ import org.springframework.security.oauth2.core.ClientAuthenticationMethod; import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.OAuth2ErrorCodes; import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; +import org.springframework.security.oauth2.server.authorization.web.util.matcher.RequestMatcherUtils; import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.util.matcher.AndRequestMatcher; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.StringUtils; 
@@ -46,8 +45,7 @@ public final class DeviceClientAuthenticationConverter implements Authentication RequestMatcher clientIdParameterMatcher = request -> request.getParameter(OAuth2ParameterNames.CLIENT_ID) != null; this.deviceAuthorizationRequestMatcher = new AndRequestMatcher( - new AntPathRequestMatcher( - deviceAuthorizationEndpointUri, HttpMethod.POST.name()), + RequestMatcherUtils.matcher(deviceAuthorizationEndpointUri, HttpMethod.POST), clientIdParameterMatcher); this.deviceAccessTokenRequestMatcher = request -> AuthorizationGrantType.DEVICE_CODE.getValue().equals(request.getParameter(OAuth2ParameterNames.GRANT_TYPE)) &&
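Review bot: The sample now calls `RequestMatcherUtils`, whose Javadoc in this same patch says it is intended for internal use only. Sample code is what users copy, so this invites applications to depend on a class the project does not treat as API. Calling the public matcher directly keeps the sample on supported surface: `PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, deviceAuthorizationEndpointUri)`. The enclosing constructor starts and ends outside this hunk.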