From c263c85de878f52dbd05aa44c7d2899cd2744684 Mon Sep 17 00:00:00 2001 From: Phillip Webb Date: Thu, 10 Apr 2025 13:48:19 -0700 Subject: [PATCH] Start building against Spring Security 6.5.0-RC1 snapshots See gh-45147 --- .../servlet/CloudFoundryActuatorAutoConfiguration.java | 10 ++++++---- .../servlet/AntPathRequestMatcherProvider.java | 4 +++- .../security/servlet/EndpointRequest.java | 5 +++-- .../autoconfigure/security/servlet/PathRequest.java | 5 +++-- .../security/servlet/StaticResourceRequest.java | 5 +++-- .../spring-boot-dependencies/build.gradle | 2 +- .../RemoteDevtoolsSecurityConfiguration.java | 4 ++-- .../actuator/customsecurity/SecurityConfiguration.java | 1 + 8 files changed, 22 insertions(+), 14 deletions(-) diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfiguration.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfiguration.java index 1e40af4cd48..4b4c2d4c38c 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfiguration.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfiguration.java @@ -62,7 +62,6 @@ import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.web.WebSecurityConfigurer; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.web.cors.CorsConfiguration; @@ -184,12 +183,15 @@ public class CloudFoundryActuatorAutoConfiguration { } @Override + @SuppressWarnings("removal") public void customize(WebSecurity web) { List requestMatchers = new ArrayList<>(); this.pathMappedEndpoints.getAllPaths() - .forEach((path) -> requestMatchers.add(new AntPathRequestMatcher(path + "/**"))); - requestMatchers.add(new AntPathRequestMatcher(BASE_PATH)); - requestMatchers.add(new AntPathRequestMatcher(BASE_PATH + "/")); + .forEach((path) -> requestMatchers + .add(new org.springframework.security.web.util.matcher.AntPathRequestMatcher(path + "/**"))); + requestMatchers.add(new org.springframework.security.web.util.matcher.AntPathRequestMatcher(BASE_PATH)); + requestMatchers + .add(new org.springframework.security.web.util.matcher.AntPathRequestMatcher(BASE_PATH + "/")); web.ignoring().requestMatchers(new OrRequestMatcher(requestMatchers)); } diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AntPathRequestMatcherProvider.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AntPathRequestMatcherProvider.java index 430fb4e05fe..62b477cffac 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AntPathRequestMatcherProvider.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AntPathRequestMatcherProvider.java @@ -37,9 +37,11 @@ class AntPathRequestMatcherProvider implements RequestMatcherProvider { } @Override + @SuppressWarnings("removal") public RequestMatcher getRequestMatcher(String pattern, HttpMethod httpMethod) { String path = this.pathFactory.apply(pattern); - return new AntPathRequestMatcher(path, (httpMethod != null) ? httpMethod.name() : null); + return new org.springframework.security.web.util.matcher.AntPathRequestMatcher(path, + (httpMethod != null) ? httpMethod.name() : null); } } diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java index 295f3d76f51..daf3eb5cc72 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java @@ -42,7 +42,6 @@ import org.springframework.context.ApplicationContext; import org.springframework.core.annotation.MergedAnnotation; import org.springframework.core.annotation.MergedAnnotations; import org.springframework.http.HttpMethod; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; @@ -232,12 +231,14 @@ public final class EndpointRequest { return linksMatchers; } + @SuppressWarnings("removal") protected RequestMatcherProvider getRequestMatcherProvider(WebApplicationContext context) { try { return getRequestMatcherProviderBean(context); } catch (NoSuchBeanDefinitionException ex) { - return (pattern, method) -> new AntPathRequestMatcher(pattern, (method != null) ? method.name() : null); + return (pattern, method) -> new org.springframework.security.web.util.matcher.AntPathRequestMatcher( + pattern, (method != null) ? method.name() : null); } } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/PathRequest.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/PathRequest.java index c1dfaa4831a..530d30a044f 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/PathRequest.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/PathRequest.java @@ -24,7 +24,6 @@ import org.springframework.boot.autoconfigure.h2.H2ConsoleProperties; import org.springframework.boot.autoconfigure.security.StaticResourceLocation; import org.springframework.boot.security.servlet.ApplicationContextRequestMatcher; import org.springframework.boot.web.context.WebServerApplicationContext; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.web.context.WebApplicationContext; @@ -77,8 +76,10 @@ public final class PathRequest { } @Override + @SuppressWarnings("removal") protected void initialized(Supplier h2ConsoleProperties) { - this.delegate = new AntPathRequestMatcher(h2ConsoleProperties.get().getPath() + "/**"); + this.delegate = new org.springframework.security.web.util.matcher.AntPathRequestMatcher( + h2ConsoleProperties.get().getPath() + "/**"); } @Override diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/StaticResourceRequest.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/StaticResourceRequest.java index ef8a72bc5cd..67fd2a22314 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/StaticResourceRequest.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/StaticResourceRequest.java @@ -28,7 +28,6 @@ import org.springframework.boot.autoconfigure.security.StaticResourceLocation; import org.springframework.boot.autoconfigure.web.servlet.DispatcherServletPath; import org.springframework.boot.security.servlet.ApplicationContextRequestMatcher; import org.springframework.boot.web.context.WebServerApplicationContext; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; @@ -135,8 +134,10 @@ public final class StaticResourceRequest { this.delegate = new OrRequestMatcher(getDelegateMatchers(dispatcherServletPath.get()).toList()); } + @SuppressWarnings("removal") private Stream getDelegateMatchers(DispatcherServletPath dispatcherServletPath) { - return getPatterns(dispatcherServletPath).map(AntPathRequestMatcher::new); + return getPatterns(dispatcherServletPath) + .map(org.springframework.security.web.util.matcher.AntPathRequestMatcher::new); } private Stream getPatterns(DispatcherServletPath dispatcherServletPath) { diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle index 79567c4f8e3..41f32d73f83 100644 --- a/spring-boot-project/spring-boot-dependencies/build.gradle +++ b/spring-boot-project/spring-boot-dependencies/build.gradle @@ -2362,7 +2362,7 @@ bom { releaseNotes("https://github.com/spring-projects/spring-retry/releases/tag/v{version}") } } - library("Spring Security", "6.5.0-M3") { + library("Spring Security", "6.5.0-SNAPSHOT") { considerSnapshots() group("org.springframework.security") { bom("spring-security-bom") diff --git a/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java b/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java index 841fe0e1af1..0a306881d90 100644 --- a/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java +++ b/spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java @@ -25,7 +25,6 @@ import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer; import org.springframework.security.web.SecurityFilterChain; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; /** * Spring Security configuration that allows anonymous access to the remote devtools @@ -46,9 +45,10 @@ class RemoteDevtoolsSecurityConfiguration { } @Bean + @SuppressWarnings("removal") @Order(SecurityProperties.BASIC_AUTH_ORDER - 1) SecurityFilterChain devtoolsSecurityFilterChain(HttpSecurity http) throws Exception { - http.securityMatcher(new AntPathRequestMatcher(this.url)); + http.securityMatcher(new org.springframework.security.web.util.matcher.AntPathRequestMatcher(this.url)); http.authorizeHttpRequests((requests) -> requests.anyRequest().anonymous()); http.csrf(CsrfConfigurer::disable); return http.build(); diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java index de982109e20..4826137ba18 100644 --- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java @@ -58,6 +58,7 @@ public class SecurityConfiguration { } @Bean + @SuppressWarnings("removal") SecurityFilterChain configure(HttpSecurity http, HandlerMappingIntrospector handlerMappingIntrospector) throws Exception { http.authorizeHttpRequests((requests) -> {