Polish ignoring() log messaging

- Public API remains unchanged

Issue gh-9334

config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java

@@ -54,7 +54,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 
 	private ApplicationContext context;
 
-	protected boolean anyRequestConfigured = false;
+	private boolean anyRequestConfigured = false;
 
 	protected final void setApplicationContext(ApplicationContext context) {
 		this.context = context;
@@ -166,8 +166,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 		if (!this.context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
 			throw new NoSuchBeanDefinitionException("A Bean named " + HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME
 					+ " of type " + HandlerMappingIntrospector.class.getName()
-					+ " is required to use MvcRequestMatcher."
-					+ " Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
+					+ " is required to use MvcRequestMatcher. Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
 		}
 		HandlerMappingIntrospector introspector = this.context.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME,
 				HandlerMappingIntrospector.class);
@@ -267,7 +266,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 	 * @author Rob Winch
 	 * @since 3.2
 	 */
-	public static final class RequestMatchers {
+	private static final class RequestMatchers {
 
 		private RequestMatchers() {
 		}
@@ -280,7 +279,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 		 * from
 		 * @return a {@link List} of {@link AntPathRequestMatcher} instances
 		 */
-		public static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
+		static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
 			String method = (httpMethod != null) ? httpMethod.toString() : null;
 			List<RequestMatcher> matchers = new ArrayList<>();
 			for (String pattern : antPatterns) {
@@ -296,7 +295,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 		 * from
 		 * @return a {@link List} of {@link AntPathRequestMatcher} instances
 		 */
-		public static List<RequestMatcher> antMatchers(String... antPatterns) {
+		static List<RequestMatcher> antMatchers(String... antPatterns) {
 			return antMatchers(null, antPatterns);
 		}
 

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -17,7 +17,6 @@
 package org.springframework.security.config.annotation.web.builders;
 
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
 
 import javax.servlet.Filter;
@@ -31,7 +30,6 @@ import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
-import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
@@ -62,7 +60,6 @@ import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.firewall.RequestRejectedHandler;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
-import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
 import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcherEntry;
@@ -111,7 +108,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 
 	private WebInvocationPrivilegeEvaluator privilegeEvaluator;
 
-	private final DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
+	private DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
 
 	private SecurityExpressionHandler<FilterInvocation> expressionHandler = this.defaultWebSecurityExpressionHandler;
 
@@ -294,6 +291,8 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 		List<SecurityFilterChain> securityFilterChains = new ArrayList<>(chainSize);
 		List<RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>>> requestMatcherPrivilegeEvaluatorsEntries = new ArrayList<>();
 		for (RequestMatcher ignoredRequest : this.ignoredRequests) {
+			WebSecurity.this.logger.warn("You are asking Spring Security to ignore " + ignoredRequest
+					+ ". This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.");
 			SecurityFilterChain securityFilterChain = new DefaultSecurityFilterChain(ignoredRequest);
 			securityFilterChains.add(securityFilterChain);
 			requestMatcherPrivilegeEvaluatorsEntries
@@ -423,8 +422,6 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 		@Override
 		public MvcMatchersIgnoredRequestConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
 			List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
-			Arrays.asList(mvcPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
-			mvcMatchers.stream().forEach((t) -> t.ignore());
 			WebSecurity.this.ignoredRequests.addAll(mvcMatchers);
 			return new MvcMatchersIgnoredRequestConfigurer(getApplicationContext(), mvcMatchers);
 		}
@@ -434,38 +431,6 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 			return mvcMatchers(null, mvcPatterns);
 		}
 
-		/**
-		 * @since 5.5
-		 */
-		@Override
-		public IgnoredRequestConfigurer antMatchers(HttpMethod method) {
-			return antMatchers(method, "/**");
-		}
-
-		/**
-		 * @since 5.5
-		 */
-		@Override
-		public IgnoredRequestConfigurer antMatchers(HttpMethod method, String... antPatterns) {
-			Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
-			List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(method, antPatterns);
-			Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
-			antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
-			return chainRequestMatchers(antMatchers);
-		}
-
-		/**
-		 * @since 5.5
-		 */
-		@Override
-		public IgnoredRequestConfigurer antMatchers(String... antPatterns) {
-			Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
-			List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(antPatterns);
-			Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(null, t));
-			antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
-			return chainRequestMatchers(RequestMatchers.antMatchers(antPatterns));
-		}
-
 		@Override
 		protected IgnoredRequestConfigurer chainRequestMatchers(List<RequestMatcher> requestMatchers) {
 			WebSecurity.this.ignoredRequests.addAll(requestMatchers);
@@ -479,33 +444,6 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 			return WebSecurity.this;
 		}
 
-		/**
-		 * @param method the HttpMethod, it could be null too.
-		 * @param pathPattern the path pattern to be ignored
-		 * @since 5.5
-		 */
-		private void printWarnSecurityMessage(HttpMethod method, String pathPattern) {
-			if (pathPattern.equals("/**")) {
-				WebSecurity.this.logger
-						.warn("**********************************************************************************");
-				if (method != null) {
-					WebSecurity.this.logger.warn(LogMessage.format(
-							"Applying explicit instruction to ignore the '/**' path for the HttpMethod: %s", method));
-					WebSecurity.this.logger.warn("You're disabling practically all the paths for that HttpMethod");
-					WebSecurity.this.logger
-							.warn("Therefore any path for that HttpMethod is completely ignored by Spring Security");
-				}
-				else {
-					WebSecurity.this.logger.warn("Applying explicit instruction to ignore the '/**' path");
-					WebSecurity.this.logger.warn("You're disabling practically all the paths");
-					WebSecurity.this.logger.warn("Therefore any path is completely ignored by Spring Security");
-				}
-				WebSecurity.this.logger.warn("It is not recomended for production");
-				WebSecurity.this.logger
-						.warn("**********************************************************************************");
-			}
-		}
-
 	}
 
 }

config/src/test/java/org/springframework/security/config/annotation/web/configuration/ignore/package-info.java

@@ -1,50 +0,0 @@
-/*
- * Copyright 2002-2021 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * Test package for path patterns that must be ignored by Spring Security and must be
- * indicated/notified through the output, it thanks to the
- * <code>DefaultSecurityFilterChain</code>'s constructor.
- *
- * <p>
- * <b>NOTE:</b> be advised that to test if a path(s) was really ignored or not, by
- * simplicity, is checking the output shown in the test report, it based with the pattern
- * <code>"Will not secure /ABC"</code>, where <code>ABC</code> was defined through the
- * <code>web.ignoring()</code> approach. Is very important edit the
- * <code>logback-test.xml</code> file (of this module) to change
- * <code>level="${sec.log.level:-WARN}"</code> to
- * <code>level="${sec.log.level:-INFO}"</code>
- *
- * <p>
- * In the handler methods do not return the view name (i.e:
- * <code>return "something"</code>) based on the path value (i.e:
- * <code>@GetMapping(path = "/something")</code>), otherwise the tests fail with:
- *
- * <pre class="code">
- * javax.servlet.ServletException:
- * Circular view path [something]:
- * would dispatch back to the current handler URL [/something] again.
- * Check your ViewResolver setup!
- * (Hint: This may be the result of an unspecified view, due to default view name generation.)
- * </pre>
- *
- * That's why the all handler methods are based with the
- * <code>return "something/something"</code> pattern.
- *
- * @author Manuel Jordan
- * @since 5.5
- */
-package org.springframework.security.config.annotation.web.configuration.ignore;

web/src/main/java/org/springframework/security/web/DefaultSecurityFilterChain.java

@@ -27,7 +27,6 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import org.springframework.core.log.LogMessage;
-import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
 /**
@@ -49,14 +48,8 @@ public final class DefaultSecurityFilterChain implements SecurityFilterChain {
 	}
 
 	public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters) {
-		if (requestMatcher instanceof IgnoreRequestMatcher) {
-			IgnoreRequestMatcher ignoreRequestMatcher = (IgnoreRequestMatcher) requestMatcher;
-			if (ignoreRequestMatcher.isIgnore()) {
-				logger.info(LogMessage.format("Will not secure %s with %s", requestMatcher, filters));
-			}
-			else {
-				logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));
-			}
+		if (!filters.isEmpty()) {
+			logger.info(LogMessage.format("Will not secure %s", requestMatcher));
 		}
 		else {
 			logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));

web/src/main/java/org/springframework/security/web/server/restriction/IgnoreRequestMatcher.java

@@ -1,37 +0,0 @@
-/*
- * Copyright 2002-2021 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.web.server.restriction;
-
-/**
- * Indicates if the path should be ignored or not by Spring Security.
- *
- * @author Manuel Jordan
- * @since 5.5
- */
-public interface IgnoreRequestMatcher {
-
-	/**
-	 * Establishes the path must be ignored.
-	 */
-	void ignore();
-
-	/**
-	 * If the path should be ignored or not.
-	 */
-	boolean isIgnore();
-
-}

web/src/main/java/org/springframework/security/web/servlet/util/matcher/MvcRequestMatcher.java

@@ -21,7 +21,6 @@ import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.http.HttpMethod;
-import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.util.matcher.RequestVariablesExtractor;
 import org.springframework.util.AntPathMatcher;
@@ -45,10 +44,9 @@ import org.springframework.web.util.UrlPathHelper;
  * @author Rob Winch
  * @author Eddú Meléndez
  * @author Evgeniy Cheban
- * @author Manuel Jordan
  * @since 4.1.1
  */
-public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtractor, IgnoreRequestMatcher {
+public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtractor {
 
 	private final DefaultMatcher defaultMatcher = new DefaultMatcher();
 
@@ -60,12 +58,9 @@ public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtrac
 
 	private String servletPath;
 
-	private boolean ignore;
-
 	public MvcRequestMatcher(HandlerMappingIntrospector introspector, String pattern) {
 		this.introspector = introspector;
 		this.pattern = pattern;
-		this.ignore = false;
 	}
 
 	@Override
@@ -134,16 +129,6 @@ public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtrac
 		return this.servletPath;
 	}
 
-	@Override
-	public void ignore() {
-		this.ignore = true;
-	}
-
-	@Override
-	public boolean isIgnore() {
-		return this.ignore;
-	}
-
 	@Override
 	public String toString() {
 		StringBuilder sb = new StringBuilder();

web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java

@@ -22,7 +22,6 @@ import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.http.HttpMethod;
-import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
@@ -54,7 +53,7 @@ import org.springframework.web.util.UrlPathHelper;
  * @since 3.1
  * @see org.springframework.util.AntPathMatcher
  */
-public final class AntPathRequestMatcher implements RequestMatcher, RequestVariablesExtractor, IgnoreRequestMatcher {
+public final class AntPathRequestMatcher implements RequestMatcher, RequestVariablesExtractor {
 
 	private static final String MATCH_ALL = "/**";
 
@@ -68,8 +67,6 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
 
 	private final UrlPathHelper urlPathHelper;
 
-	private boolean ignore;
-
 	/**
 	 * Creates a matcher with the specific pattern which will match all HTTP methods in a
 	 * case sensitive manner.
@@ -135,7 +132,6 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
 		this.pattern = pattern;
 		this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null;
 		this.urlPathHelper = urlPathHelper;
-		this.ignore = false;
 	}
 
 	/**
@@ -175,16 +171,6 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
 		return MatchResult.match(this.matcher.extractUriTemplateVariables(url));
 	}
 
-	@Override
-	public void ignore() {
-		this.ignore = true;
-	}
-
-	@Override
-	public boolean isIgnore() {
-		return this.ignore;
-	}
-
 	private String getRequestPath(HttpServletRequest request) {
 		if (this.urlPathHelper != null) {
 			return this.urlPathHelper.getPathWithinApplication(request);