Closed
Description
Describe the bug
Starting with the latest changes to AbstractRequestMatcherRegistry, CsrfConfigurer.ignoringRequestMatchers is now broken, as it raises the following exception:
Caused by: java.lang.IllegalArgumentException: This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).
    at org.springframework.util.Assert.isTrue(Assert.java:122) ~[spring-core-6.0.11.jar:6.0.11]
    at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.requestMatchers(AbstractRequestMatcherRegistry.java:204) ~[spring-security-config-6.1.2.jar:6.1.2]
    at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.requestMatchers(AbstractRequestMatcherRegistry.java:248) ~[spring-security-config-6.1.2.jar:6.1.2]
    at org.springframework.security.config.annotation.web.configurers.CsrfConfigurer.ignoringRequestMatchers(CsrfConfigurer.java:198) ~[spring-security-config-6.1.2.jar:6.1.2]
To Reproduce
Just configure matchers to ignore CSRF with:
    private static final String API_ROOT = "/moneyflow/server";
    private static final String[] OPEN_ENDPOINTS = { API_ROOT + "/user/login",
            API_ROOT + "/importedbalance/createImportedBalance",
            API_ROOT + "/importedmoneyflow/createImportedMoneyflow",
            API_ROOT + "/importedmonthlysettlement/createImportedMonthlySettlement" };
    [...]
            .csrf(configurer -> {
                configurer.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
                configurer.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
                configurer.ignoringRequestMatchers(OPEN_ENDPOINTS);
            })
    [...]
The complete Security Configuration can be seen here: https://github.com/OlliL/moneyjinn-server/blob/master/moneyjinn-server/src/main/java/org/laladev/moneyjinn/server/config/SecurityConfig.java
Expected behavior
Works as it did with 6.1.1?
Sample
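The exception text above asks for explicit matcher types instead of String patterns. As an added example (not code from this issue or from the Spring Security project), the sketch below hands `ignoringRequestMatchers` explicit `AntPathRequestMatcher` instances; the class name and the `antMatchers` helper are hypothetical, and it assumes the endpoints should be matched as Ant paths rather than through `MvcRequestMatcher`.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical configuration class, written for illustration only.
@Configuration
public class ExplicitCsrfIgnoreConfig {

    private static final String API_ROOT = "/moneyflow/server";
    private static final String[] OPEN_ENDPOINTS = { API_ROOT + "/user/login",
            API_ROOT + "/importedbalance/createImportedBalance",
            API_ROOT + "/importedmoneyflow/createImportedMoneyflow",
            API_ROOT + "/importedmonthlysettlement/createImportedMonthlySettlement" };

    // Hypothetical helper: one explicit Ant matcher per pattern, so the
    // String overload that has to guess "MVC or Ant?" is never invoked.
    private static RequestMatcher[] antMatchers(String... patterns) {
        return Arrays.stream(patterns)
                .map(pattern -> AntPathRequestMatcher.antMatcher(pattern))
                .toArray(RequestMatcher[]::new);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(configurer -> {
            configurer.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
            configurer.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
            // RequestMatcher overload: the matcher type is stated, not inferred.
            // Only these exact paths skip CSRF validation; every other request
            // still goes through the token check.
            configurer.ignoringRequestMatchers(antMatchers(OPEN_ENDPOINTS));
        });
        return http.build();
    }
}
```

If the endpoints are Spring MVC handlers that should be matched with MVC semantics, the exception message points to `MvcRequestMatcher` instead; either way, review each CSRF-exempt path after the change to confirm the exemption still covers exactly the intended endpoints.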