Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

6.1.2 - CsrfCongigurer.ignoringRequestMatchers broken #13576

Closed
OlliL opened this issue Jul 23, 2023 · 2 comments
Closed

6.1.2 - CsrfCongigurer.ignoringRequestMatchers broken #13576

OlliL opened this issue Jul 23, 2023 · 2 comments
Assignees
Labels
in: config An issue in spring-security-config status: duplicate A duplicate of another issue type: bug A general bug

Comments

@OlliL
Copy link

OlliL commented Jul 23, 2023

Describe the bug
Starting with the latest changes toAbstractRequestMatcherRegistry CsrfConfigurer.ignoringRequestMatchers is now broken as it raises the following exception:

Caused by: java.lang.IllegalArgumentException: This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).
	at org.springframework.util.Assert.isTrue(Assert.java:122) ~[spring-core-6.0.11.jar:6.0.11]
	at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.requestMatchers(AbstractRequestMatcherRegistry.java:204) ~[spring-security-config-6.1.2.jar:6.1.2]
	at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.requestMatchers(AbstractRequestMatcherRegistry.java:248) ~[spring-security-config-6.1.2.jar:6.1.2]
	at org.springframework.security.config.annotation.web.configurers.CsrfConfigurer.ignoringRequestMatchers(CsrfConfigurer.java:198) ~[spring-security-config-6.1.2.jar:6.1.2]

To Reproduce
Just configure matchers to ignore CSRF with:

  private static final String API_ROOT = "/moneyflow/server";

  private static final String[] OPEN_ENDPOINTS = { API_ROOT + "/user/login",
      API_ROOT + "/importedbalance/createImportedBalance",
      API_ROOT + "/importedmoneyflow/createImportedMoneyflow",
      API_ROOT + "/importedmonthlysettlement/createImportedMonthlySettlement" };

[...]
        .csrf(configurer -> {
          configurer.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
          configurer.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
          configurer.ignoringRequestMatchers(OPEN_ENDPOINTS);
        })
[...]

The complete Security Configuration can be seen here: https://github.com/OlliL/moneyjinn-server/blob/master/moneyjinn-server/src/main/java/org/laladev/moneyjinn/server/config/SecurityConfig.java

Expected behavior
works as it did with 6.1.1?

Sample

@OlliL OlliL added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jul 23, 2023
OlliL added a commit to OlliL/moneyjinn-server that referenced this issue Jul 23, 2023
@dreis2211
Copy link
Contributor

This is likely a duplicate of #13568

@jzheaux jzheaux self-assigned this Jul 24, 2023
@jzheaux jzheaux added status: duplicate A duplicate of another issue in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 24, 2023
@jzheaux
Copy link
Contributor

jzheaux commented Jul 24, 2023

Thanks for the report, @OlliL.

As @dreis2211 also pointed out, this is a duplicate of #13568, so I'll close in favor of that.

@jzheaux jzheaux closed this as completed Jul 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: config An issue in spring-security-config status: duplicate A duplicate of another issue type: bug A general bug
Projects
None yet
Development

No branches or pull requests

3 participants