
6.1.2 - CsrfConfigurer.ignoringRequestMatchers broken #13576

Closed

@OlliL

Description

Describe the bug
Starting with the latest changes to AbstractRequestMatcherRegistry, CsrfConfigurer.ignoringRequestMatchers is now broken, as it raises the following exception:

Caused by: java.lang.IllegalArgumentException: This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).
	at org.springframework.util.Assert.isTrue(Assert.java:122) ~[spring-core-6.0.11.jar:6.0.11]
	at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.requestMatchers(AbstractRequestMatcherRegistry.java:204) ~[spring-security-config-6.1.2.jar:6.1.2]
	at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.requestMatchers(AbstractRequestMatcherRegistry.java:248) ~[spring-security-config-6.1.2.jar:6.1.2]
	at org.springframework.security.config.annotation.web.configurers.CsrfConfigurer.ignoringRequestMatchers(CsrfConfigurer.java:198) ~[spring-security-config-6.1.2.jar:6.1.2]

To Reproduce
Just configure matchers to ignore CSRF with:

  private static final String API_ROOT = "/moneyflow/server";

  private static final String[] OPEN_ENDPOINTS = { API_ROOT + "/user/login",
      API_ROOT + "/importedbalance/createImportedBalance",
      API_ROOT + "/importedmoneyflow/createImportedMoneyflow",
      API_ROOT + "/importedmonthlysettlement/createImportedMonthlySettlement" };

[...]
        .csrf(configurer -> {
          configurer.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
          configurer.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
          configurer.ignoringRequestMatchers(OPEN_ENDPOINTS);
        })
[...]

The complete Security Configuration can be seen here: https://github.com/OlliL/moneyjinn-server/blob/master/moneyjinn-server/src/main/java/org/laladev/moneyjinn/server/config/SecurityConfig.java

Expected behavior
works as it did with 6.1.1?

Sample
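The assertion in the stack trace above is the configurer refusing to guess: with Spring MVC present, a bare String pattern passed to requestMatchers(String...) could mean either an MvcRequestMatcher or an AntPathRequestMatcher, and a wrong guess could exempt a different set of URLs from CSRF protection than intended. Failing at startup is the fail-closed outcome. The example below is added here and is not code from the original issue or from the moneyjinn-server project; it shows the two explicit alternatives the exception message names, both built from the same OPEN_ENDPOINTS array the issue uses. It assumes Spring Security 6.1.x with a HandlerMappingIntrospector bean available (Spring Boot registers one when Spring MVC is on the classpath); the class name CsrfIgnoreConfig and the helper names are this example's own.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

// Example configuration (not the project's own). Both helpers produce explicit
// RequestMatcher instances, so CsrfConfigurer.ignoringRequestMatchers(RequestMatcher...)
// is called and the ambiguous String-based overload is never reached.
@Configuration
public class CsrfIgnoreConfig {

  private static final String API_ROOT = "/moneyflow/server";

  private static final String[] OPEN_ENDPOINTS = { API_ROOT + "/user/login",
      API_ROOT + "/importedbalance/createImportedBalance",
      API_ROOT + "/importedmoneyflow/createImportedMoneyflow",
      API_ROOT + "/importedmonthlysettlement/createImportedMonthlySettlement" };

  // Option A: Ant-style matching. Independent of Spring MVC's handler mappings,
  // so it matches purely on the servlet path; it does not know about MVC's
  // path-matching options (e.g. trailing-slash handling).
  static RequestMatcher[] antMatchers(String... patterns) {
    return Arrays.stream(patterns)
        .map(AntPathRequestMatcher::antMatcher)
        .toArray(RequestMatcher[]::new);
  }

  // Option B: MVC matching. Uses Spring MVC's own path matching, so the CSRF
  // exemption follows exactly the same rules the controller mapping does.
  // Preferable when the exempted endpoints are Spring MVC controllers.
  static RequestMatcher[] mvcMatchers(HandlerMappingIntrospector introspector,
                                      String... patterns) {
    MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector);
    return Arrays.stream(patterns)
        .map(mvc::pattern)
        .toArray(RequestMatcher[]::new);
  }

  @Bean
  SecurityFilterChain filterChain(HttpSecurity http,
                                  HandlerMappingIntrospector introspector) throws Exception {
    http.csrf(csrf -> csrf
        .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        // Explicit matchers: swap in antMatchers(OPEN_ENDPOINTS) for option A.
        .ignoringRequestMatchers(mvcMatchers(introspector, OPEN_ENDPOINTS)));
    return http.build();
  }
}
```

Whichever matcher type is chosen, the list of CSRF-exempt endpoints is a security boundary and should stay as short as possible; the matcher type only decides how a request path is compared against that list, not whether an endpoint belongs on it.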

Metadata

Labels

in: config (An issue in spring-security-config)
status: duplicate (A duplicate of another issue)
type: bug (A general bug)