This migration was required because of vulnerability CVE-2023-34035 (Spring Security).
If you get an error like the following:

```text
This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).
```

you should use a complete RequestMatcher instead of a bare String pattern.
For example, if an application has a servlet deployed to /my-servlet/* and authorizes that traffic like so:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Bean
SecurityFilterChain appSecurity(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests((authorize) -> authorize
            // Ambiguous: a String pattern could be a Spring MVC pattern or a plain servlet path
            .requestMatchers("/my-servlet/**").hasRole("USER")
            .requestMatchers("/spring-mvc-controller/**").hasRole("USER")
            .anyRequest().authenticated()
        );
    // ...
    return http.build();
}
```
then the application should instead do the following:
```java
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

@Bean
MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
    return new MvcRequestMatcher.Builder(introspector);
}

@Bean
SecurityFilterChain appSecurity(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
    http
        .authorizeHttpRequests((authorize) -> authorize
            // Plain servlet at /my-servlet/*: match on the servlet path, not through Spring MVC
            .requestMatchers(antMatcher("/my-servlet/*")).hasRole("USER")
            // Spring MVC controller: match through the MVC handler mappings
            .requestMatchers(mvc.pattern("/spring-mvc-controller/**")).hasRole("USER")
            .anyRequest().authenticated()
        );
    // ...
    return http.build();
}
```
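As an added illustration (not code from the migration note or from Spring), the following shows how the AntPathRequestMatcher used above evaluates requests the way a servlet container presents them for a servlet mapped at /my-servlet/*: the container splits the URI into servletPath and pathInfo, and the matcher tests their concatenation. The class name, the sample paths and the use of spring-test's MockHttpServletRequest are assumptions.

```java
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical check class; needs spring-security-web and spring-test on the classpath.
public class AntMatcherCheck {

    // Constructed request for a servlet mapped at /my-servlet/*: the container reports
    // servletPath "/my-servlet" and the remainder of the URI as pathInfo.
    static HttpServletRequest servletRequest(String pathInfo) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/my-servlet" + pathInfo);
        request.setServletPath("/my-servlet");
        request.setPathInfo(pathInfo);
        return request;
    }

    // AntPathRequestMatcher decides purely on the request path, so it never needs Spring MVC's
    // handler mappings; that is why it is the right matcher for a non-MVC servlet.
    static boolean matchesServletPath(String antPattern, String pathInfo) {
        RequestMatcher matcher = antMatcher(antPattern);
        return matcher.matches(servletRequest(pathInfo));
    }

    public static void main(String[] args) {
        // Same pattern as the fixed configuration: '*' covers a single path segment
        System.out.println(matchesServletPath("/my-servlet/*", "/report"));
        System.out.println(matchesServletPath("/my-servlet/*", "/report/2023"));
        // '**' covers any number of path segments below the servlet
        System.out.println(matchesServletPath("/my-servlet/**", "/report"));
        System.out.println(matchesServletPath("/my-servlet/**", "/report/2023"));
    }
}
```

In Ant syntax `*` matches within one path segment and `**` matches any number of segments, so check which of the two your servlet's URL space actually needs before copying the pattern from the example.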
For more details, see the repository offered by Spring: cve-2023-34035-mitigations