-
Notifications
You must be signed in to change notification settings - Fork 6.1k
Description
The PathPatternRequestMatcher has been introduced since spring security 6.5.
However the equals() method only takes into account the pattern, while extra criteria exists like method, servlet path.
Shouldn't the equals() and hashCode() be extended to use these extra fields as well ?
This equals() logic might give issues, a dummy example could be to use a websecurity customizer, and
ignore 2 entries e.g. path pattern(/foobar/, HEAD) and path pattern (/foobar/, PUT). Such config can lead to errors
like UnreachableFilterChainException due to duplicates (both have same pattern and http method is ignored).
With an adapted equals() method, these would be seen as different request matchers.
And hence no errors like UnreachableFilterchainException will be raised. Also see some
other implementations like the mvc request matcher that does take into account the method.
Activity
[-]PathPatternRequestMatcher: equals method only considers pattern instead of pattern, method, ...[/-][+]PathPatternRequestMatcher: equals() only considers pattern instead of pattern, method, ...[/+][-]PathPatternRequestMatcher: equals() only considers pattern instead of pattern, method, ...[/-][+]PathPatternRequestMatcher equals() only considers pattern instead of pattern, method, ...[/+]therepanic commentedon May 29, 2025
Don't you think it's enough to just take into account the additional
method
field? The way I see it, because ofPathPatternParser#parse
, we don't need to add theservletPath
field toequals & hashCode
additionally, onlypattern
(as it is now) andmethod
. @jzheaux wdyt? If that's the case, I would definitely like to work on it.bartvr commentedon May 29, 2025
Also think that adding the method would be sufficient, since as I understand it, currently the servlet path
is not really used since it is always linking to the any request matcher.
jzheaux commentedon Jun 10, 2025
Sure, @therepanic, a PR would be most welcome. Will you please base the PR off the
6.5.x
branch?[-]PathPatternRequestMatcher equals() only considers pattern instead of pattern, method, ...[/-][+]PathPatternRequestMatcher should check method for equals and hashCode[/+]therepanic commentedon Jun 10, 2025
Thanks, @jzheaux, no problem
fix equals and hashCode in `PathPatternRequestMatcher` to include HTT…
PathPatternRequestMatcher
to include HTTP method #17337Include HTTP Method in equals and hashCode
4 remaining items