PathPatternRequestMatcher should check method for equals and hashCode #17180

@bartvr


The PathPatternRequestMatcher was introduced in Spring Security 6.5. However, the equals() method only takes into account the pattern, while extra criteria exist, like method and servlet path. Shouldn't equals() and hashCode() be extended to use these extra fields as well?

This equals() logic might cause issues. A dummy example could be to use a web security customizer and ignore 2 entries, e.g. path pattern (/foobar/, HEAD) and path pattern (/foobar/, PUT). Such a config can lead to errors like UnreachableFilterChainException due to duplicates (both have the same pattern and the HTTP method is ignored).

With an adapted equals() method, these would be seen as different request matchers, and hence no errors like UnreachableFilterChainException would be raised. Also see some other implementations, like the MVC request matcher, that do take the method into account.
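
Added example, not part of the original issue and not Spring Security's code: a plain-Java model of the behaviour reported above. `PathMatcher`, its `methodInEquals` switch and the `duplicates` check are hypothetical stand-ins, and the duplicate check is a simplified assumption about how equal matchers get flagged.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

public class MatcherEqualityDemo {
    // Hypothetical stand-in for a path-pattern request matcher (not Spring's class).
    static final class PathMatcher {
        final String method;          // null means "any method"
        final String pattern;
        final boolean methodInEquals; // false models the pattern-only equals() from the issue

        PathMatcher(String method, String pattern, boolean methodInEquals) {
            this.method = method;
            this.pattern = pattern;
            this.methodInEquals = methodInEquals;
        }

        boolean matches(String requestMethod, String path) {
            return (method == null || method.equals(requestMethod)) && pattern.equals(path);
        }

        @Override public boolean equals(Object o) {
            if (!(o instanceof PathMatcher)) return false;
            PathMatcher other = (PathMatcher) o;
            return pattern.equals(other.pattern)
                    && (!methodInEquals || Objects.equals(method, other.method));
        }

        // hashCode() must use the same fields as equals(), or hash-based lookups break.
        @Override public int hashCode() {
            return methodInEquals ? Objects.hash(pattern, method) : pattern.hashCode();
        }
    }

    // Simplified duplicate check: report any matcher equal to one registered earlier.
    static List<String> duplicates(List<PathMatcher> chains) {
        List<PathMatcher> seen = new ArrayList<>();
        List<String> dupes = new ArrayList<>();
        for (PathMatcher m : chains) {
            if (seen.contains(m)) dupes.add(m.method + " " + m.pattern);
            seen.add(m);
        }
        return dupes;
    }

    public static void main(String[] args) {
        for (boolean fixed : new boolean[] {false, true}) {
            List<PathMatcher> chains = List.of(new PathMatcher("HEAD", "/foobar/", fixed),
                    new PathMatcher("PUT", "/foobar/", fixed));
            // The HEAD matcher never accepts a PUT request, whatever equals() reports.
            System.out.println("methodInEquals=" + fixed + " headMatchesPut="
                    + chains.get(0).matches("PUT", "/foobar/") + " duplicates=" + duplicates(chains));
        }
    }
}
```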

Activity

changed the title [-]PathPatternRequestMatcher: equals method only considers pattern instead of pattern, method, ...[/-] [+]PathPatternRequestMatcher: equals() only considers pattern instead of pattern, method, ...[/+] on May 28, 2025
changed the title [-]PathPatternRequestMatcher: equals() only considers pattern instead of pattern, method, ...[/-] [+]PathPatternRequestMatcher equals() only considers pattern instead of pattern, method, ...[/+] on May 28, 2025
therepanic (Contributor) commented on May 29, 2025

Don't you think it's enough to just take into account the additional method field? The way I see it, because of PathPatternParser#parse, we don't need to add the servletPath field to equals & hashCode additionally, only pattern (as it is now) and method. @jzheaux wdyt? If that's the case, I would definitely like to work on it.

bartvr (Author) commented on May 29, 2025

I also think that adding the method would be sufficient, since as I understand it, currently the servlet path is not really used since it is always linking to the any request matcher.

jzheaux (Contributor) commented on Jun 10, 2025

Sure, @therepanic, a PR would be most welcome. Will you please base the PR off the 6.5.x branch?

added in: web (An issue in web modules (web, webmvc)) and removed on Jun 10, 2025
self-assigned this on Jun 10, 2025
changed the title [-]PathPatternRequestMatcher equals() only considers pattern instead of pattern, method, ...[/-] [+]PathPatternRequestMatcher should check method for equals and hashCode[/+] on Jun 10, 2025
therepanic (Contributor) commented on Jun 10, 2025

Thanks, @jzheaux, no problem

added a commit that references this issue on Jul 2, 2025
21ee0dc

Labels: in: web (An issue in web modules (web, webmvc)); status: duplicate (A duplicate of another issue); type: bug (A general bug)

Participants: @jzheaux, @bartvr, @therepanic
