In Spring Boot 3.0.2, dispatcherServlet is not working when combined with filterChain function #34164

Closed
JoeWang1127 opened this issue Feb 10, 2023 · 4 comments
Labels
for: external-project For an external project and not something we can fix status: invalid An issue that we don't feel is valid

Comments

@JoeWang1127

I'm using spring-security in my project. After upgrading to Spring Boot 3.0.2, the dispatcherServlet does not seem to be working.

I've composed a simple project here.

In the main branch, the project is backed by Spring Boot 2.7.8 and it's working.

  • Run the application
  • Type curl localhost:8080 in the terminal and it returns No secrets here!.

In the spring-boot3 branch, the project is backed by Spring Boot 3.0.0 and it's not working.

  • Run the application
  • Type curl localhost:8080 in the terminal and nothing returns.

Note that apart from the dependency change, I only changed antMatchers to requestMatchers in here.

Additional reference on the spring-security's filterChain function.

@wilkinsona
Member

Thanks for the report.

The change in behavior is due to this change in Spring Security. As I understand it, the change was made so that the defaults are more secure as an accidental hole in your security configuration will now result in the request being denied. You can allow access to / by adding .requestMatchers("/").anonymous() to your security configuration.

Please follow up on spring-projects/spring-security#11958 if you have any further questions as they will be best addressed by the Spring Security team.
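
Added example (not part of the original thread and not code from the reporter's project): one way to give every path an explicit decision, assuming Spring Security 6.x as shipped with Spring Boot 3.x. The class name `ExampleSecurityConfig` and the use of HTTP Basic are assumptions; `/` and `/topsecret` are the paths mentioned in this thread.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class; the name and the HTTP Basic choice are assumptions.
@Configuration
@EnableWebSecurity
public class ExampleSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(requests -> requests
                // Explicit rule for the root path, as suggested in the reply above.
                // anonymous() admits only callers that are NOT authenticated;
                // use permitAll() instead if logged-in users must also reach "/".
                .requestMatchers("/").anonymous()
                // The protected path requires an authenticated caller.
                .requestMatchers("/topsecret").authenticated()
                // Rules are evaluated in order and the first match wins, so the
                // catch-all goes last. Stating it explicitly keeps the policy for
                // unlisted paths visible in code instead of relying on defaults.
                .anyRequest().denyAll())
            // Some authentication mechanism is needed for authenticated() to be
            // reachable; HTTP Basic is used here only to keep the example short.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```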

@wilkinsona closed this as not planned (won't fix, can't repro, duplicate, stale) on Feb 12, 2023
@wilkinsona added the labels status: invalid and for: external-project, and removed the label status: waiting-for-triage, on Feb 12, 2023

@JoeWang1127
Author

JoeWang1127 commented Feb 12, 2023

Thanks, the .requestMatchers("/").anonymous() works with GetMapping("/").

However, I have a follow-up question about why a secured path /topsecret is not working.
I created an issue in spring-secret. Thanks for your advice.

@salim16

salim16 commented Sep 19, 2023

It doesn't work for me. I am using Spring Boot 3.1.3.

    http.cors(cors -> cors.configurationSource(corsConfigurationSource()))
        .authorizeHttpRequests(
            requests ->
                requests
                    .requestMatchers(publicUrls.toArray(String[]::new))
                    .permitAll()
                    .requestMatchers(forPort(managementPort))
                    .permitAll()
                    .requestMatchers("/")
                    .anonymous()
                    .anyRequest()
                    .authenticated())

@wilkinsona
Member

@salim16 As described above, the functionality that you're asking about is part of Spring Security. If you believe you have found a bug, please open a Spring Security issue. If you're looking for some help, please ask on Stack Overflow.
