
Make it possible for Spring Security to align with Spring MVC without HandlerMappingIntrospector #31823

Closed
rstoyanchev opened this issue Dec 12, 2023 · 2 comments
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement

@rstoyanchev

This is already the case in WebFlux which can serve as an example. However, in WebFlux there is only one path matching mechanism (parsed PathPatterns), and no other built-in path matching options. By contrast, Spring MVC historically supports String path matching via PathMatcher as well, which comes with various path parsing options on UrlPathHelper. That's in addition to (now deprecated) other built-in path matching options such as suffix pattern matching.

For applications that use only parsed PathPatterns, and don't have any other built-in path matching options enabled, we should be able to do the same as in WebFlux, but we'll need to expose an easy way for Spring Security to determine if that's the case or not.

In addition, we'll need to expose some support for Spring Security to handle CORS preflight requests with awareness of fine-grained CORS config at the handler level. In WebFlux, DispatcherHandler is a PreFlightHandler and exposed as a bean, which allows Spring Security to find it and use it. We'll need something comparable in Spring MVC.

@rstoyanchev rstoyanchev added in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement labels Dec 12, 2023
@rstoyanchev rstoyanchev added this to the 6.2.x milestone Dec 12, 2023
@rstoyanchev rstoyanchev self-assigned this Dec 12, 2023
@rstoyanchev rstoyanchev modified the milestones: 6.2.x, 6.2.0-M2 Apr 23, 2024
rstoyanchev added a commit that referenced this issue Apr 23, 2024
This is the equivalent of the same contract for WebFlux. It is implemented
by HandlerMappingIntrospector, and may be called directly by Spring
Security to handle a pre-flight request without delegating to the rest
of the filter chain.

HandlerMappingIntrospector also has the boolean method
allHandlerMappingsUsePathPatternParser that checks whether all handler
mappings are configured to use parsed PathPatterns.

See gh-31823
@rstoyanchev

rstoyanchev commented Apr 23, 2024

@rwinch @jzheaux I've made a couple of changes.

First, HandlerMappingIntrospector has a boolean method called allHandlerMappingsUsePathPatternParser that checks if all handler mappings use PathPatternParser. That in turn means AntPathMatcher and UrlPathHelper, which come with a range of path parsing options, are not in use.

When this method returns true, it should be fine for Spring Security to just use PathPatternParser for request matching, just like what is done for WebFlux.

In order to handle pre-flight requests, there is now a PreFlightRequestHandler for use in Spring MVC like the one for WebFlux. HandlerMappingIntrospector implements it, and that allows Spring Security to handle pre-flight requests directly without delegating to the rest of the filter chain, like what is done for WebFlux.

I think this is a good time to have a look at changes on the Spring Security side to make use of this.
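The two hooks described in the comment above, used together in a servlet filter. This is an added example, not code from Spring Framework, Spring Security, or the issue author; the class name, the `/admin/**` pattern, and the role check are hypothetical, and the `handlePreFlight(request, response)` signature is assumed from the Spring Framework 6.2 API since the page does not show it.

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.cors.PreFlightRequestHandler;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
import org.springframework.web.util.ServletRequestPathUtils;
import org.springframework.web.util.pattern.PathPattern;
import org.springframework.web.util.pattern.PathPatternParser;

// Hypothetical filter showing how a security layer can stay aligned with Spring MVC.
public class MvcAlignedAdminFilter extends OncePerRequestFilter {

    private final HandlerMappingIntrospector introspector;
    private final PreFlightRequestHandler preFlightHandler;
    // Constructed sample pattern, parsed the same way Spring MVC parses its mappings.
    private final PathPattern protectedPattern = PathPatternParser.defaultInstance.parse("/admin/**");

    public MvcAlignedAdminFilter(HandlerMappingIntrospector introspector) {
        this.introspector = introspector;
        this.preFlightHandler = introspector; // the introspector implements the pre-flight contract
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        // Fail closed: if any handler mapping still uses AntPathMatcher/UrlPathHelper,
        // a plain PathPattern match could disagree with how MVC routes the request.
        if (!introspector.allHandlerMappingsUsePathPatternParser()) {
            throw new ServletException("Handler mappings do not all use PathPatternParser");
        }
        if (CorsUtils.isPreFlightRequest(request)) {
            try {
                // Applies handler-level CORS config without invoking the rest of the chain.
                preFlightHandler.handlePreFlight(request, response);
            } catch (Exception ex) {
                throw new ServletException(ex);
            }
            return;
        }
        var path = ServletRequestPathUtils.parseAndCache(request).pathWithinApplication();
        // isUserInRole stands in for the real authorization decision.
        if (protectedPattern.matches(path) && !request.isUserInRole("ADMIN")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }
}
```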

@rstoyanchev

I'm closing this as the API changes necessary for Spring Security to take advantage have been created. We'll create additional issues as needed.
