
Endpoint, Spring Security Configuration returning: The method cannot decide whether the patterns are Spring MVC or not


The SecurityFilterChain bean in SecurityConfiguration is returning this error. I haven't found anything about this method that solved it:

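    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
            return httpSecurity
                    .csrf(csrf -> csrf.disable())
                    .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                    .authorizeHttpRequests(authorize -> authorize
                            // String patterns: these calls throw the exception shown below
                            .requestMatchers(HttpMethod.POST, "/auth/login").permitAll()
                            .requestMatchers(HttpMethod.POST, "/auth/register").permitAll()
                            .requestMatchers(HttpMethod.POST, "/product").hasRole("ADMIN")
                            .anyRequest().authenticated()
                    )
                    .build();
        }
    }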

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'securityFilterChain' threw exception with message: This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).

Caused by: java.lang.IllegalArgumentException: This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).


Solution

  • The cause is described here: CVE-2023-34035

    Some discussion of this topic can also be found here: 13568

    As a workaround you can do something like this:

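    // Imports needed by this method:
    // import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
    // import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
        // Build explicit MvcRequestMatcher instances instead of passing String patterns
        MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
        http.authorizeHttpRequests((requests) -> requests
            .requestMatchers(mvcMatcherBuilder.pattern("/test1")).permitAll()
            .anyRequest().authenticated()
        );
        return http.build();
    }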

    UPDATE 24.10.2023

    About the fix and how to deal with this in the future, I suggest checking the following details (issuecomment-1759913041) from the Spring Security development team.
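The workaround above applied to the rules from the question, as an added example that is not part of the original answer or of Spring Security's own code. It also covers the other branch named in the error message: a non-MVC servlet matched with `AntPathRequestMatcher`. The `/legacy/**` path and its `denyAll()` rule are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
                                                   HandlerMappingIntrospector introspector) throws Exception {
        // Endpoints served by Spring MVC controllers: matched the same way
        // Spring MVC itself resolves the request path.
        MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector);

        return http
                .csrf(csrf -> csrf.disable())
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(authorize -> authorize
                        // The three rules from the question, now explicit MVC matchers
                        .requestMatchers(mvc.pattern(HttpMethod.POST, "/auth/login")).permitAll()
                        .requestMatchers(mvc.pattern(HttpMethod.POST, "/auth/register")).permitAll()
                        .requestMatchers(mvc.pattern(HttpMethod.POST, "/product")).hasRole("ADMIN")
                        // Hypothetical non-MVC servlet mapped under /legacy/** (assumption):
                        // matched as a plain Ant pattern, as the error message instructs.
                        .requestMatchers(AntPathRequestMatcher.antMatcher("/legacy/**")).denyAll()
                        // Everything not listed above still requires authentication
                        .anyRequest().authenticated()
                )
                .build();
    }
}
```

Stating the matcher type per rule removes the ambiguity the exception reports, so each authorization rule is evaluated against the servlet that actually serves the path.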