Indeed, there is a flaw here, only the path is taken into account. This should be fixed. As I said, I'm not fluent in Scala. A pull request is welcome here. Thanks
I'm also not fluent in Scala. Does the Play-Pac4j integration have active maintainers? If not, I can close this issue (and we may look into rewriting the SecurityFilter in Java).
I'm the main maintainer and there are also occasional contributors. But unfortunately, I'm not fluent in Scala either.
Rewriting the filter in Java is a great idea (as filters can be used both in Java and Scala), it would ease its maintenance. Keep the issue open if you intend to do so.
Hello,
It's basically the same issue as here: https://groups.google.com/g/pac4j-users/c/vCZ9-YItIUg . When the security filter config for pac4j defines two rules that would match the same request, but uses "matchers" (e.g. HttpMethodMatcher, one POST, one GET) to define a more specific rule matching behavior, the current org.pac4j.play.filters.SecurityFilter ignores this in its "apply" method.
The logic in "findRule" only applies regex matching on the path and does not take any matchers into account. So the matchers are evaluated later, when the chosen endpoint is executed - but to my understanding of the docs they should also be relevant in choosing the right rule.
(see https://github.com/pac4j/play-pac4j/blob/master/shared/src/main/scala/org/pac4j/play/filters/SecurityFilter.scala , method "private def findRule(..)")
Thanks a lot,
Joachim
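A small illustration of the rule-selection gap described in this issue, added here and not taken from play-pac4j: the `Rule` record, the `RULES` list and both `findRule*` methods are hypothetical stand-ins for the real `SecurityRule` and `findRule`, reduced to a path regex plus an optional HTTP method matcher.

```java
import java.util.List;
import java.util.Optional;
import java.util.regex.Pattern;

// Hypothetical minimal rule model (not the play-pac4j SecurityRule class):
// a path regex, an optional HTTP method matcher, and the clients/authorizers
// the rule would enforce once selected.
record Rule(Pattern path, String method, String clients, String authorizers) {
    boolean pathMatches(String reqPath) { return path.matcher(reqPath).matches(); }
    boolean matcherMatches(String reqMethod) {
        return method == null || method.equalsIgnoreCase(reqMethod);
    }
}

public class RuleSelection {
    // Two rules for the same path, told apart only by an HTTP method matcher:
    // the configuration shape described in the issue (constructed sample).
    static final List<Rule> RULES = List.of(
        new Rule(Pattern.compile("/api/.*"), "POST", "FormClient", "admin"),
        new Rule(Pattern.compile("/api/.*"), "GET", "AnonymousClient", "isAnonymous"));

    // Path-only selection, as findRule is reported to behave: the first regex
    // hit wins and the request method is never consulted.
    static Optional<Rule> findRulePathOnly(String reqPath, String reqMethod) {
        return RULES.stream().filter(r -> r.pathMatches(reqPath)).findFirst();
    }

    // Selection that also checks the rule's matcher before committing to it.
    static Optional<Rule> findRuleWithMatchers(String reqPath, String reqMethod) {
        return RULES.stream()
            .filter(r -> r.pathMatches(reqPath) && r.matcherMatches(reqMethod))
            .findFirst();
    }

    public static void main(String[] args) {
        String path = "/api/reports";
        String method = "GET";
        // Path-only: the POST rule is chosen for a GET request; its method
        // matcher is only evaluated later, so the GET rule's clients and
        // authorizers are never considered for this request.
        System.out.println("path-only:     " + findRulePathOnly(path, method).get());
        // Matcher-aware: the GET rule is chosen, as the configuration intended.
        System.out.println("matcher-aware: " + findRuleWithMatchers(path, method).get());
    }
}
```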