Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect sample code in securityMatcher migration docs #12296

Closed
beckermarc opened this issue Nov 25, 2022 · 3 comments
Closed

Incorrect sample code in securityMatcher migration docs #12296

beckermarc opened this issue Nov 25, 2022 · 3 comments
Assignees
@marcusdacoregio
Labels
in: docs An issue in Documentation or samples type: bug A general bug
Milestone
5.8.1

Comments

@beckermarc
Copy link
Contributor

While updating our security configurations as part of the Spring Boot 3.0.0 upgrade, I noticed a mismatch between the upgrade documentation on the new securityMatcher methods. The last code sample in https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#use-new-security-matchers shows the following snippet:

import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .securityMatcher(antMatcher("/api/**"), antMatcher("/app/**"))
        .authorizeHttpRequests((authz) -> authz
            .requestMatchers(antMatcher("/api/admin/**")).hasRole("ADMIN")
            .anyRequest().authenticated()
        );
    return http.build();
}

However http.securityMatcher(antMatcher("/api/**"), antMatcher("/app/**")) is not possible at the moment. There is no public HttpSecurity securityMatcher(RequestMatcher... requestMatcher) method only a public HttpSecurity securityMatcher(RequestMatcher requestMatcher) method (no varargs) is available.

Can you please clarify in the docs how such a use case should be migrated? Thanks!
I now opted for the following variant, as I wanted to use the antMatcher explicitly: http.securityMatchers().requestMatchers(antMatcher("/api/**"), antMatcher("/app/**"))
@beckermarc beckermarc added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 25, 2022
@marcusdacoregio
Copy link
Contributor

marcusdacoregio commented Nov 25, 2022
edited
Loading

Hi @beckermarc, thanks for the report.

Indeed, there was an oversight in that snippet, the variant that you've opted for is right. Do you want to contribute with a PR to fix the docs?

@marcusdacoregio marcusdacoregio added in: docs An issue in Documentation or samples and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 25, 2022
@marcusdacoregio marcusdacoregio self-assigned this Nov 25, 2022
@marcusdacoregio marcusdacoregio added this to the 5.8.1 milestone Nov 25, 2022
@beckermarc
Copy link
Contributor Author

Sure, I'll open a PR.

@beckermarc beckermarc mentioned this issue Nov 25, 2022
Merged
@beckermarc
Copy link
Contributor Author

Docu fix is provided here #12301

beckermarc added a commit to beckermarc/spring-security that referenced this issue Nov 25, 2022
@beckermarc
Fix securityMatchers code sample
311d8a1 
Closes spring-projectsgh-12296
@marcusdacoregio marcusdacoregio mentioned this issue Nov 25, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marcusdacoregio marcusdacoregio

Labels
in: docs An issue in Documentation or samples type: bug A general bug
Projects
None yet
Milestone
5.8.1
Development

No branches or pull requests
2 participants
@marcusdacoregio @beckermarc