Print ignore message DefaultSecurityFilterChain

When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
`ignoring()` settings.

Closes gh-9334

config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java

@@ -54,7 +54,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 
 	private ApplicationContext context;
 
-	private boolean anyRequestConfigured = false;
+	protected boolean anyRequestConfigured = false;
 
 	protected final void setApplicationContext(ApplicationContext context) {
 		this.context = context;
@@ -165,7 +165,8 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 		if (!this.context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
 			throw new NoSuchBeanDefinitionException("A Bean named " + HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME
 					+ " of type " + HandlerMappingIntrospector.class.getName()
-					+ " is required to use MvcRequestMatcher. Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
+					+ " is required to use MvcRequestMatcher."
+					+ " Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
 		}
 		HandlerMappingIntrospector introspector = this.context.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME,
 				HandlerMappingIntrospector.class);
@@ -265,7 +266,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 	 * @author Rob Winch
 	 * @since 3.2
 	 */
-	private static final class RequestMatchers {
+	public static final class RequestMatchers {
 
 		private RequestMatchers() {
 		}
@@ -278,7 +279,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 		 * from
 		 * @return a {@link List} of {@link AntPathRequestMatcher} instances
 		 */
-		static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
+		public static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
 			String method = (httpMethod != null) ? httpMethod.toString() : null;
 			List<RequestMatcher> matchers = new ArrayList<>();
 			for (String pattern : antPatterns) {
@@ -294,7 +295,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
 		 * from
 		 * @return a {@link List} of {@link AntPathRequestMatcher} instances
 		 */
-		static List<RequestMatcher> antMatchers(String... antPatterns) {
+		public static List<RequestMatcher> antMatchers(String... antPatterns) {
 			return antMatchers(null, antPatterns);
 		}
 

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -17,6 +17,7 @@
 package org.springframework.security.config.annotation.web.builders;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 
 import javax.servlet.Filter;
@@ -30,6 +31,7 @@ import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
+import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
@@ -60,6 +62,7 @@ import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.firewall.RequestRejectedHandler;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
+import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
 import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcherEntry;
@@ -108,7 +111,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 
 	private WebInvocationPrivilegeEvaluator privilegeEvaluator;
 
-	private DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
+	private final DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
 
 	private SecurityExpressionHandler<FilterInvocation> expressionHandler = this.defaultWebSecurityExpressionHandler;
 
@@ -420,6 +423,8 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 		@Override
 		public MvcMatchersIgnoredRequestConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
 			List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
+			Arrays.asList(mvcPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
+			mvcMatchers.stream().forEach((t) -> t.ignore());
 			WebSecurity.this.ignoredRequests.addAll(mvcMatchers);
 			return new MvcMatchersIgnoredRequestConfigurer(getApplicationContext(), mvcMatchers);
 		}
@@ -429,6 +434,38 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 			return mvcMatchers(null, mvcPatterns);
 		}
 
+		/**
+		 * @since 5.5
+		 */
+		@Override
+		public IgnoredRequestConfigurer antMatchers(HttpMethod method) {
+			return antMatchers(method, "/**");
+		}
+
+		/**
+		 * @since 5.5
+		 */
+		@Override
+		public IgnoredRequestConfigurer antMatchers(HttpMethod method, String... antPatterns) {
+			Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
+			List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(method, antPatterns);
+			Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
+			antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
+			return chainRequestMatchers(antMatchers);
+		}
+
+		/**
+		 * @since 5.5
+		 */
+		@Override
+		public IgnoredRequestConfigurer antMatchers(String... antPatterns) {
+			Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
+			List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(antPatterns);
+			Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(null, t));
+			antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
+			return chainRequestMatchers(RequestMatchers.antMatchers(antPatterns));
+		}
+
 		@Override
 		protected IgnoredRequestConfigurer chainRequestMatchers(List<RequestMatcher> requestMatchers) {
 			WebSecurity.this.ignoredRequests.addAll(requestMatchers);
@@ -442,6 +479,33 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 			return WebSecurity.this;
 		}
 
+		/**
+		 * @param method the HttpMethod, it could be null too.
+		 * @param pathPattern the path pattern to be ignored
+		 * @since 5.5
+		 */
+		private void printWarnSecurityMessage(HttpMethod method, String pathPattern) {
+			if (pathPattern.equals("/**")) {
+				WebSecurity.this.logger
+						.warn("**********************************************************************************");
+				if (method != null) {
+					WebSecurity.this.logger.warn(LogMessage.format(
+							"Applying explicit instruction to ignore the '/**' path for the HttpMethod: %s", method));
+					WebSecurity.this.logger.warn("You're disabling practically all the paths for that HttpMethod");
+					WebSecurity.this.logger
+							.warn("Therefore any path for that HttpMethod is completely ignored by Spring Security");
+				}
+				else {
+					WebSecurity.this.logger.warn("Applying explicit instruction to ignore the '/**' path");
+					WebSecurity.this.logger.warn("You're disabling practically all the paths");
+					WebSecurity.this.logger.warn("Therefore any path is completely ignored by Spring Security");
+				}
+				WebSecurity.this.logger.warn("It is not recomended for production");
+				WebSecurity.this.logger
+						.warn("**********************************************************************************");
+			}
+		}
+
 	}
 
 }

config/src/test/java/org/springframework/security/config/annotation/web/configuration/ignore/package-info.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Test package for path patterns that must be ignored by Spring Security and must be
+ * indicated/notified through the output, it thanks to the
+ * <code>DefaultSecurityFilterChain</code>'s constructor.
+ *
+ * <p>
+ * <b>NOTE:</b> be advised that to test if a path(s) was really ignored or not, by
+ * simplicity, is checking the output shown in the test report, it based with the pattern
+ * <code>"Will not secure /ABC"</code>, where <code>ABC</code> was defined through the
+ * <code>web.ignoring()</code> approach. Is very important edit the
+ * <code>logback-test.xml</code> file (of this module) to change
+ * <code>level="${sec.log.level:-WARN}"</code> to
+ * <code>level="${sec.log.level:-INFO}"</code>
+ *
+ * <p>
+ * In the handler methods do not return the view name (i.e:
+ * <code>return "something"</code>) based on the path value (i.e:
+ * <code>@GetMapping(path = "/something")</code>), otherwise the tests fail with:
+ *
+ * <pre class="code">
+ * javax.servlet.ServletException:
+ * Circular view path [something]:
+ * would dispatch back to the current handler URL [/something] again.
+ * Check your ViewResolver setup!
+ * (Hint: This may be the result of an unspecified view, due to default view name generation.)
+ * </pre>
+ *
+ * That's why the all handler methods are based with the
+ * <code>return "something/something"</code> pattern.
+ *
+ * @author Manuel Jordan
+ * @since 5.5
+ */
+package org.springframework.security.config.annotation.web.configuration.ignore;

web/src/main/java/org/springframework/security/web/DefaultSecurityFilterChain.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,6 +27,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import org.springframework.core.log.LogMessage;
+import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
 /**
@@ -48,7 +49,18 @@ public final class DefaultSecurityFilterChain implements SecurityFilterChain {
 	}
 
 	public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters) {
+		if (requestMatcher instanceof IgnoreRequestMatcher) {
+			IgnoreRequestMatcher ignoreRequestMatcher = (IgnoreRequestMatcher) requestMatcher;
+			if (ignoreRequestMatcher.isIgnore()) {
+				logger.info(LogMessage.format("Will not secure %s with %s", requestMatcher, filters));
+			}
+			else {
 				logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));
+			}
+		}
+		else {
+			logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));
+		}
 		this.requestMatcher = requestMatcher;
 		this.filters = new ArrayList<>(filters);
 	}

web/src/main/java/org/springframework/security/web/server/restriction/IgnoreRequestMatcher.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.restriction;
+
+/**
+ * Indicates if the path should be ignored or not by Spring Security.
+ *
+ * @author Manuel Jordan
+ * @since 5.5
+ */
+public interface IgnoreRequestMatcher {
+
+	/**
+	 * Establishes the path must be ignored.
+	 */
+	void ignore();
+
+	/**
+	 * If the path should be ignored or not.
+	 */
+	boolean isIgnore();
+
+}

web/src/main/java/org/springframework/security/web/servlet/util/matcher/MvcRequestMatcher.java

@@ -21,6 +21,7 @@ import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.http.HttpMethod;
+import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.util.matcher.RequestVariablesExtractor;
 import org.springframework.util.AntPathMatcher;
@@ -44,9 +45,10 @@ import org.springframework.web.util.UrlPathHelper;
  * @author Rob Winch
  * @author Eddú Meléndez
  * @author Evgeniy Cheban
+ * @author Manuel Jordan
  * @since 4.1.1
  */
-public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtractor {
+public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtractor, IgnoreRequestMatcher {
 
 	private final DefaultMatcher defaultMatcher = new DefaultMatcher();
 
@@ -58,9 +60,12 @@ public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtrac
 
 	private String servletPath;
 
+	private boolean ignore;
+
 	public MvcRequestMatcher(HandlerMappingIntrospector introspector, String pattern) {
 		this.introspector = introspector;
 		this.pattern = pattern;
+		this.ignore = false;
 	}
 
 	@Override
@@ -129,6 +134,16 @@ public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtrac
 		return this.servletPath;
 	}
 
+	@Override
+	public void ignore() {
+		this.ignore = true;
+	}
+
+	@Override
+	public boolean isIgnore() {
+		return this.ignore;
+	}
+
 	@Override
 	public String toString() {
 		StringBuilder sb = new StringBuilder();

web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java

@@ -22,6 +22,7 @@ import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.http.HttpMethod;
+import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
@@ -49,10 +50,11 @@ import org.springframework.web.util.UrlPathHelper;
  * @author Rob Winch
  * @author Eddú Meléndez
  * @author Evgeniy Cheban
+ * @author Manuel Jordan
  * @since 3.1
  * @see org.springframework.util.AntPathMatcher
  */
-public final class AntPathRequestMatcher implements RequestMatcher, RequestVariablesExtractor {
+public final class AntPathRequestMatcher implements RequestMatcher, RequestVariablesExtractor, IgnoreRequestMatcher {
 
 	private static final String MATCH_ALL = "/**";
 
@@ -66,6 +68,8 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
 
 	private final UrlPathHelper urlPathHelper;
 
+	private boolean ignore;
+
 	/**
 	 * Creates a matcher with the specific pattern which will match all HTTP methods in a
 	 * case sensitive manner.
@@ -131,6 +135,7 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
 		this.pattern = pattern;
 		this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null;
 		this.urlPathHelper = urlPathHelper;
+		this.ignore = false;
 	}
 
 	/**
@@ -170,6 +175,16 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
 		return MatchResult.match(this.matcher.extractUriTemplateVariables(url));
 	}
 
+	@Override
+	public void ignore() {
+		this.ignore = true;
+	}
+
+	@Override
+	public boolean isIgnore() {
+		return this.ignore;
+	}
+
 	private String getRequestPath(HttpServletRequest request) {
 		if (this.urlPathHelper != null) {
 			return this.urlPathHelper.getPathWithinApplication(request);