From 0e7566ede32b38c4ebff9b4e9fd38216954f7fc3 Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Mon, 17 Jun 2024 14:34:03 -0600
Subject: [PATCH] Adjust any-request check

Storing the request matcher outside of the for loop means that if one of the SecurityFilterChain instances is not of type DefaultSecurityFilterChain, then the error may print out an earlier request matcher instead of the current one. Instead, this commit changes to print out the entire filter chain so that it can be inside of the for loop, regardless of type.

Issue gh-15220
---
 .../config/annotation/web/builders/WebSecurity.java | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
index 4e65e35d34..684c5f8015 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
@@ -298,16 +298,14 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder securityFilterChainBuilder : this.securityFilterChainBuilders) { SecurityFilterChain securityFilterChain = securityFilterChainBuilder.build(); Assert.isTrue(!anyRequestConfigured, - "A filter chain that matches any request has already been configured, which means that this filter chain for [" - + matcher + "A filter chain that matches any request has already been configured, which means that this filter chain [" + + securityFilterChain + "] will never get invoked. Please use `HttpSecurity#securityMatcher` to ensure that there is only one filter chain configured for 'any request' and that the 'any request' filter chain is published last."); if (securityFilterChain instanceof DefaultSecurityFilterChain defaultSecurityFilterChain) { - matcher = defaultSecurityFilterChain.getRequestMatcher(); - if (matcher instanceof AnyRequestMatcher) { + if (defaultSecurityFilterChain.getRequestMatcher() instanceof AnyRequestMatcher) { anyRequestConfigured = true; } }
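Review bot: The shadowed-chain guard in the `for` loop still sets `anyRequestConfigured` only when the chain is a `DefaultSecurityFilterChain` whose matcher is an `AnyRequestMatcher`, so a custom `SecurityFilterChain` that matches everything, or a matcher that is merely equivalent to any-request, can still leave later chains unreachable without tripping the assertion. That limit is worth stating above the `instanceof` check, for example `// Best-effort: only a DefaultSecurityFilterChain with AnyRequestMatcher is detected; other catch-all chains can still shadow later ones`. Separately, the message is now built by calling `toString()` on every chain even when the assertion passes; the `Assert.isTrue(boolean, Supplier<String>)` overload would defer that, and for implementations that do not override `toString()` the output will presumably be only a class name and hash. The enclosing method begins and ends outside this hunk.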