SEC-2357: Move *RequestMatchers to .matchers package

config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherConfigurer.java

@@ -23,9 +23,9 @@ import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.SecurityBuilder;
 import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.AbstractRequestMatcherMappingConfigurer;
-import org.springframework.security.web.util.AntPathRequestMatcher;
-import org.springframework.security.web.util.AnyRequestMatcher;
-import org.springframework.security.web.util.RegexRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.RegexRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
 
 /**
@@ -41,12 +41,12 @@ import org.springframework.security.web.util.RequestMatcher;
  * @since 3.2
  */
 public abstract class AbstractRequestMatcherConfigurer<B extends SecurityBuilder<O>,C,O> extends SecurityConfigurerAdapter<O,B> {
-    private static final RequestMatcher ANY_REQUEST = new AnyRequestMatcher();
+    private static final RequestMatcher ANY_REQUEST = AnyRequestMatcher.INSTANCE;
     /**
      * Maps any request.
      *
      * @param method the {@link HttpMethod} to use or {@code null} for any {@link HttpMethod}.
-     * @param antPatterns the ant patterns to create {@link org.springframework.security.web.util.AntPathRequestMatcher}
+     * @param antPatterns the ant patterns to create {@link org.springframework.security.web.util.matchers.AntPathRequestMatcher}
      *                    from
      *
      * @return the object that is chained after creating the {@link RequestMatcher}
@@ -56,10 +56,10 @@ public abstract class AbstractRequestMatcherConfigurer<B extends SecurityBuilder
     }
 
     /**
-     * Maps a {@link List} of {@link org.springframework.security.web.util.AntPathRequestMatcher} instances.
+     * Maps a {@link List} of {@link org.springframework.security.web.util.matchers.AntPathRequestMatcher} instances.
      *
      * @param method the {@link HttpMethod} to use or {@code null} for any {@link HttpMethod}.
-     * @param antPatterns the ant patterns to create {@link org.springframework.security.web.util.AntPathRequestMatcher}
+     * @param antPatterns the ant patterns to create {@link org.springframework.security.web.util.matchers.AntPathRequestMatcher}
      *                    from
      *
      * @return the object that is chained after creating the {@link RequestMatcher}
@@ -69,10 +69,10 @@ public abstract class AbstractRequestMatcherConfigurer<B extends SecurityBuilder
     }
 
     /**
-     * Maps a {@link List} of {@link org.springframework.security.web.util.AntPathRequestMatcher} instances that do
+     * Maps a {@link List} of {@link org.springframework.security.web.util.matchers.AntPathRequestMatcher} instances that do
      * not care which {@link HttpMethod} is used.
      *
-     * @param antPatterns the ant patterns to create {@link org.springframework.security.web.util.AntPathRequestMatcher}
+     * @param antPatterns the ant patterns to create {@link org.springframework.security.web.util.matchers.AntPathRequestMatcher}
      *                    from
      *
      * @return the object that is chained after creating the {@link RequestMatcher}
@@ -82,11 +82,11 @@ public abstract class AbstractRequestMatcherConfigurer<B extends SecurityBuilder
     }
 
     /**
-     * Maps a {@link List} of {@link org.springframework.security.web.util.RegexRequestMatcher} instances.
+     * Maps a {@link List} of {@link org.springframework.security.web.util.matchers.RegexRequestMatcher} instances.
      *
      * @param method the {@link HttpMethod} to use or {@code null} for any {@link HttpMethod}.
      * @param regexPatterns the regular expressions to create
-     *                      {@link org.springframework.security.web.util.RegexRequestMatcher} from
+     *                      {@link org.springframework.security.web.util.matchers.RegexRequestMatcher} from
      *
      * @return the object that is chained after creating the {@link RequestMatcher}
      */
@@ -96,11 +96,11 @@ public abstract class AbstractRequestMatcherConfigurer<B extends SecurityBuilder
     }
 
     /**
-     * Create a {@link List} of {@link org.springframework.security.web.util.RegexRequestMatcher} instances that do not
+     * Create a {@link List} of {@link org.springframework.security.web.util.matchers.RegexRequestMatcher} instances that do not
      * specify an {@link HttpMethod}.
      *
      * @param regexPatterns the regular expressions to create
-     *                      {@link org.springframework.security.web.util.RegexRequestMatcher} from
+     *                      {@link org.springframework.security.web.util.matchers.RegexRequestMatcher} from
      *
      * @return the object that is chained after creating the {@link RequestMatcher}
      */

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -63,11 +63,11 @@ import org.springframework.security.web.PortMapper;
 import org.springframework.security.web.PortMapperImpl;
 import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
 import org.springframework.security.web.session.HttpSessionEventPublisher;
-import org.springframework.security.web.util.AntPathRequestMatcher;
-import org.springframework.security.web.util.AnyRequestMatcher;
-import org.springframework.security.web.util.OrRequestMatcher;
-import org.springframework.security.web.util.RegexRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.RegexRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
+import org.springframework.security.web.util.matchers.OrRequestMatcher;
 import org.springframework.util.Assert;
 
 /**
@@ -115,7 +115,7 @@ import org.springframework.util.Assert;
 public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain,HttpSecurity> implements SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity> {
     private final RequestMatcherConfigurer requestMatcherConfigurer = new RequestMatcherConfigurer();
     private List<Filter> filters =  new ArrayList<Filter>();
-    private RequestMatcher requestMatcher = new AnyRequestMatcher();
+    private RequestMatcher requestMatcher = AnyRequestMatcher.INSTANCE;
     private FilterComparator comparitor = new FilterComparator();
 
     /**

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractAuthenticationFilterConfigurer.java

@@ -36,8 +36,8 @@ import org.springframework.security.web.authentication.SavedRequestAwareAuthenti
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
-import org.springframework.security.web.util.MediaTypeRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
+import org.springframework.security.web.util.matchers.MediaTypeRequestMatcher;
 import org.springframework.web.accept.ContentNegotiationStrategy;
 import org.springframework.web.accept.HeaderContentNegotiationStrategy;
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java

@@ -23,7 +23,7 @@ import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageViewFilter;
-import org.springframework.security.web.util.AntPathRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
 
 /**

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java

@@ -35,9 +35,9 @@ import org.springframework.security.web.authentication.DelegatingAuthenticationE
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.util.MediaTypeRequestMatcher;
-import org.springframework.security.web.util.RequestHeaderRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
+import org.springframework.security.web.util.matchers.MediaTypeRequestMatcher;
+import org.springframework.security.web.util.matchers.RequestHeaderRequestMatcher;
 import org.springframework.web.accept.ContentNegotiationStrategy;
 import org.springframework.web.accept.HeaderContentNegotiationStrategy;
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java

@@ -30,7 +30,7 @@ import org.springframework.security.web.authentication.logout.LogoutSuccessHandl
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageViewFilter;
-import org.springframework.security.web.util.AntPathRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
 
 /**

config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java

@@ -23,12 +23,12 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
-import org.springframework.security.web.util.AndRequestMatcher;
-import org.springframework.security.web.util.AntPathRequestMatcher;
-import org.springframework.security.web.util.MediaTypeRequestMatcher;
-import org.springframework.security.web.util.NegatedRequestMatcher;
-import org.springframework.security.web.util.RequestHeaderRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
+import org.springframework.security.web.util.matchers.AndRequestMatcher;
+import org.springframework.security.web.util.matchers.MediaTypeRequestMatcher;
+import org.springframework.security.web.util.matchers.NegatedRequestMatcher;
+import org.springframework.security.web.util.matchers.RequestHeaderRequestMatcher;
 import org.springframework.web.accept.ContentNegotiationStrategy;
 import org.springframework.web.accept.HeaderContentNegotiationStrategy;
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/openid/OpenIDLoginConfigurer.java

@@ -50,7 +50,7 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
 import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageViewFilter;
-import org.springframework.security.web.util.AntPathRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
 
 /**

config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java

@@ -25,7 +25,8 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
 import org.springframework.security.web.session.SessionManagementFilter;
-import org.springframework.security.web.util.AnyRequestMatcher;
+import org.springframework.security.web.util.RequestMatcher;
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
 
 public class DefaultFilterChainValidator implements FilterChainProxy.FilterChainValidator {
     private final Log logger = LogFactory.getLog(getClass());
@@ -45,7 +46,8 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
         Iterator<SecurityFilterChain> chains = filterChains.iterator();
 
         while (chains.hasNext()) {
-            if (((DefaultSecurityFilterChain)chains.next()).getRequestMatcher() instanceof AnyRequestMatcher && chains.hasNext()) {
+            RequestMatcher matcher = ((DefaultSecurityFilterChain)chains.next()).getRequestMatcher();
+            if (AnyRequestMatcher.INSTANCE.equals(matcher) && chains.hasNext()) {
                 throw new IllegalArgumentException("A universal match pattern ('/**') is defined " +
                         " before other patterns in the filter chain, causing them to be ignored. Please check the " +
                         "ordering in your <security:http> namespace or FilterChainProxy bean configuration");

config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -70,7 +70,7 @@ import org.springframework.security.web.servletapi.SecurityContextHolderAwareReq
 import org.springframework.security.web.session.ConcurrentSessionFilter;
 import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;
-import org.springframework.security.web.util.AntPathRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
 import org.springframework.util.ClassUtils;
 import org.springframework.util.ReflectionUtils;
 import org.springframework.util.StringUtils;

config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java

@@ -40,7 +40,7 @@ import org.springframework.security.config.authentication.AuthenticationManagerF
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.PortResolverImpl;
-import org.springframework.security.web.util.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
 import org.w3c.dom.Element;

config/src/main/java/org/springframework/security/config/http/MatcherType.java

@@ -5,9 +5,9 @@ import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
 import org.springframework.beans.factory.support.RootBeanDefinition;
-import org.springframework.security.web.util.AntPathRequestMatcher;
-import org.springframework.security.web.util.AnyRequestMatcher;
-import org.springframework.security.web.util.RegexRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.RegexRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
 import org.springframework.util.StringUtils;
 import org.w3c.dom.Element;

config/src/test/groovy/org/springframework/security/config/annotation/web/RequestMatchersTests.groovy

@@ -18,8 +18,8 @@ package org.springframework.security.config.annotation.web;
 import static org.springframework.security.config.annotation.web.AbstractRequestMatcherConfigurer.RequestMatchers.*
 
 import org.springframework.http.HttpMethod;
-import org.springframework.security.web.util.AntPathRequestMatcher;
-import org.springframework.security.web.util.RegexRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
+import org.springframework.security.web.util.matchers.RegexRequestMatcher;
 
 import spock.lang.Specification;
 

config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy

@@ -50,7 +50,7 @@ import org.springframework.security.web.savedrequest.NullRequestCache
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
 import org.springframework.security.web.session.SessionManagementFilter
-import org.springframework.security.web.util.RegexRequestMatcher
+import org.springframework.security.web.util.matchers.RegexRequestMatcher
 import org.springframework.security.web.util.RequestMatcher
 
 /**

config/src/test/groovy/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.groovy

@@ -40,7 +40,7 @@ import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
 import org.springframework.security.web.access.expression.WebSecurityExpressionHandler;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
-import org.springframework.security.web.util.AnyRequestMatcher
+import org.springframework.security.web.util.matchers.AnyRequestMatcher
 import org.springframework.test.util.ReflectionTestUtils;
 
 /**

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/AbstractRequestMatcherMappingConfigurerTests.groovy

@@ -23,8 +23,8 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractRequestMatcherMappingConfigurer;
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
-import org.springframework.security.web.util.AntPathRequestMatcher;
-import org.springframework.security.web.util.RegexRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
+import org.springframework.security.web.util.matchers.RegexRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
 
 import spock.lang.Specification;

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.groovy

@@ -43,7 +43,7 @@ import org.springframework.security.web.header.HeaderWriterFilter
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
 import org.springframework.security.web.session.SessionManagementFilter
-import org.springframework.security.web.util.AnyRequestMatcher
+import org.springframework.security.web.util.matchers.AnyRequestMatcher
 
 /**
  *

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.groovy

@@ -46,7 +46,7 @@ import org.springframework.security.web.header.HeaderWriterFilter
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
 import org.springframework.security.web.session.SessionManagementFilter
-import org.springframework.security.web.util.AnyRequestMatcher
+import org.springframework.security.web.util.matchers.AnyRequestMatcher
 import org.springframework.test.util.ReflectionTestUtils
 
 import spock.lang.Unroll

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceDebugTests.groovy

@@ -51,8 +51,8 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
-import org.springframework.security.web.util.AntPathRequestMatcher
-import org.springframework.security.web.util.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher
 
 import spock.lang.Ignore;

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpCustomFilterTests.groovy

@@ -52,8 +52,8 @@ import org.springframework.security.web.context.NullSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
-import org.springframework.security.web.util.AntPathRequestMatcher
-import org.springframework.security.web.util.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher
 
 import spock.lang.Ignore;

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.groovy

@@ -27,7 +27,7 @@ import org.springframework.security.web.header.writers.XXssProtectionHeaderWrite
 import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy
 import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter
 import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode
-import org.springframework.security.web.util.AnyRequestMatcher
+import org.springframework.security.web.util.matchers.AnyRequestMatcher
 
 /**
  * Tests to verify that all the functionality of <headers> attributes is present
@@ -121,7 +121,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
                 .headers()
                     // hsts@request-matcher-ref, hsts@max-age-seconds, hsts@include-subdomains
                     // Additional Constructors are provided to leverage default values
-                    .addHeaderWriter(new HstsHeaderWriter(new AnyRequestMatcher(), 15768000, false))
+                    .addHeaderWriter(new HstsHeaderWriter(AnyRequestMatcher.INSTANCE, 15768000, false))
         }
     }
 

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpJeeTests.groovy

@@ -67,8 +67,8 @@ import org.springframework.security.web.context.NullSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
-import org.springframework.security.web.util.AntPathRequestMatcher
-import org.springframework.security.web.util.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher
 import org.springframework.test.util.ReflectionTestUtils;
 

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpLogoutTests.groovy

@@ -60,8 +60,8 @@ import org.springframework.security.web.context.NullSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
-import org.springframework.security.web.util.AntPathRequestMatcher
-import org.springframework.security.web.util.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher
 
 /**

config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy

@@ -20,7 +20,7 @@ import org.springframework.mock.web.MockHttpServletResponse
 import org.springframework.security.web.FilterChainProxy
 import org.springframework.security.web.header.HeaderWriterFilter
 import org.springframework.security.web.header.writers.StaticHeadersWriter
-import org.springframework.security.web.util.AnyRequestMatcher
+import org.springframework.security.web.util.matchers.AnyRequestMatcher
 
 /**
  *

config/src/test/groovy/org/springframework/security/config/http/InterceptUrlConfigTests.groovy

@@ -70,7 +70,7 @@ import org.springframework.security.access.vote.AffirmativeBased
 import org.springframework.security.access.PermissionEvaluator
 import org.springframework.security.core.Authentication
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler
-import org.springframework.security.web.util.AntPathRequestMatcher
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher
 import org.springframework.security.authentication.AuthenticationManager
 
 

config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy

@@ -71,7 +71,7 @@ import org.springframework.security.access.vote.AffirmativeBased
 import org.springframework.security.access.PermissionEvaluator
 import org.springframework.security.core.Authentication
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler
-import org.springframework.security.web.util.AntPathRequestMatcher
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher
 import org.springframework.security.authentication.AuthenticationManager
 
 

config/src/test/java/org/springframework/security/config/FilterChainProxyConfigTests.java

@@ -39,8 +39,8 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
-import org.springframework.security.web.util.AntPathRequestMatcher;
-import org.springframework.security.web.util.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
 
 /**

config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java

@@ -38,7 +38,7 @@ import org.springframework.security.web.access.intercept.FilterInvocationSecurit
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
-import org.springframework.security.web.util.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
 
 /**
  *
@@ -65,7 +65,7 @@ public class DefaultFilterChainValidatorTests {
         fsi.setSecurityMetadataSource(metadataSource);
         AuthenticationEntryPoint authenticationEntryPoint = new LoginUrlAuthenticationEntryPoint("/login");
         ExceptionTranslationFilter etf = new ExceptionTranslationFilter(authenticationEntryPoint);
-        DefaultSecurityFilterChain securityChain = new DefaultSecurityFilterChain(new AnyRequestMatcher(), aaf, etf, fsi);
+        DefaultSecurityFilterChain securityChain = new DefaultSecurityFilterChain(AnyRequestMatcher.INSTANCE, aaf, etf, fsi);
         fcp = new FilterChainProxy(securityChain);
         validator = new DefaultFilterChainValidator();
         Whitebox.setInternalState(validator, "logger", logger);

config/src/test/resources/org/springframework/security/util/filtertest-valid.xml

@@ -45,9 +45,9 @@
         </sec:authentication-provider>
     </sec:authentication-manager>
 
-    <bean id="mockNotAFilter" class="org.springframework.security.web.util.AnyRequestMatcher"/>
+    <bean id="mockNotAFilter" class="org.springframework.security.web.util.matchers.AnyRequestMatcher"/>
 
-    <bean id="fooMatcher" class="org.springframework.security.web.util.AntPathRequestMatcher">
+    <bean id="fooMatcher" class="org.springframework.security.web.util.matchers.AntPathRequestMatcher">
         <constructor-arg value="/foo/**"/>
     </bean>
 
@@ -137,7 +137,7 @@
                 </bean>
                 <bean class="org.springframework.security.web.DefaultSecurityFilterChain">
                     <constructor-arg>
-                        <bean class="org.springframework.security.web.util.AntPathRequestMatcher">
+                        <bean class="org.springframework.security.web.util.matchers.AntPathRequestMatcher">
                             <constructor-arg value="/some/other/path/**"/>
                         </bean>
                     </constructor-arg>
@@ -151,7 +151,7 @@
                 </bean>
                 <bean class="org.springframework.security.web.DefaultSecurityFilterChain">
                     <constructor-arg>
-                        <bean class="org.springframework.security.web.util.AntPathRequestMatcher">
+                        <bean class="org.springframework.security.web.util.matchers.AntPathRequestMatcher">
                             <constructor-arg value="/do/not/filter*"/>
                         </bean>
                     </constructor-arg>
@@ -161,7 +161,7 @@
                 </bean>
                 <bean class="org.springframework.security.web.DefaultSecurityFilterChain">
                     <constructor-arg>
-                        <bean class="org.springframework.security.web.util.AntPathRequestMatcher">
+                        <bean class="org.springframework.security.web.util.matchers.AntPathRequestMatcher">
                             <constructor-arg value="/**"/>
                         </bean>
                     </constructor-arg>

docs/manual/src/asciidoctor/index.adoc

@@ -1034,7 +1034,7 @@ We recommend you start with the tutorial sample, as the XML is minimal and easy
 ==== Contacts
 The Contacts Sample is an advanced example in that it illustrates the more powerful features of domain object access control lists (ACLs) in addition to basic application security. The application provides an interface with which the users are able to administer a simple database of contacts (the domain objects).
 
-To deploy, simply copy the WAR file from Spring Security distribution into your container’s `webapps` directory. The war should be called `spring-security-samples-contacts-3.1.x.war` (the appended version number will vary depending on what release you are using).
+To deploy, simply copy the WAR file from Spring Security distribution into your container<EFBFBD><EFBFBD><EFBFBD>s `webapps` directory. The war should be called `spring-security-samples-contacts-3.1.x.war` (the appended version number will vary depending on what release you are using).
 
 After starting your container, check the application can load. Visit http://localhost:8080/contacts (or whichever URL is appropriate for your web container and the WAR you deployed).
 
@@ -1424,7 +1424,7 @@ Following the secure object invocation proceeding and then returning - which may
 `AbstractSecurityInterceptor` and its related objects are shown in <<abstract-security-interceptor>>
 
 [[abstract-security-interceptor]]
-.Security interceptors and the “secure object” model
+.Security interceptors and the <EFBFBD><EFBFBD><EFBFBD>secure object<63><74><EFBFBD> model
 image::images/security-interception.png[Abstract Security Interceptor]
 
 ====== Extending the Secure Object Model
@@ -2509,7 +2509,7 @@ $(function () {
 });
 ----
 
-As a alternative to jQuery, we recommend using http://cujojs.com/[cujoJS’s] rest.js. https://github.com/cujojs/rest[rest.js] provides advanced support for working with HTTP request and responses in RESTful ways. A core capability is the ability to contextualize the HTTP client adding behavior as needed by chaining interceptors on to the client.
+As a alternative to jQuery, we recommend using http://cujojs.com/[cujoJS<EFBFBD><EFBFBD><EFBFBD>s] rest.js. https://github.com/cujojs/rest[rest.js] provides advanced support for working with HTTP request and responses in RESTful ways. A core capability is the ability to contextualize the HTTP client adding behavior as needed by chaining interceptors on to the client.
 
 [source,javascript]
 ----
@@ -3086,7 +3086,7 @@ At times you may want to only write a header for certain requests. For example,
 <beans:bean id="headerWriter"
     class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
     <beans:constructor-arg>
-        <bean class="org.springframework.security.web.util.AntPathRequestMatcher"
+        <bean class="org.springframework.security.web.util.matchers.AntPathRequestMatcher"
             c:pattern="/login"/>
     </beans:constructor-arg>
     <beans:constructor-arg>
@@ -3757,11 +3757,11 @@ Any Spring-EL functionality is available within the expression, so you can also
 public void doSomething(Contact contact);
 ----
 
-Here we are accessing another built–in expression, `authentication`, which is the `Authentication` stored in the security context. You can also access its "principal" property directly, using the expression `principal`. The value will often be a `UserDetails` instance, so you might use an expression like `principal.username` or `principal.enabled`.
+Here we are accessing another built<EFBFBD><EFBFBD><EFBFBD>in expression, `authentication`, which is the `Authentication` stored in the security context. You can also access its "principal" property directly, using the expression `principal`. The value will often be a `UserDetails` instance, so you might use an expression like `principal.username` or `principal.enabled`.
 
 [[el-pre-post-annotations-post]]
 * **Accessing the return value**
-Less commonly, you may wish to perform an access-control check after the method has been invoked. This can be achieved using the `@PostAuthorize` annotation. To access the return value from a method, use the built–in name `returnObject` in the expression.
+Less commonly, you may wish to perform an access-control check after the method has been invoked. This can be achieved using the `@PostAuthorize` annotation. To access the return value from a method, use the built<EFBFBD><EFBFBD><EFBFBD>in name `returnObject` in the expression.
 
 
 ====== Filtering using
@@ -4369,14 +4369,14 @@ In a Spring Security deployment, Spring Security is responsible for this user in
 
 Therefore, the JAAS package for Spring Security provides two default callback handlers, `JaasNameCallbackHandler` and `JaasPasswordCallbackHandler`. Each of these callback handlers implement `JaasAuthenticationCallbackHandler`. In most cases these callback handlers can simply be used without understanding the internal mechanics.
 
-For those needing full control over the callback behavior, internally `AbstractJaasAuthenticationProvider` wraps these `JaasAuthenticationCallbackHandler` s with an `InternalCallbackHandler`. The `InternalCallbackHandler` is the class that actually implements JAAS’ normal `CallbackHandler` interface. Any time that the JAAS `LoginModule` is used, it is passed a list of application context configured `InternalCallbackHandler` s. If the `LoginModule` requests a callback against the `InternalCallbackHandler` s, the callback is in-turn passed to the `JaasAuthenticationCallbackHandler` s being wrapped.
+For those needing full control over the callback behavior, internally `AbstractJaasAuthenticationProvider` wraps these `JaasAuthenticationCallbackHandler` s with an `InternalCallbackHandler`. The `InternalCallbackHandler` is the class that actually implements JAAS<EFBFBD><EFBFBD><EFBFBD> normal `CallbackHandler` interface. Any time that the JAAS `LoginModule` is used, it is passed a list of application context configured `InternalCallbackHandler` s. If the `LoginModule` requests a callback against the `InternalCallbackHandler` s, the callback is in-turn passed to the `JaasAuthenticationCallbackHandler` s being wrapped.
 
 
 [[jaas-authoritygranter]]
 ===== JAAS AuthorityGranter
 JAAS works with principals. Even "roles" are represented as principals in JAAS. Spring Security, on the other hand, works with `Authentication` objects. Each `Authentication` object contains a single principal, and multiple `GrantedAuthority` s. To facilitate mapping between these different concepts, Spring Security's JAAS package includes an `AuthorityGranter` interface.
 
-An `AuthorityGranter` is responsible for inspecting a JAAS principal and returning a set of `String` s, representing the authorities assigned to the principal. For each returned authority string, the `AbstractJaasAuthenticationProvider` creates a `JaasGrantedAuthority` (which implements Spring Security’s `GrantedAuthority` interface) containing the authority string and the JAAS principal that the `AuthorityGranter` was passed. The `AbstractJaasAuthenticationProvider` obtains the JAAS principals by firstly successfully authenticating the user’s credentials using the JAAS `LoginModule`, and then accessing the `LoginContext` it returns. A call to `LoginContext.getSubject().getPrincipals()` is made, with each resulting principal passed to each `AuthorityGranter` defined against the `AbstractJaasAuthenticationProvider.setAuthorityGranters(List)` property.
+An `AuthorityGranter` is responsible for inspecting a JAAS principal and returning a set of `String` s, representing the authorities assigned to the principal. For each returned authority string, the `AbstractJaasAuthenticationProvider` creates a `JaasGrantedAuthority` (which implements Spring Security<EFBFBD><EFBFBD><EFBFBD>s `GrantedAuthority` interface) containing the authority string and the JAAS principal that the `AuthorityGranter` was passed. The `AbstractJaasAuthenticationProvider` obtains the JAAS principals by firstly successfully authenticating the user<EFBFBD><EFBFBD><EFBFBD>s credentials using the JAAS `LoginModule`, and then accessing the `LoginContext` it returns. A call to `LoginContext.getSubject().getPrincipals()` is made, with each resulting principal passed to each `AuthorityGranter` defined against the `AbstractJaasAuthenticationProvider.setAuthorityGranters(List)` property.
 
 Spring Security does not include any production `AuthorityGranter` s given that every JAAS principal has an implementation-specific meaning. However, there is a `TestAuthorityGranter` in the unit tests that demonstrates a simple `AuthorityGranter` implementation.
 
@@ -4445,7 +4445,7 @@ An example configuration of `DefaultJaasAuthenticationProvider` using `InMemoryC
 ==== JaasAuthenticationProvider
 The `JaasAuthenticationProvider` assumes the default `Configuration` is an instance of http://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/login/ConfigFile.html[ ConfigFile]. This assumption is made in order to attempt to update the `Configuration`. The `JaasAuthenticationProvider` then uses the default `Configuration` to create the `LoginContext`.
 
-Let’s assume we have a JAAS login configuration file, `/WEB-INF/login.conf`, with the following contents:
+Let<EFBFBD><EFBFBD><EFBFBD>s assume we have a JAAS login configuration file, `/WEB-INF/login.conf`, with the following contents:
 
 [source,txt]
 ----
@@ -5509,7 +5509,7 @@ Specify the name of the request parameter to use when using regexp or whitelist
 
 [[nsa-xss-protection]]
 ===== <xss-protection>
-Adds the http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx[X-XSS-Protection header] to the response to assist in protecting against http://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / “Type-1” Cross-Site Scripting (XSS)] attacks. This is in no-way a full protection to XSS attacks!
+Adds the http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx[X-XSS-Protection header] to the response to assist in protecting against http://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / <EFBFBD><EFBFBD><EFBFBD>Type-1<><31><EFBFBD> Cross-Site Scripting (XSS)] attacks. This is in no-way a full protection to XSS attacks!
 
 
 [[nsa-xss-protection-attributes]]
@@ -5518,7 +5518,7 @@ Adds the http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-
 
 [[nsa-xss-protection-enabled]]
 * **xss-protection-enabled**
-Enable or Disable http://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / “Type-1” Cross-Site Scripting (XSS)] protection.
+Enable or Disable http://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / <EFBFBD><EFBFBD><EFBFBD>Type-1<><31><EFBFBD> Cross-Site Scripting (XSS)] protection.
 
 
 [[nsa-xss-protection-block]]

web/src/main/java/org/springframework/security/web/access/expression/WebSecurityExpressionRoot.java

@@ -5,7 +5,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.springframework.security.access.expression.SecurityExpressionRoot;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.FilterInvocation;
-import org.springframework.security.web.util.IpAddressMatcher;
+import org.springframework.security.web.util.matchers.IpAddressMatcher;
 
 /**
  *

web/src/main/java/org/springframework/security/web/authentication/DelegatingAuthenticationEntryPoint.java

@@ -27,7 +27,7 @@ import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.util.ELRequestMatcher;
+import org.springframework.security.web.util.matchers.ELRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
 import org.springframework.security.web.util.RequestMatcherEditor;
 import org.springframework.util.Assert;

web/src/main/java/org/springframework/security/web/savedrequest/HttpSessionRequestCache.java

@@ -8,7 +8,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.web.PortResolver;
 import org.springframework.security.web.PortResolverImpl;
-import org.springframework.security.web.util.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
 
 /**
@@ -25,7 +25,7 @@ public class HttpSessionRequestCache implements RequestCache {
 
     private PortResolver portResolver = new PortResolverImpl();
     private boolean createSessionAllowed = true;
-    private RequestMatcher requestMatcher = new AnyRequestMatcher();
+    private RequestMatcher requestMatcher = AnyRequestMatcher.INSTANCE;
 
     /**
      * Stores the current request, provided the configuration properties allow it.

web/src/main/java/org/springframework/security/web/util/AntPathRequestMatcher.java

@@ -14,12 +14,7 @@ package org.springframework.security.web.util;
 
 import javax.servlet.http.HttpServletRequest;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.http.HttpMethod;
 import org.springframework.util.AntPathMatcher;
-import org.springframework.util.Assert;
-import org.springframework.util.StringUtils;
 
 /**
  * Matcher which compares a pre-defined ant-style pattern against the URL
@@ -40,17 +35,11 @@ import org.springframework.util.StringUtils;
  * @author Luke Taylor
  * @author Rob Winch
  * @since 3.1
- *
+ * @deprecated use {@link org.springframework.security.web.util.matchers.AntPathRequestMatcher}
  * @see org.springframework.util.AntPathMatcher
  */
 public final class AntPathRequestMatcher implements RequestMatcher {
-    private static final Log logger = LogFactory.getLog(AntPathRequestMatcher.class);
-    private static final String MATCH_ALL = "/**";
-
-    private final Matcher matcher;
-    private final String pattern;
-    private final HttpMethod httpMethod;
-    private final boolean caseSensitive;
+    private final org.springframework.security.web.util.matchers.AntPathRequestMatcher delegate;
 
     /**
      * Creates a matcher with the specific pattern which will match all HTTP
@@ -90,28 +79,7 @@ public final class AntPathRequestMatcher implements RequestMatcher {
      *            true if the matcher should consider case, else false
      */
     public AntPathRequestMatcher(String pattern, String httpMethod, boolean caseSensitive) {
-        Assert.hasText(pattern, "Pattern cannot be null or empty");
-        this.caseSensitive = caseSensitive;
-
-        if (pattern.equals(MATCH_ALL) || pattern.equals("**")) {
-            pattern = MATCH_ALL;
-            matcher = null;
-        } else {
-            if(!caseSensitive) {
-                pattern = pattern.toLowerCase();
-            }
-
-            // If the pattern ends with {@code /**} and has no other wildcards, then optimize to a sub-path match
-            if (pattern.endsWith(MATCH_ALL) && pattern.indexOf('?') == -1 &&
-                    pattern.indexOf("*") == pattern.length() - 2) {
-                matcher = new SubpathMatcher(pattern.substring(0, pattern.length() - 3));
-            } else {
-                matcher = new SpringAntMatcher(pattern);
-            }
-        }
-
-        this.pattern = pattern;
-        this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null;
+        this.delegate = new org.springframework.security.web.util.matchers.AntPathRequestMatcher(pattern, httpMethod, caseSensitive);
     }
 
     /**
@@ -121,117 +89,29 @@ public final class AntPathRequestMatcher implements RequestMatcher {
      *    {@code servletPath} + {@code pathInfo} of the request.
      */
     public boolean matches(HttpServletRequest request) {
-        if (httpMethod != null && request.getMethod() != null && httpMethod != HttpMethod.valueOf(request.getMethod())) {
-            if (logger.isDebugEnabled()) {
-                logger.debug("Request '" + request.getMethod() + " " + getRequestPath(request) + "'"
-                        + " doesn't match '" + httpMethod  + " " + pattern);
-            }
-
-            return false;
-        }
-
-        if (pattern.equals(MATCH_ALL)) {
-            if (logger.isDebugEnabled()) {
-                logger.debug("Request '" + getRequestPath(request) + "' matched by universal pattern '/**'");
-            }
-
-            return true;
-        }
-
-        String url = getRequestPath(request);
-
-        if (logger.isDebugEnabled()) {
-            logger.debug("Checking match of request : '" + url + "'; against '" + pattern + "'");
-        }
-
-        return matcher.matches(url);
+        return this.delegate.matches(request);
     }
 
-    private String getRequestPath(HttpServletRequest request) {
-        String url = request.getServletPath();
-
-        if (request.getPathInfo() != null) {
-            url += request.getPathInfo();
-        }
-
-        if(!caseSensitive) {
-            url = url.toLowerCase();
-        }
-
-        return url;
+    public org.springframework.security.web.util.matchers.AntPathRequestMatcher getDelegate() {
+        return delegate;
     }
 
     public String getPattern() {
-        return pattern;
+        return delegate.getPattern();
     }
 
     @Override
     public boolean equals(Object obj) {
-        if (!(obj instanceof AntPathRequestMatcher)) {
-            return false;
-        }
-        AntPathRequestMatcher other = (AntPathRequestMatcher)obj;
-        return this.pattern.equals(other.pattern) &&
-            this.httpMethod == other.httpMethod &&
-            this.caseSensitive == other.caseSensitive;
+        return delegate.equals(obj);
     }
 
     @Override
     public int hashCode() {
-        int code = 31 ^ pattern.hashCode();
-        if (httpMethod != null) {
-            code ^= httpMethod.hashCode();
-        }
-        return code;
+        return delegate.hashCode();
     }
 
     @Override
     public String toString() {
-        StringBuilder sb = new StringBuilder();
-        sb.append("Ant [pattern='").append(pattern).append("'");
-
-        if (httpMethod != null) {
-            sb.append(", ").append(httpMethod);
-        }
-
-        sb.append("]");
-
-        return sb.toString();
-    }
-
-    private static interface Matcher {
-        boolean matches(String path);
-    }
-
-    private static class SpringAntMatcher implements Matcher {
-        private static final AntPathMatcher antMatcher = new AntPathMatcher();
-
-        private final String pattern;
-
-        private SpringAntMatcher(String pattern) {
-            this.pattern = pattern;
-        }
-
-        public boolean matches(String path) {
-            return antMatcher.match(pattern, path);
-        }
-    }
-
-    /**
-     * Optimized matcher for trailing wildcards
-     */
-    private static class SubpathMatcher implements Matcher {
-        private final String subpath;
-        private final int length;
-
-        private SubpathMatcher(String subpath) {
-            assert !subpath.contains("*");
-            this.subpath = subpath;
-            this.length = subpath.length();
-        }
-
-        public boolean matches(String path) {
-            return path.startsWith(subpath) && (path.length() == length || path.charAt(length) == '/');
-        }
+        return delegate.toString();
     }
 }

web/src/main/java/org/springframework/security/web/util/AnyRequestMatcher.java

@@ -7,20 +7,22 @@ import javax.servlet.http.HttpServletRequest;
  *
  * @author Luke Taylor
  * @since 3.1
+ * @deprecated use org.springframework.security.web.util.matchers.AnyRequestMatcher.INSTANCE instead
  */
 public final class AnyRequestMatcher implements RequestMatcher {
+    private final RequestMatcher delegate = org.springframework.security.web.util.matchers.AnyRequestMatcher.INSTANCE;
 
     public boolean matches(HttpServletRequest request) {
-        return true;
+        return delegate.matches(request);
     }
 
     @Override
     public boolean equals(Object obj) {
-        return obj instanceof AnyRequestMatcher;
+        return delegate.equals(obj);
     }
 
     @Override
     public int hashCode() {
-        return 1;
+        return delegate.hashCode();
     }
 }

web/src/main/java/org/springframework/security/web/util/ELRequestMatcher.java

@@ -19,9 +19,6 @@ package org.springframework.security.web.util;
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.expression.EvaluationContext;
-import org.springframework.expression.Expression;
-import org.springframework.expression.spel.standard.SpelExpressionParser;
-import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
 
 /**
@@ -35,19 +32,18 @@ import org.springframework.security.web.authentication.DelegatingAuthenticationE
  *
  * @author Mike Wiesner
  * @since 3.0.2
+ * @deprecated Use org.springframework.security.web.util.matchers.ELRequestMatcher
  */
 public class ELRequestMatcher implements RequestMatcher {
 
-    private final Expression expression;
+    private final org.springframework.security.web.util.matchers.ELRequestMatcher delegate;
 
     public ELRequestMatcher(String el) {
-        SpelExpressionParser parser = new SpelExpressionParser();
-        expression = parser.parseExpression(el);
+        delegate = new org.springframework.security.web.util.matchers.ELRequestMatcher(el);
     }
 
     public boolean matches(HttpServletRequest request) {
-        EvaluationContext context = createELContext(request);
-        return expression.getValue(context, Boolean.class).booleanValue();
+        return delegate.matches(request);
     }
 
     /**
@@ -56,7 +52,7 @@ public class ELRequestMatcher implements RequestMatcher {
      * @return EL root context which is used to evaluate the expression
      */
     public EvaluationContext createELContext(HttpServletRequest request) {
-        return new StandardEvaluationContext(new ELRequestMatcherContext(request));
+        return delegate.createELContext(request);
     }
 
 }

web/src/main/java/org/springframework/security/web/util/RegexRequestMatcher.java

@@ -16,11 +16,6 @@ import java.util.regex.Pattern;
 
 import javax.servlet.http.HttpServletRequest;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.http.HttpMethod;
-import org.springframework.util.StringUtils;
-
 /**
  * Uses a regular expression to decide whether a supplied the URL of a supplied {@code HttpServletRequest}.
  *
@@ -33,12 +28,10 @@ import org.springframework.util.StringUtils;
  * @author Luke Taylor
  * @author Rob Winch
  * @since 3.1
+ * @deprecated use org.springframework.security.web.util.matchers.RegexRequestMatcher
  */
 public final class RegexRequestMatcher implements RequestMatcher {
-    private final static Log logger = LogFactory.getLog(RegexRequestMatcher.class);
-
-    private final Pattern pattern;
-    private final HttpMethod httpMethod;
+    private final org.springframework.security.web.util.matchers.RegexRequestMatcher delegate;
 
     /**
      * Creates a case-sensitive {@code Pattern} instance to match against the request.
@@ -58,12 +51,7 @@ public final class RegexRequestMatcher implements RequestMatcher {
      * @param caseInsensitive if true, the pattern will be compiled with the {@link Pattern#CASE_INSENSITIVE} flag set.
      */
     public RegexRequestMatcher(String pattern, String httpMethod, boolean caseInsensitive) {
-        if (caseInsensitive) {
-            this.pattern = Pattern.compile(pattern, Pattern.CASE_INSENSITIVE);
-        } else {
-            this.pattern = Pattern.compile(pattern);
-        }
-        this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null;
+        this.delegate = new org.springframework.security.web.util.matchers.RegexRequestMatcher(pattern, httpMethod, caseInsensitive);
     }
 
     /**
@@ -74,31 +62,6 @@ public final class RegexRequestMatcher implements RequestMatcher {
      * @return true if the pattern matches the URL, false otherwise.
      */
     public boolean matches(HttpServletRequest request) {
-        if (httpMethod != null && request.getMethod() != null && httpMethod != HttpMethod.valueOf(request.getMethod())) {
-            return false;
-        }
-
-        String url = request.getServletPath();
-        String pathInfo = request.getPathInfo();
-        String query = request.getQueryString();
-
-        if (pathInfo != null || query != null) {
-            StringBuilder sb = new StringBuilder(url);
-
-            if (pathInfo != null) {
-                sb.append(pathInfo);
-            }
-
-            if (query != null) {
-                sb.append('?').append(query);
-            }
-            url = sb.toString();
-        }
-
-        if (logger.isDebugEnabled()) {
-            logger.debug("Checking match of request : '" + url + "'; against '" + pattern + "'");
-        }
-
-        return pattern.matcher(url).matches();
+        return delegate.matches(request);
     }
 }

web/src/main/java/org/springframework/security/web/util/RequestMatcherEditor.java

@@ -18,19 +18,20 @@ package org.springframework.security.web.util;
 
 import java.beans.PropertyEditorSupport;
 
+import org.springframework.security.web.util.matchers.ELRequestMatcher;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
 
 /**
  * PropertyEditor which creates ELRequestMatcher instances from Strings
- * 
+ *
  * This allows to use a String in a BeanDefinition instead of an (inner) bean
- * if a RequestMatcher is required, e.g. in {@link DelegatingAuthenticationEntryPoint}  
- * 
+ * if a RequestMatcher is required, e.g. in {@link DelegatingAuthenticationEntryPoint}
+ *
  * @author Mike Wiesner
  * @since 3.0.2
  */
 public class RequestMatcherEditor extends PropertyEditorSupport {
-    
+
     @Override
     public void setAsText(String text) throws IllegalArgumentException {
         setValue(new ELRequestMatcher(text));

web/src/main/java/org/springframework/security/web/util/matchers/AndRequestMatcher.java

@@ -13,7 +13,7 @@
  * License for the specific language governing permissions and limitations under
  * the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import java.util.Arrays;
 import java.util.List;
@@ -22,6 +22,7 @@ import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.security.web.util.RequestMatcher;
 import org.springframework.util.Assert;
 
 

web/src/main/java/org/springframework/security/web/util/matchers/AntPathRequestMatcher.java

@@ -0,0 +1,243 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.springframework.security.web.util.matchers;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.web.util.RequestMatcher;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+
+/**
+ * Matcher which compares a pre-defined ant-style pattern against the URL
+ * ({@code servletPath + pathInfo}) of an {@code HttpServletRequest}.
+ * The query string of the URL is ignored and matching is case-insensitive or case-sensitive depending on
+ * the arguments passed into the constructor.
+ * <p>
+ * Using a pattern value of {@code /**} or {@code **} is treated as a universal
+ * match, which will match any request. Patterns which end with {@code /**} (and have no other wildcards)
+ * are optimized by using a substring match &mdash; a pattern of {@code /aaa/**} will match {@code /aaa},
+ * {@code /aaa/} and any sub-directories, such as {@code /aaa/bbb/ccc}.
+ * </p>
+ * <p>
+ * For all other cases, Spring's {@link AntPathMatcher} is used to perform the match. See the Spring documentation
+ * for this class for comprehensive information on the syntax used.
+ * </p>
+ *
+ * @author Luke Taylor
+ * @author Rob Winch
+ * @since 3.1
+ *
+ * @see org.springframework.util.AntPathMatcher
+ */
+public final class AntPathRequestMatcher implements RequestMatcher {
+    private static final Log logger = LogFactory.getLog(AntPathRequestMatcher.class);
+    private static final String MATCH_ALL = "/**";
+
+    private final Matcher matcher;
+    private final String pattern;
+    private final HttpMethod httpMethod;
+    private final boolean caseSensitive;
+
+    /**
+     * Creates a matcher with the specific pattern which will match all HTTP
+     * methods in a case insensitive manner.
+     *
+     * @param pattern
+     *            the ant pattern to use for matching
+     */
+    public AntPathRequestMatcher(String pattern) {
+        this(pattern, null);
+    }
+
+    /**
+     * Creates a matcher with the supplied pattern and HTTP method in a case
+     * insensitive manner.
+     *
+     * @param pattern
+     *            the ant pattern to use for matching
+     * @param httpMethod
+     *            the HTTP method. The {@code matches} method will return false
+     *            if the incoming request doesn't have the same method.
+     */
+    public AntPathRequestMatcher(String pattern, String httpMethod) {
+        this(pattern,httpMethod,false);
+    }
+
+    /**
+     * Creates a matcher with the supplied pattern which will match the
+     * specified Http method
+     *
+     * @param pattern
+     *            the ant pattern to use for matching
+     * @param httpMethod
+     *            the HTTP method. The {@code matches} method will return false
+     *            if the incoming request doesn't doesn't have the same method.
+     * @param caseSensitive
+     *            true if the matcher should consider case, else false
+     */
+    public AntPathRequestMatcher(String pattern, String httpMethod, boolean caseSensitive) {
+        Assert.hasText(pattern, "Pattern cannot be null or empty");
+        this.caseSensitive = caseSensitive;
+
+        if (pattern.equals(MATCH_ALL) || pattern.equals("**")) {
+            pattern = MATCH_ALL;
+            matcher = null;
+        } else {
+            if(!caseSensitive) {
+                pattern = pattern.toLowerCase();
+            }
+
+            // If the pattern ends with {@code /**} and has no other wildcards, then optimize to a sub-path match
+            if (pattern.endsWith(MATCH_ALL) && pattern.indexOf('?') == -1 &&
+                    pattern.indexOf("*") == pattern.length() - 2) {
+                matcher = new SubpathMatcher(pattern.substring(0, pattern.length() - 3));
+            } else {
+                matcher = new SpringAntMatcher(pattern);
+            }
+        }
+
+        this.pattern = pattern;
+        this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null;
+    }
+
+    /**
+     * Returns true if the configured pattern (and HTTP-Method) match those of the supplied request.
+     *
+     * @param request the request to match against. The ant pattern will be matched against the
+     *    {@code servletPath} + {@code pathInfo} of the request.
+     */
+    public boolean matches(HttpServletRequest request) {
+        if (httpMethod != null && request.getMethod() != null && httpMethod != HttpMethod.valueOf(request.getMethod())) {
+            if (logger.isDebugEnabled()) {
+                logger.debug("Request '" + request.getMethod() + " " + getRequestPath(request) + "'"
+                        + " doesn't match '" + httpMethod  + " " + pattern);
+            }
+
+            return false;
+        }
+
+        if (pattern.equals(MATCH_ALL)) {
+            if (logger.isDebugEnabled()) {
+                logger.debug("Request '" + getRequestPath(request) + "' matched by universal pattern '/**'");
+            }
+
+            return true;
+        }
+
+        String url = getRequestPath(request);
+
+        if (logger.isDebugEnabled()) {
+            logger.debug("Checking match of request : '" + url + "'; against '" + pattern + "'");
+        }
+
+        return matcher.matches(url);
+    }
+
+    private String getRequestPath(HttpServletRequest request) {
+        String url = request.getServletPath();
+
+        if (request.getPathInfo() != null) {
+            url += request.getPathInfo();
+        }
+
+        if(!caseSensitive) {
+            url = url.toLowerCase();
+        }
+
+        return url;
+    }
+
+    public String getPattern() {
+        return pattern;
+    }
+
+    @SuppressWarnings("deprecation")
+    @Override
+    public boolean equals(Object obj) {
+        org.springframework.security.web.util.matchers.AntPathRequestMatcher other;
+        if (obj instanceof org.springframework.security.web.util.AntPathRequestMatcher) {
+            other = ((org.springframework.security.web.util.AntPathRequestMatcher) obj).getDelegate();
+        } else if(obj instanceof AntPathRequestMatcher) {
+            other = (AntPathRequestMatcher) obj;
+        } else {
+            return false;
+        }
+        return this.pattern.equals(other.pattern) &&
+            this.httpMethod == other.httpMethod &&
+            this.caseSensitive == other.caseSensitive;
+    }
+
+    @Override
+    public int hashCode() {
+        int code = 31 ^ pattern.hashCode();
+        if (httpMethod != null) {
+            code ^= httpMethod.hashCode();
+        }
+        return code;
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+        sb.append("Ant [pattern='").append(pattern).append("'");
+
+        if (httpMethod != null) {
+            sb.append(", ").append(httpMethod);
+        }
+
+        sb.append("]");
+
+        return sb.toString();
+    }
+
+    private static interface Matcher {
+        boolean matches(String path);
+    }
+
+    private static class SpringAntMatcher implements Matcher {
+        private static final AntPathMatcher antMatcher = new AntPathMatcher();
+
+        private final String pattern;
+
+        private SpringAntMatcher(String pattern) {
+            this.pattern = pattern;
+        }
+
+        public boolean matches(String path) {
+            return antMatcher.match(pattern, path);
+        }
+    }
+
+    /**
+     * Optimized matcher for trailing wildcards
+     */
+    private static class SubpathMatcher implements Matcher {
+        private final String subpath;
+        private final int length;
+
+        private SubpathMatcher(String subpath) {
+            assert !subpath.contains("*");
+            this.subpath = subpath;
+            this.length = subpath.length();
+        }
+
+        public boolean matches(String path) {
+            return path.startsWith(subpath) && (path.length() == length || path.charAt(length) == '/');
+        }
+    }
+}

web/src/main/java/org/springframework/security/web/util/matchers/AnyRequestMatcher.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.util.matchers;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.security.web.util.RequestMatcher;
+
+/**
+ * Matches any supplied request.
+ *
+ * @author Luke Taylor
+ * @since 3.1
+ */
+public final class AnyRequestMatcher implements RequestMatcher {
+    public static final RequestMatcher INSTANCE = new AnyRequestMatcher();
+
+    public boolean matches(HttpServletRequest request) {
+        return true;
+    }
+
+    @Override
+    @SuppressWarnings("deprecation")
+    public boolean equals(Object obj) {
+        return obj instanceof AnyRequestMatcher || obj instanceof org.springframework.security.web.util.AnyRequestMatcher;
+    }
+
+    @Override
+    public int hashCode() {
+        return 1;
+    }
+
+    private AnyRequestMatcher() {}
+}

web/src/main/java/org/springframework/security/web/util/matchers/ELRequestMatcher.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2010 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.util.matchers;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.expression.EvaluationContext;
+import org.springframework.expression.Expression;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
+import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
+import org.springframework.security.web.util.RequestMatcher;
+
+/**
+ * A RequestMatcher implementation which uses a SpEL expression
+ *
+ * <p>With the default EvaluationContext ({@link ELRequestMatcherContext}) you can use
+ * <code>hasIpAdress()</code> and <code>hasHeader()</code></p>
+ *
+ * <p>See {@link DelegatingAuthenticationEntryPoint} for an example configuration.</p>
+ *
+ *
+ * @author Mike Wiesner
+ * @since 3.0.2
+ */
+public class ELRequestMatcher implements RequestMatcher {
+
+    private final Expression expression;
+
+    public ELRequestMatcher(String el) {
+        SpelExpressionParser parser = new SpelExpressionParser();
+        expression = parser.parseExpression(el);
+    }
+
+    public boolean matches(HttpServletRequest request) {
+        EvaluationContext context = createELContext(request);
+        return expression.getValue(context, Boolean.class).booleanValue();
+    }
+
+    /**
+     * Subclasses can override this methode if they want to use a different EL root context
+     *
+     * @return EL root context which is used to evaluate the expression
+     */
+    public EvaluationContext createELContext(HttpServletRequest request) {
+        return new StandardEvaluationContext(new ELRequestMatcherContext(request));
+    }
+
+}

web/src/main/java/org/springframework/security/web/util/matchers/ELRequestMatcherContext.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 
 import javax.servlet.http.HttpServletRequest;

web/src/main/java/org/springframework/security/web/util/matchers/IpAddressMatcher.java

@@ -1,4 +1,4 @@
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import java.net.InetAddress;
 import java.net.UnknownHostException;
@@ -6,6 +6,7 @@ import java.util.Arrays;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.springframework.security.web.util.RequestMatcher;
 import org.springframework.util.StringUtils;
 
 /**

web/src/main/java/org/springframework/security/web/util/matchers/MediaTypeRequestMatcher.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import java.util.Arrays;
 import java.util.Collection;
@@ -26,6 +26,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.http.MediaType;
+import org.springframework.security.web.util.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.web.HttpMediaTypeNotAcceptableException;
 import org.springframework.web.accept.ContentNegotiationStrategy;

web/src/main/java/org/springframework/security/web/util/matchers/NegatedRequestMatcher.java

@@ -13,12 +13,13 @@
  * License for the specific language governing permissions and limitations under
  * the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.security.web.util.RequestMatcher;
 import org.springframework.util.Assert;
 
 /**

web/src/main/java/org/springframework/security/web/util/matchers/OrRequestMatcher.java

@@ -13,7 +13,7 @@
  * License for the specific language governing permissions and limitations under
  * the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import java.util.Arrays;
 import java.util.List;
@@ -22,6 +22,7 @@ import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.security.web.util.RequestMatcher;
 import org.springframework.util.Assert;
 
 

web/src/main/java/org/springframework/security/web/util/matchers/RegexRequestMatcher.java

@@ -0,0 +1,105 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.springframework.security.web.util.matchers;
+
+import java.util.regex.Pattern;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.web.util.RequestMatcher;
+import org.springframework.util.StringUtils;
+
+/**
+ * Uses a regular expression to decide whether a supplied the URL of a supplied {@code HttpServletRequest}.
+ *
+ * Can also be configured to match a specific HTTP method.
+ *
+ * The match is performed against the {@code servletPath + pathInfo + queryString} of the request and is case-sensitive
+ * by default. Case-insensitive matching can be used by using the constructor which takes the {@code caseInsensitive}
+ * argument.
+ *
+ * @author Luke Taylor
+ * @author Rob Winch
+ * @since 3.1
+ */
+public final class RegexRequestMatcher implements RequestMatcher {
+    private final static Log logger = LogFactory.getLog(RegexRequestMatcher.class);
+
+    private final Pattern pattern;
+    private final HttpMethod httpMethod;
+
+    /**
+     * Creates a case-sensitive {@code Pattern} instance to match against the request.
+     *
+     * @param pattern the regular expression to compile into a pattern.
+     * @param httpMethod the HTTP method to match. May be null to match all methods.
+     */
+    public RegexRequestMatcher(String pattern, String httpMethod) {
+        this(pattern, httpMethod, false);
+    }
+
+    /**
+     * As above, but allows setting of whether case-insensitive matching should be used.
+     *
+     * @param pattern the regular expression to compile into a pattern.
+     * @param httpMethod the HTTP method to match. May be null to match all methods.
+     * @param caseInsensitive if true, the pattern will be compiled with the {@link Pattern#CASE_INSENSITIVE} flag set.
+     */
+    public RegexRequestMatcher(String pattern, String httpMethod, boolean caseInsensitive) {
+        if (caseInsensitive) {
+            this.pattern = Pattern.compile(pattern, Pattern.CASE_INSENSITIVE);
+        } else {
+            this.pattern = Pattern.compile(pattern);
+        }
+        this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null;
+    }
+
+    /**
+     * Performs the match of the request URL ({@code servletPath + pathInfo + queryString}) against
+     * the compiled pattern. If the query string is present, a question mark will be prepended.
+     *
+     * @param request the request to match
+     * @return true if the pattern matches the URL, false otherwise.
+     */
+    public boolean matches(HttpServletRequest request) {
+        if (httpMethod != null && request.getMethod() != null && httpMethod != HttpMethod.valueOf(request.getMethod())) {
+            return false;
+        }
+
+        String url = request.getServletPath();
+        String pathInfo = request.getPathInfo();
+        String query = request.getQueryString();
+
+        if (pathInfo != null || query != null) {
+            StringBuilder sb = new StringBuilder(url);
+
+            if (pathInfo != null) {
+                sb.append(pathInfo);
+            }
+
+            if (query != null) {
+                sb.append('?').append(query);
+            }
+            url = sb.toString();
+        }
+
+        if (logger.isDebugEnabled()) {
+            logger.debug("Checking match of request : '" + url + "'; against '" + pattern + "'");
+        }
+
+        return pattern.matcher(url).matches();
+    }
+}

web/src/main/java/org/springframework/security/web/util/matchers/RequestHeaderRequestMatcher.java

@@ -13,10 +13,11 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.springframework.security.web.util.RequestMatcher;
 import org.springframework.util.Assert;
 
 /**

web/src/test/java/org/springframework/security/web/access/expression/ExpressionBasedFilterInvocationSecurityMetadataSourceTests.java

@@ -7,7 +7,7 @@ import org.junit.Test;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.SecurityConfig;
 import org.springframework.security.web.FilterInvocation;
-import org.springframework.security.web.util.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
 
 import java.util.Collection;
@@ -22,7 +22,7 @@ public class ExpressionBasedFilterInvocationSecurityMetadataSourceTests {
     public void expectedAttributeIsReturned() {
         final String expression = "hasRole('X')";
         LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap = new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();
-        requestMap.put(new AnyRequestMatcher(), SecurityConfig.createList(expression));
+        requestMap.put(AnyRequestMatcher.INSTANCE, SecurityConfig.createList(expression));
         ExpressionBasedFilterInvocationSecurityMetadataSource mds =
                 new ExpressionBasedFilterInvocationSecurityMetadataSource(requestMap, new DefaultWebSecurityExpressionHandler());
         assertEquals(1, mds.getAllConfigAttributes().size());
@@ -37,7 +37,7 @@ public class ExpressionBasedFilterInvocationSecurityMetadataSourceTests {
     @Test(expected=IllegalArgumentException.class)
     public void invalidExpressionIsRejected() throws Exception {
         LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap = new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();
-        requestMap.put(new AnyRequestMatcher(), SecurityConfig.createList("hasRole('X'"));
+        requestMap.put(AnyRequestMatcher.INSTANCE, SecurityConfig.createList("hasRole('X'"));
         ExpressionBasedFilterInvocationSecurityMetadataSource mds =
                 new ExpressionBasedFilterInvocationSecurityMetadataSource(requestMap, new DefaultWebSecurityExpressionHandler());
     }

web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java

@@ -29,7 +29,7 @@ import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.SecurityConfig;
 import org.springframework.security.web.FilterInvocation;
-import org.springframework.security.web.util.AntPathRequestMatcher;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
 import org.springframework.security.web.util.RequestMatcher;
 
 /**

web/src/test/java/org/springframework/security/web/header/writers/HstsHeaderWriterTests.java

@@ -22,7 +22,7 @@ import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.web.header.writers.HstsHeaderWriter;
-import org.springframework.security.web.util.AnyRequestMatcher;
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
 
 /**
  * @author Rob Winch
@@ -46,7 +46,7 @@ public class HstsHeaderWriterTests {
     @Test
     public void allArgsCustomConstructorWriteHeaders() {
         request.setSecure(false);
-        writer = new HstsHeaderWriter(new AnyRequestMatcher(), 15768000, false);
+        writer = new HstsHeaderWriter(AnyRequestMatcher.INSTANCE, 15768000, false);
 
         writer.writeHeaders(request, response);
 
@@ -57,7 +57,7 @@ public class HstsHeaderWriterTests {
     @Test
     public void maxAgeAndIncludeSubdomainsCustomConstructorWriteHeaders() {
         request.setSecure(false);
-        writer = new HstsHeaderWriter(new AnyRequestMatcher(), 15768000, false);
+        writer = new HstsHeaderWriter(AnyRequestMatcher.INSTANCE, 15768000, false);
 
         writer.writeHeaders(request, response);
 
@@ -124,7 +124,7 @@ public class HstsHeaderWriterTests {
 
     @Test
     public void writeHeadersAnyRequestMatcher() {
-        writer.setRequestMatcher(new AnyRequestMatcher());
+        writer.setRequestMatcher(AnyRequestMatcher.INSTANCE);
         request.setSecure(false);
 
         writer.writeHeaders(request, response);

web/src/test/java/org/springframework/security/web/util/matchers/AndRequestMatcherTests.java

@@ -13,7 +13,7 @@
  * License for the specific language governing permissions and limitations under
  * the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import static org.fest.assertions.Assertions.assertThat;
 import static org.mockito.Mockito.when;
@@ -28,6 +28,8 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.security.web.util.RequestMatcher;
+import org.springframework.security.web.util.matchers.AndRequestMatcher;
 
 /**
  *

web/src/test/java/org/springframework/security/web/util/matchers/AntPathRequestMatcherTests.java

@@ -10,7 +10,7 @@
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import static org.fest.assertions.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
@@ -25,6 +25,8 @@ import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.util.matchers.AntPathRequestMatcher;
+import org.springframework.security.web.util.matchers.AnyRequestMatcher;
 
 /**
  * @author Luke Taylor
@@ -139,7 +141,7 @@ public class AntPathRequestMatcherTests {
         assertEquals(new AntPathRequestMatcher("/xyz", "POST"), new AntPathRequestMatcher("/xyz", "POST"));
         assertFalse(new AntPathRequestMatcher("/xyz", "POST").equals(new AntPathRequestMatcher("/xyz", "GET")));
         assertFalse(new AntPathRequestMatcher("/xyz").equals(new AntPathRequestMatcher("/xxx")));
-        assertFalse(new AntPathRequestMatcher("/xyz").equals(new AnyRequestMatcher()));
+        assertFalse(new AntPathRequestMatcher("/xyz").equals(AnyRequestMatcher.INSTANCE));
         assertFalse(new AntPathRequestMatcher("/xyz","GET", false).equals(new AntPathRequestMatcher("/xyz","GET", true)));
     }
 

web/src/test/java/org/springframework/security/web/util/matchers/ELRequestMatcherTests.java

@@ -13,12 +13,13 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import static org.junit.Assert.*;
 
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.util.matchers.ELRequestMatcher;
 
 /**
  * @author Mike Wiesner

web/src/test/java/org/springframework/security/web/util/matchers/IpAddressMatcherTests.java

@@ -1,4 +1,4 @@
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 
 import static org.junit.Assert.*;
@@ -6,6 +6,7 @@ import static org.junit.Assert.*;
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.util.matchers.IpAddressMatcher;
 
 
 /**

web/src/test/java/org/springframework/security/web/util/matchers/MediaTypeRequestMatcherRequestHCNSTests.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import static org.fest.assertions.Assertions.assertThat;
 
@@ -23,6 +23,7 @@ import org.junit.Before;
 import org.junit.Test;
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.util.matchers.MediaTypeRequestMatcher;
 import org.springframework.web.accept.ContentNegotiationStrategy;
 import org.springframework.web.accept.HeaderContentNegotiationStrategy;
 

web/src/test/java/org/springframework/security/web/util/matchers/MediaTypeRequestMatcherTests.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import static org.fest.assertions.Assertions.assertThat;
 import static org.mockito.Matchers.any;
@@ -30,6 +30,7 @@ import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.util.matchers.MediaTypeRequestMatcher;
 import org.springframework.web.HttpMediaTypeNotAcceptableException;
 import org.springframework.web.accept.ContentNegotiationStrategy;
 import org.springframework.web.context.request.NativeWebRequest;

web/src/test/java/org/springframework/security/web/util/matchers/NegatedRequestMatcherTests.java

@@ -13,7 +13,7 @@
  * License for the specific language governing permissions and limitations under
  * the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import static org.fest.assertions.Assertions.assertThat;
 import static org.mockito.Mockito.when;
@@ -24,6 +24,8 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.security.web.util.RequestMatcher;
+import org.springframework.security.web.util.matchers.NegatedRequestMatcher;
 
 /**
  *

web/src/test/java/org/springframework/security/web/util/matchers/OrRequestMatcherTests.java

@@ -13,7 +13,7 @@
  * License for the specific language governing permissions and limitations under
  * the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import static org.fest.assertions.Assertions.assertThat;
 import static org.mockito.Mockito.when;
@@ -28,6 +28,8 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.security.web.util.RequestMatcher;
+import org.springframework.security.web.util.matchers.OrRequestMatcher;
 
 /**
  *

web/src/test/java/org/springframework/security/web/util/matchers/RegexRequestMatcherTests.java

@@ -10,7 +10,7 @@
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -23,6 +23,7 @@ import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.util.matchers.RegexRequestMatcher;
 
 /**
  * @author Luke Taylor

web/src/test/java/org/springframework/security/web/util/matchers/RequestHeaderRequestMatcherTests.java

@@ -13,13 +13,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.util;
+package org.springframework.security.web.util.matchers;
 
 import static org.fest.assertions.Assertions.assertThat;
 
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.util.matchers.RequestHeaderRequestMatcher;
 
 /**
  *