From 53bcf0d16b414d9f0436ac178c211ca6b9520d8e Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Wed, 15 Apr 2026 17:12:08 -0600
Subject: [PATCH] Fix Servlet Path Application

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .../PathPatternRequestMatcherFactoryBean.java |  2 +-
 .../config/http/InterceptUrlConfigTests.java  | 72 +++++++++++++++++++
 ...InterceptUrlConfigTests-CiRegexMatcher.xml | 36 ++++++++++
 ...sts-CiRegexMatcherAuthorizationManager.xml | 36 ++++++++++
 ...lConfigTests-DefaultMatcherServletPath.xml |  3 +
 ...MatcherServletPathAuthorizationManager.xml |  3 +
 .../InterceptUrlConfigTests-RegexMatcher.xml  | 36 ++++++++++
 ...Tests-RegexMatcherAuthorizationManager.xml | 36 ++++++++++
 8 files changed, 223 insertions(+), 1 deletion(-)
 create mode 100644 config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-CiRegexMatcher.xml
 create mode 100644 config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-CiRegexMatcherAuthorizationManager.xml
 create mode 100644 config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-RegexMatcher.xml
 create mode 100644 config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-RegexMatcherAuthorizationManager.xml

diff --git a/config/src/main/java/org/springframework/security/config/http/PathPatternRequestMatcherFactoryBean.java b/config/src/main/java/org/springframework/security/config/http/PathPatternRequestMatcherFactoryBean.java
index 116f2ccd12..39e13a02ac 100644
--- a/config/src/main/java/org/springframework/security/config/http/PathPatternRequestMatcherFactoryBean.java
+++ b/config/src/main/java/org/springframework/security/config/http/PathPatternRequestMatcherFactoryBean.java
@@ -70,7 +70,7 @@ public final class PathPatternRequestMatcherFactoryBean
 	@Override
 	public void afterPropertiesSet() throws Exception {
 		if (this.basePath != null) {
-			this.builder.basePath(this.basePath);
+			this.builder = this.builder.basePath(this.basePath);
 		}
 	}
 
diff --git a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
index fab1e932c0..2038828317 100644
--- a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
@@ -314,6 +314,78 @@ public class InterceptUrlConfigTests {
 				.autowire());
 	}
 
+	@Test
+	public void requestWhenUsingDefaultMatcherAndServletPathThenAuthorizesRequestsAccordingly() throws Exception {
+		this.spring.configLocations(this.xml("DefaultMatcherServletPath")).autowire();
+		// @formatter:off
+		this.mvc.perform(get("/spring/path").with(userCredentials()))
+				.andExpect(status().isForbidden());
+		this.mvc.perform(get("/path").with(userCredentials()))
+				.andExpect(status().isOk());
+		// @formatter:on
+	}
+
+	@Test
+	public void requestWhenUsingDefaultMatcherAndServletPathAndAuthorizationManagerThenAuthorizesRequestsAccordingly()
+			throws Exception {
+		this.spring.configLocations(this.xml("DefaultMatcherServletPathAuthorizationManager")).autowire();
+		// @formatter:off
+		this.mvc.perform(get("/spring/path").with(userCredentials()))
+				.andExpect(status().isForbidden());
+		this.mvc.perform(get("/path").with(userCredentials()))
+				.andExpect(status().isOk());
+		// @formatter:on
+		assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
+	}
+
+	@Test
+	public void requestWhenUsingRegexMatcherThenAuthorizesRequestsAccordingly() throws Exception {
+		this.spring.configLocations(this.xml("RegexMatcher")).autowire();
+		// @formatter:off
+		this.mvc.perform(get("/path").with(userCredentials()))
+				.andExpect(status().isForbidden());
+		this.mvc.perform(get("/other").with(userCredentials()))
+				.andExpect(status().isNotFound());
+		// @formatter:on
+	}
+
+	@Test
+	public void requestWhenUsingRegexMatcherAndAuthorizationManagerThenAuthorizesRequestsAccordingly()
+			throws Exception {
+		this.spring.configLocations(this.xml("RegexMatcherAuthorizationManager")).autowire();
+		// @formatter:off
+		this.mvc.perform(get("/path").with(userCredentials()))
+				.andExpect(status().isForbidden());
+		this.mvc.perform(get("/other").with(userCredentials()))
+				.andExpect(status().isNotFound());
+		// @formatter:on
+		assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
+	}
+
+	@Test
+	public void requestWhenUsingCiRegexMatcherThenAuthorizesRequestsAccordingly() throws Exception {
+		this.spring.configLocations(this.xml("CiRegexMatcher")).autowire();
+		// @formatter:off
+		this.mvc.perform(get("/path").with(userCredentials()))
+				.andExpect(status().isForbidden());
+		this.mvc.perform(get("/PATH").with(userCredentials()))
+				.andExpect(status().isForbidden());
+		// @formatter:on
+	}
+
+	@Test
+	public void requestWhenUsingCiRegexMatcherAndAuthorizationManagerThenAuthorizesRequestsAccordingly()
+			throws Exception {
+		this.spring.configLocations(this.xml("CiRegexMatcherAuthorizationManager")).autowire();
+		// @formatter:off
+		this.mvc.perform(get("/path").with(userCredentials()))
+				.andExpect(status().isForbidden());
+		this.mvc.perform(get("/PATH").with(userCredentials()))
+				.andExpect(status().isForbidden());
+		// @formatter:on
+		assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
+	}
+
 	@Test
 	public void requestWhenUsingFilterAllDispatcherTypesAndAuthorizationManagerThenAuthorizesRequestsAccordingly()
 			throws Exception {
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-CiRegexMatcher.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-CiRegexMatcher.xml
new file mode 100644
index 0000000000..37780a6735
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-CiRegexMatcher.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2004-present the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http request-matcher="ciRegex" use-authorization-manager="false">
+		<intercept-url pattern="\A/PATH\Z" access="denyAll"/>
+		<intercept-url pattern="\A/.*\Z" access="permitAll"/>
+		<http-basic/>
+	</http>
+
+	<b:bean name="path" class="org.springframework.security.config.http.InterceptUrlConfigTests.PathController"/>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-CiRegexMatcherAuthorizationManager.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-CiRegexMatcherAuthorizationManager.xml
new file mode 100644
index 0000000000..f0b4bd71d7
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-CiRegexMatcherAuthorizationManager.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2004-present the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http request-matcher="ciRegex">
+		<intercept-url pattern="\A/PATH\Z" access="denyAll"/>
+		<intercept-url pattern="\A/.*\Z" access="permitAll"/>
+		<http-basic/>
+	</http>
+
+	<b:bean name="path" class="org.springframework.security.config.http.InterceptUrlConfigTests.PathController"/>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-DefaultMatcherServletPath.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-DefaultMatcherServletPath.xml
index 28d4a6cb4b..2f6eba90fc 100644
--- a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-DefaultMatcherServletPath.xml
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-DefaultMatcherServletPath.xml
@@ -26,8 +26,11 @@
 
 	<http use-authorization-manager="false">
 		<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
+		<intercept-url pattern="/**" access="permitAll"/>
 		<http-basic/>
 	</http>
 
+	<b:bean name="path" class="org.springframework.security.config.http.InterceptUrlConfigTests.PathController"/>
+
 	<b:import resource="userservice.xml"/>
 </b:beans>
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-DefaultMatcherServletPathAuthorizationManager.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-DefaultMatcherServletPathAuthorizationManager.xml
index 557083ccd8..fefc79d0e5 100644
--- a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-DefaultMatcherServletPathAuthorizationManager.xml
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-DefaultMatcherServletPathAuthorizationManager.xml
@@ -26,8 +26,11 @@
 
 	<http>
 		<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
+		<intercept-url pattern="/**" access="permitAll"/>
 		<http-basic/>
 	</http>
 
+	<b:bean name="path" class="org.springframework.security.config.http.InterceptUrlConfigTests.PathController"/>
+
 	<b:import resource="userservice.xml"/>
 </b:beans>
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-RegexMatcher.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-RegexMatcher.xml
new file mode 100644
index 0000000000..d362d91f27
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-RegexMatcher.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2004-present the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http request-matcher="regex" use-authorization-manager="false">
+		<intercept-url pattern="\A/path\Z" access="denyAll"/>
+		<intercept-url pattern="\A/.*\Z" access="permitAll"/>
+		<http-basic/>
+	</http>
+
+	<b:bean name="path" class="org.springframework.security.config.http.InterceptUrlConfigTests.PathController"/>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-RegexMatcherAuthorizationManager.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-RegexMatcherAuthorizationManager.xml
new file mode 100644
index 0000000000..47fd1c675e
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-RegexMatcherAuthorizationManager.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2004-present the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http request-matcher="regex">
+		<intercept-url pattern="\A/path\Z" access="denyAll"/>
+		<intercept-url pattern="\A/.*\Z" access="permitAll"/>
+		<http-basic/>
+	</http>
+
+	<b:bean name="path" class="org.springframework.security.config.http.InterceptUrlConfigTests.PathController"/>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>