From 6fa1588de939b25c155ff618f29f4c412018176c Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Tue, 19 Apr 2016 15:21:56 -0500
Subject: [PATCH] Disable AntPathRequestMatcher trim tokens Issue gh-3831
---
 .../web/util/matcher/AntPathRequestMatcher.java | 8 +++++++-
 .../web/util/matcher/AntPathRequestMatcherTests.java | 11 +++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java b/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java
index 598dbc33c9..f9c7d6de50 100644
--- a/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java
@@ -253,7 +253,7 @@ public final class AntPathRequestMatcher implements RequestMatcher {
 }
 private static class SpringAntMatcher implements Matcher {
- private static final AntPathMatcher antMatcher = new AntPathMatcher();
+ private static final AntPathMatcher antMatcher = createMatcher();
 private final String pattern;
@@ -270,6 +270,12 @@ public final class AntPathRequestMatcher implements RequestMatcher {
 public Map extractUriTemplateVariables(String path) {
 return antMatcher.extractUriTemplateVariables(this.pattern, path);
 }
+
+ private static AntPathMatcher createMatcher() {
+ AntPathMatcher matcher = new AntPathMatcher();
+ matcher.setTrimTokens(false);
+ return matcher;
+ }
 }
 /**
diff --git a/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java b/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java
index 52fcdc4dba..950f18c313 100644
--- a/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java
+++ b/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java
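Review bot: `createMatcher()` in the second hunk (-270) carries no comment explaining why token trimming is switched off, although the setting is security-relevant. With trimming left on, whitespace around a path segment is dropped before comparison, so a request path such as `/path /foo` is matched as if it were `/path/foo`, which is the case the accompanying test pins. I would add `// Security matchers must compare path segments exactly; do not let AntPathMatcher trim whitespace from tokens.` above `matcher.setTrimTokens(false);`. The change reaches only SpringAntMatcher's shared static instance, so any other AntPathMatcher the project may construct for access decisions (none is visible in this patch) would keep its own setting and is worth checking. The SpringAntMatcher class begins outside the hunk.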
@@ -162,6 +162,17 @@ public class AntPathRequestMatcherTests {
 .isTrue();
 }
+ @Test
+ public void spacesInPathSegmentsAreNotIgnored() {
+ AntPathRequestMatcher matcher = new AntPathRequestMatcher("/path/*/bar");
+ MockHttpServletRequest request = createRequest("/path /foo/bar");
+ assertThat(matcher.matches(request)).isFalse();
+
+ matcher = new AntPathRequestMatcher("/path/foo");
+ request = createRequest("/path /foo");
+ assertThat(matcher.matches(request)).isFalse();
+ }
+
 @Test
 public void equalsBehavesCorrectly() throws Exception {
 // Both universal wildcard options should be equal
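Review bot: `spacesInPathSegmentsAreNotIgnored` pins only a trailing space in the first segment (`/path `), so it would not notice if leading whitespace in a segment were still ignored. I would add a leading-space case to the second block, `request = createRequest("/path/ foo");` followed by `assertThat(matcher.matches(request)).isFalse();`. `createRequest` is defined outside the hunk, so which request property carries the path into the matcher is not visible here.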