From 8a6e1297a1e3f3feca3639027f8cc225847970ec Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Thu, 31 Oct 2024 12:22:17 -0600 Subject: [PATCH] Add Warning Message for Missing Leading Slashes Closes gh-16020 --- .../web/AbstractRequestMatcherRegistry.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java b/config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java index 7be2a4ae4c..d94e9d9083 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java @@ -199,6 +199,12 @@ public abstract class AbstractRequestMatcherRegistry { * @since 5.8 */ public C requestMatchers(HttpMethod method, String... patterns) { + if (anyPathsDontStartWithLeadingSlash(patterns)) { + this.logger.warn("One of the patterns in " + Arrays.toString(patterns) + + " is missing a leading slash. This is discouraged; please include the " + + "leading slash in all your request matcher patterns. In future versions of " + + "Spring Security, leaving out the leading slash will result in an exception."); + } if (!mvcPresent) { return requestMatchers(RequestMatchers.antMatchersAsArray(method, patterns)); } @@ -219,6 +225,15 @@ public abstract class AbstractRequestMatcherRegistry { return requestMatchers(matchers.toArray(new RequestMatcher[0])); } + private boolean anyPathsDontStartWithLeadingSlash(String... patterns) { + for (String pattern : patterns) { + if (!pattern.startsWith("/")) { + return true; + } + } + return false; + } + private RequestMatcher resolve(AntPathRequestMatcher ant, MvcRequestMatcher mvc, ServletContext servletContext) { Map registrations = mappableServletRegistrations(servletContext); if (registrations.isEmpty()) {