Only apply path to default PathPatternRequestMatcher.Builder

wilkinsona · wilkinsona · commit 05c877d61c97 · 2025-07-21T10:57:42.000+01:00
Prior to this commit, if the user defined a custom PathPatternRequestMatcher.Builder, security auto-configuration would still set its base path to matcher the dispatcher servlet path. We need to give the user more control in this situation. If the user has defined a custom builder bean it should have a name other than pathPatternRequestMatcherBuilder. This different name is required to prevent a clash with the @fallback bean that's defined by Security's AuthorizationConfiguration. This commit changes the bean post-processor so that it will only apply to a bean named pathPatternRequestMatcherBuilder. By using a different name (which is necessary unless overriding is enabled) to use can take complete control of the path pattern request matcher builder. See gh-45492
diff --git a/module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/servlet/SpringBootWebSecurityConfiguration.java b/module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/servlet/SpringBootWebSecurityConfiguration.java
@@ -59,7 +59,8 @@ static BeanPostProcessor pathPatternRequestMatcherBuilderBasePathCustomizer(
 
 				@Override
 				public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
-					if (bean instanceof PathPatternRequestMatcher.Builder builder) {
+					if ("pathPatternRequestMatcherBuilder".equals(beanName)
+							&& bean instanceof PathPatternRequestMatcher.Builder builder) {
 						String path = dispatcherServletPath.getObject().getPath();
 						if (!path.equals("/")) {
 							return builder.basePath(path);
diff --git a/module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/servlet/SecurityAutoConfigurationTests.java b/module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/servlet/SecurityAutoConfigurationTests.java
@@ -42,6 +42,7 @@
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
 import org.springframework.boot.testsupport.classpath.resources.WithResource;
 import org.springframework.boot.web.servlet.DelegatingFilterProxyRegistrationBean;
+import org.springframework.boot.webmvc.autoconfigure.DispatcherServletPath;
 import org.springframework.boot.webmvc.autoconfigure.WebMvcAutoConfiguration;
 import org.springframework.context.annotation.AnnotationConfigApplicationContext;
 import org.springframework.context.annotation.Bean;
@@ -52,11 +53,13 @@
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.web.PathPatternRequestMatcherBuilderFactoryBean;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -216,6 +219,24 @@ void whenTheBeanFactoryHasAConversionServiceAndAConfigurationPropertyBindingConv
 			.run((context) -> assertThat(context.getBean(JwtProperties.class).getPublicKey()).isNotNull());
 	}
 
+	@Test
+	void whenDispatcherServletPathIsSetPathPatternRequestMatcherBuilderHasCustomBasePath() {
+		this.contextRunner.withBean(DispatcherServletPath.class, () -> () -> "/dispatcher-servlet").run((context) -> {
+			PathPatternRequestMatcher.Builder builder = context.getBean(PathPatternRequestMatcher.Builder.class);
+			assertThat(builder).extracting("basePath").isEqualTo("/dispatcher-servlet");
+		});
+	}
+
+	@Test
+	void givenACustomPathPatternRequestMatcherBuilderwhenDispatcherServletPathIsSetBuilderBasePathIsNotCustomized() {
+		this.contextRunner.withBean(PathPatternRequestMatcherBuilderFactoryBean.class)
+			.withBean(DispatcherServletPath.class, () -> () -> "/dispatcher-servlet")
+			.run((context) -> {
+				PathPatternRequestMatcher.Builder builder = context.getBean(PathPatternRequestMatcher.Builder.class);
+				assertThat(builder).extracting("basePath").isEqualTo("");
+			});
+	}
+
 	@Configuration(proxyBeanMethods = false)
 	@TestAutoConfigurationPackage(City.class)
 	static class EntityConfiguration {
