Merge pull request #45163 from ngocnhan-tran1996

* pr/45163:
  Polish 'Migrate from AntPathRequestMatcher to PathPatternRequestMatcher'
  Migrate from AntPathRequestMatcher to PathPatternRequestMatcher

Closes gh-45163

Author: philwebb

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfiguration.java

@@ -62,6 +62,7 @@
 import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.cors.CorsConfiguration;
@@ -183,16 +184,16 @@ static class IgnoredCloudFoundryPathsWebSecurityCustomizer implements WebSecurit
 		}
 
 		@Override
-		@SuppressWarnings("removal")
 		public void customize(WebSecurity web) {
-			List<RequestMatcher> requestMatchers = new ArrayList<>();
-			this.pathMappedEndpoints.getAllPaths()
-				.forEach((path) -> requestMatchers
-					.add(new org.springframework.security.web.util.matcher.AntPathRequestMatcher(path + "/**")));
-			requestMatchers.add(new org.springframework.security.web.util.matcher.AntPathRequestMatcher(BASE_PATH));
-			requestMatchers
-				.add(new org.springframework.security.web.util.matcher.AntPathRequestMatcher(BASE_PATH + "/"));
-			web.ignoring().requestMatchers(new OrRequestMatcher(requestMatchers));
+			List<RequestMatcher> matchers = new ArrayList<>();
+			this.pathMappedEndpoints.getAllPaths().forEach((path) -> matchers.add(pathMatcher(path + "/**")));
+			matchers.add(pathMatcher(BASE_PATH));
+			matchers.add(pathMatcher(BASE_PATH + "/"));
+			web.ignoring().requestMatchers(new OrRequestMatcher(matchers));
+		}
+
+		private PathPatternRequestMatcher pathMatcher(String path) {
+			return PathPatternRequestMatcher.withDefaults().matcher(path);
 		}
 
 	}

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java

@@ -42,6 +42,7 @@
 import org.springframework.core.annotation.MergedAnnotation;
 import org.springframework.core.annotation.MergedAnnotations;
 import org.springframework.http.HttpMethod;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
@@ -231,14 +232,12 @@ protected List<RequestMatcher> getLinksMatchers(RequestMatcherFactory requestMat
 			return linksMatchers;
 		}
 
-		@SuppressWarnings("removal")
 		protected RequestMatcherProvider getRequestMatcherProvider(WebApplicationContext context) {
 			try {
 				return getRequestMatcherProviderBean(context);
 			}
 			catch (NoSuchBeanDefinitionException ex) {
-				return (pattern, method) -> new org.springframework.security.web.util.matcher.AntPathRequestMatcher(
-						pattern, (method != null) ? method.name() : null);
+				return (pattern, method) -> PathPatternRequestMatcher.withDefaults().matcher(method, pattern);
 			}
 		}
 

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AntPathRequestMatcherProvider.java renamed to spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/PathPatternRequestMatcherProvider.java

@@ -19,29 +19,26 @@
 import java.util.function.Function;
 
 import org.springframework.http.HttpMethod;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
 /**
- * {@link RequestMatcherProvider} that provides an {@link AntPathRequestMatcher}.
+ * {@link RequestMatcherProvider} that provides an {@link PathPatternRequestMatcher}.
  *
  * @author Madhura Bhave
  * @author Chris Bono
  */
-class AntPathRequestMatcherProvider implements RequestMatcherProvider {
+class PathPatternRequestMatcherProvider implements RequestMatcherProvider {
 
 	private final Function<String, String> pathFactory;
 
-	AntPathRequestMatcherProvider(Function<String, String> pathFactory) {
+	PathPatternRequestMatcherProvider(Function<String, String> pathFactory) {
 		this.pathFactory = pathFactory;
 	}
 
 	@Override
-	@SuppressWarnings("removal")
 	public RequestMatcher getRequestMatcher(String pattern, HttpMethod httpMethod) {
-		String path = this.pathFactory.apply(pattern);
-		return new org.springframework.security.web.util.matcher.AntPathRequestMatcher(path,
-				(httpMethod != null) ? httpMethod.name() : null);
+		return PathPatternRequestMatcher.withDefaults().matcher(httpMethod, this.pathFactory.apply(pattern));
 	}
 
 }

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/SecurityRequestMatchersManagementContextConfiguration.java

@@ -52,7 +52,7 @@ public static class MvcRequestMatcherConfiguration {
 		@ConditionalOnMissingBean
 		@ConditionalOnClass(DispatcherServlet.class)
 		public RequestMatcherProvider requestMatcherProvider(DispatcherServletPath servletPath) {
-			return new AntPathRequestMatcherProvider(servletPath::getRelativePath);
+			return new PathPatternRequestMatcherProvider(servletPath::getRelativePath);
 		}
 
 	}
@@ -65,7 +65,7 @@ public static class JerseyRequestMatcherConfiguration {
 
 		@Bean
 		public RequestMatcherProvider requestMatcherProvider(JerseyApplicationPath applicationPath) {
-			return new AntPathRequestMatcherProvider(applicationPath::getRelativePath);
+			return new PathPatternRequestMatcherProvider(applicationPath::getRelativePath);
 		}
 
 	}

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2024 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -182,8 +182,10 @@ void cloudFoundryPathsIgnoredBySpringSecurity() {
 				testCloudFoundrySecurity(request, BASE_PATH + "/test", chain);
 				testCloudFoundrySecurity(request, BASE_PATH + "/test/a", chain);
 				request.setServletPath(BASE_PATH + "/other-path");
+				request.setRequestURI(BASE_PATH + "/other-path");
 				assertThat(chain.matches(request)).isFalse();
 				request.setServletPath("/some-other-path");
+				request.setRequestURI("/some-other-path");
 				assertThat(chain.matches(request)).isFalse();
 			});
 	}
@@ -209,9 +211,9 @@ private FilterChainProxy getFilterChainProxy(Filter filter) {
 		throw new IllegalStateException("No FilterChainProxy found");
 	}
 
-	private static void testCloudFoundrySecurity(MockHttpServletRequest request, String servletPath,
+	private static void testCloudFoundrySecurity(MockHttpServletRequest request, String requestUri,
 			SecurityFilterChain chain) {
-		request.setServletPath(servletPath);
+		request.setRequestURI(requestUri);
 		assertThat(chain.matches(request)).isTrue();
 	}
 

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequestTests.java

@@ -413,24 +413,24 @@ private void matches(HttpServletRequest request) {
 			assertThat(this.matcher.matches(request)).as("Matches " + getRequestPath(request)).isTrue();
 		}
 
-		void doesNotMatch(String servletPath) {
-			doesNotMatch(mockRequest(null, servletPath));
+		void doesNotMatch(String requestUri) {
+			doesNotMatch(mockRequest(null, requestUri));
 		}
 
-		void doesNotMatch(HttpMethod httpMethod, String servletPath) {
-			doesNotMatch(mockRequest(httpMethod, servletPath));
+		void doesNotMatch(HttpMethod httpMethod, String requestUri) {
+			doesNotMatch(mockRequest(httpMethod, requestUri));
 		}
 
 		private void doesNotMatch(HttpServletRequest request) {
 			assertThat(this.matcher.matches(request)).as("Does not match " + getRequestPath(request)).isFalse();
 		}
 
-		private MockHttpServletRequest mockRequest(HttpMethod httpMethod, String servletPath) {
+		private MockHttpServletRequest mockRequest(HttpMethod httpMethod, String requestUri) {
 			MockServletContext servletContext = new MockServletContext();
 			servletContext.setAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, this.context);
 			MockHttpServletRequest request = new MockHttpServletRequest(servletContext);
-			if (servletPath != null) {
-				request.setServletPath(servletPath);
+			if (requestUri != null) {
+				request.setRequestURI(requestUri);
 			}
 			if (httpMethod != null) {
 				request.setMethod(httpMethod.name());

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java

@@ -52,7 +52,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.web.context.ConfigurableWebApplicationContext;
 import org.springframework.web.context.WebApplicationContext;
 
@@ -206,7 +206,7 @@ private HttpStatus getResponseStatus(AssertableWebApplicationContext context, St
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		servletContext.setAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, context);
 		MockHttpServletRequest request = new MockHttpServletRequest(servletContext);
-		request.setServletPath(path);
+		request.setRequestURI(path);
 		request.setMethod("GET");
 		filterChainProxy.doFilter(request, response, new MockFilterChain());
 		return HttpStatus.valueOf(response.getStatus());
@@ -216,10 +216,9 @@ private HttpStatus getResponseStatus(AssertableWebApplicationContext context, St
 	static class CustomSecurityConfiguration {
 
 		@Bean
-		@SuppressWarnings("removal")
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 			http.authorizeHttpRequests((requests) -> {
-				requests.requestMatchers(new AntPathRequestMatcher("/foo")).permitAll();
+				requests.requestMatchers(PathPatternRequestMatcher.withDefaults().matcher("/foo")).permitAll();
 				requests.anyRequest().authenticated();
 			});
 			http.formLogin(withDefaults());
@@ -246,9 +245,8 @@ static class TestRemoteDevToolsSecurityFilterChainConfig extends TestSecurityFil
 
 		@Bean
 		@Order(SecurityProperties.BASIC_AUTH_ORDER - 1)
-		@SuppressWarnings("removal")
 		SecurityFilterChain testRemoteDevToolsSecurityFilterChain(HttpSecurity http) throws Exception {
-			http.securityMatcher(new AntPathRequestMatcher("/**"));
+			http.securityMatcher(PathPatternRequestMatcher.withDefaults().matcher("/**"));
 			http.authorizeHttpRequests((requests) -> requests.anyRequest().anonymous());
 			http.csrf((csrf) -> csrf.disable());
 			return http.build();

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/SecurityRequestMatchersManagementContextConfigurationTests.java

@@ -27,6 +27,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.web.util.pattern.PathPatternParser;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -58,9 +59,11 @@ void configurationConditionalOnRequestMatcherClass() {
 	@Test
 	void registersRequestMatcherProviderIfMvcPresent() {
 		this.contextRunner.withUserConfiguration(TestMvcConfiguration.class).run((context) -> {
-			AntPathRequestMatcherProvider matcherProvider = context.getBean(AntPathRequestMatcherProvider.class);
+			PathPatternRequestMatcherProvider matcherProvider = context
+				.getBean(PathPatternRequestMatcherProvider.class);
 			RequestMatcher requestMatcher = matcherProvider.getRequestMatcher("/example", null);
-			assertThat(requestMatcher).extracting("pattern").isEqualTo("/custom/example");
+			assertThat(requestMatcher).extracting("pattern")
+				.isEqualTo(PathPatternParser.defaultInstance.parse("/custom/example"));
 		});
 	}
 
@@ -69,37 +72,39 @@ void registersRequestMatcherForJerseyProviderIfJerseyPresentAndMvcAbsent() {
 		this.contextRunner.withClassLoader(new FilteredClassLoader("org.springframework.web.servlet.DispatcherServlet"))
 			.withUserConfiguration(TestJerseyConfiguration.class)
 			.run((context) -> {
-				AntPathRequestMatcherProvider matcherProvider = context.getBean(AntPathRequestMatcherProvider.class);
+				PathPatternRequestMatcherProvider matcherProvider = context
+					.getBean(PathPatternRequestMatcherProvider.class);
 				RequestMatcher requestMatcher = matcherProvider.getRequestMatcher("/example", null);
-				assertThat(requestMatcher).extracting("pattern").isEqualTo("/admin/example");
+				assertThat(requestMatcher).extracting("pattern")
+					.isEqualTo(PathPatternParser.defaultInstance.parse("/admin/example"));
 			});
 	}
 
 	@Test
 	void mvcRequestMatcherProviderConditionalOnDispatcherServletClass() {
 		this.contextRunner.withClassLoader(new FilteredClassLoader("org.springframework.web.servlet.DispatcherServlet"))
-			.run((context) -> assertThat(context).doesNotHaveBean(AntPathRequestMatcherProvider.class));
+			.run((context) -> assertThat(context).doesNotHaveBean(PathPatternRequestMatcherProvider.class));
 	}
 
 	@Test
 	void mvcRequestMatcherProviderConditionalOnDispatcherServletPathBean() {
 		new WebApplicationContextRunner()
 			.withConfiguration(AutoConfigurations.of(SecurityRequestMatchersManagementContextConfiguration.class))
-			.run((context) -> assertThat(context).doesNotHaveBean(AntPathRequestMatcherProvider.class));
+			.run((context) -> assertThat(context).doesNotHaveBean(PathPatternRequestMatcherProvider.class));
 	}
 
 	@Test
 	void jerseyRequestMatcherProviderConditionalOnResourceConfigClass() {
 		this.contextRunner.withClassLoader(new FilteredClassLoader("org.glassfish.jersey.server.ResourceConfig"))
-			.run((context) -> assertThat(context).doesNotHaveBean(AntPathRequestMatcherProvider.class));
+			.run((context) -> assertThat(context).doesNotHaveBean(PathPatternRequestMatcherProvider.class));
 	}
 
 	@Test
 	void jerseyRequestMatcherProviderConditionalOnJerseyApplicationPathBean() {
 		new WebApplicationContextRunner()
 			.withConfiguration(AutoConfigurations.of(SecurityRequestMatchersManagementContextConfiguration.class))
 			.withClassLoader(new FilteredClassLoader("org.springframework.web.servlet.DispatcherServlet"))
-			.run((context) -> assertThat(context).doesNotHaveBean(AntPathRequestMatcherProvider.class));
+			.run((context) -> assertThat(context).doesNotHaveBean(PathPatternRequestMatcherProvider.class));
 	}
 
 	@Configuration(proxyBeanMethods = false)

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/PathRequest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
 import org.springframework.boot.autoconfigure.security.StaticResourceLocation;
 import org.springframework.boot.security.servlet.ApplicationContextRequestMatcher;
 import org.springframework.boot.web.context.WebServerApplicationContext;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.context.WebApplicationContext;
 
@@ -76,10 +77,9 @@ protected boolean ignoreApplicationContext(WebApplicationContext applicationCont
 		}
 
 		@Override
-		@SuppressWarnings("removal")
 		protected void initialized(Supplier<H2ConsoleProperties> h2ConsoleProperties) {
-			this.delegate = new org.springframework.security.web.util.matcher.AntPathRequestMatcher(
-					h2ConsoleProperties.get().getPath() + "/**");
+			this.delegate = PathPatternRequestMatcher.withDefaults()
+				.matcher(h2ConsoleProperties.get().getPath() + "/**");
 		}
 
 		@Override

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/StaticResourceRequest.java

@@ -28,6 +28,7 @@
 import org.springframework.boot.autoconfigure.web.servlet.DispatcherServletPath;
 import org.springframework.boot.security.servlet.ApplicationContextRequestMatcher;
 import org.springframework.boot.web.context.WebServerApplicationContext;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
@@ -134,10 +135,8 @@ protected void initialized(Supplier<DispatcherServletPath> dispatcherServletPath
 			this.delegate = new OrRequestMatcher(getDelegateMatchers(dispatcherServletPath.get()).toList());
 		}
 
-		@SuppressWarnings("removal")
 		private Stream<RequestMatcher> getDelegateMatchers(DispatcherServletPath dispatcherServletPath) {
-			return getPatterns(dispatcherServletPath)
-				.map(org.springframework.security.web.util.matcher.AntPathRequestMatcher::new);
+			return getPatterns(dispatcherServletPath).map(PathPatternRequestMatcher.withDefaults()::matcher);
 		}
 
 		private Stream<String> getPatterns(DispatcherServletPath dispatcherServletPath) {

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/PathRequestTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,6 +25,7 @@
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockServletContext;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.StringUtils;
 import org.springframework.web.context.WebApplicationContext;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -99,14 +100,14 @@ private MockHttpServletRequest mockRequest(String path) {
 			MockServletContext servletContext = new MockServletContext();
 			servletContext.setAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, this.context);
 			MockHttpServletRequest request = new MockHttpServletRequest(servletContext);
-			request.setPathInfo(path);
+			request.setRequestURI(path);
 			return request;
 		}
 
 		private String getRequestPath(HttpServletRequest request) {
 			String url = request.getServletPath();
-			if (request.getPathInfo() != null) {
-				url += request.getPathInfo();
+			if (StringUtils.hasText(request.getRequestURI())) {
+				url += request.getRequestURI();
 			}
 			return url;
 		}

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/StaticResourceRequestTests.java

@@ -25,6 +25,7 @@
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockServletContext;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.StringUtils;
 import org.springframework.web.context.WebApplicationContext;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -156,15 +157,18 @@ private MockHttpServletRequest mockRequest(String servletPath, String path) {
 			MockHttpServletRequest request = new MockHttpServletRequest(servletContext);
 			if (servletPath != null) {
 				request.setServletPath(servletPath);
+				request.setRequestURI(servletPath + path);
+			}
+			else {
+				request.setRequestURI(path);
 			}
-			request.setPathInfo(path);
 			return request;
 		}
 
 		private String getRequestPath(HttpServletRequest request) {
 			String url = request.getServletPath();
-			if (request.getPathInfo() != null) {
-				url += request.getPathInfo();
+			if (StringUtils.hasText(request.getRequestURI())) {
+				url += request.getRequestURI();
 			}
 			return url;
 		}