Stephen Crawley (Migrated from SEC-1427) said:
I came across this code in HttpConfigurationBuilder:
BeanDefinitionBuilder metadataSourceBldr = BeanDefinitionBuilder.rootBeanDefinition(DefaultFilterInvocationSecurityMetadataSource.class);
metadataSourceBldr.addPropertyValue("stripQueryStringFromUrls", matcher instanceof AntUrlPathMatcher);
Similar code appears in FilterInvocationSecurityMetadataSourceParser.
As far as I can make out, this means that if you use "path-type=ant" in your element, then query parts will be stripped from URLs before matching them in the interceptor filter, but with "path-type=regex" the matching is done with URL query parts intact.
I don't see the rationale for this behaviour. I don't know if it is a bug, or if it is an unexpected feature that should be properly documented.
(And as an aside, I would note that Appendix B 1.1 does not give the allowed values for path-type. You have to search the manual for the related examples to find what they are.)
Luke Taylor said:
It was a deliberate decision (you can search the Jira history and the forum for more information, e.g. SEC-161).
The recent changes for SEC-1407 make the behaviour more clearly defined (as it is encapsulated in the specific matcher classes and described in their Javadoc).
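
As an added example (not part of the original thread, and not Spring Security's own code), this simplified model shows why the difference discussed above matters when writing rules: with the query part left intact, a regex written only for the path stops matching and the request is evaluated against the catch-all rule instead. The class, helper names, roles and URLs are constructed for illustration, and whole-string matching with first-match-wins ordering is an assumption of the model.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration: a simplified model of ordered URL rules,
// not Spring Security's matcher classes. All names and URLs are constructed.
public class QueryStringMatchingDemo {

    // Hypothetical helper: drop everything from the first '?' onward.
    static String stripQuery(String url) {
        int q = url.indexOf('?');
        return q < 0 ? url : url.substring(0, q);
    }

    // First matching rule wins; the whole candidate string must match.
    static String requiredRole(Map<Pattern, String> rules, String url, boolean strip) {
        String candidate = strip ? stripQuery(url) : url;
        for (Map.Entry<Pattern, String> rule : rules.entrySet()) {
            if (rule.getKey().matcher(candidate).matches()) {
                return rule.getValue();
            }
        }
        return "(no rule matched)";
    }

    // Build an ordered rule set: the specific admin rule, then a catch-all.
    static Map<Pattern, String> rules(String adminRegex) {
        Map<Pattern, String> r = new LinkedHashMap<>();
        r.put(Pattern.compile(adminRegex), "ROLE_ADMIN");
        r.put(Pattern.compile("/.*"), "ROLE_USER");
        return r;
    }

    public static void main(String[] args) {
        String plain = "/admin/report.html";
        String withQuery = "/admin/report.html?page=2";
        // Rule written with only the path in mind.
        Map<Pattern, String> pathOnly = rules("/admin/.*\\.html");
        // Same rule, written to tolerate an optional query part.
        Map<Pattern, String> queryAware = rules("/admin/[^?]*\\.html(\\?.*)?");

        // Baseline: no query part in the request.
        System.out.println(requiredRole(pathOnly, plain, false));
        // Query stripped before matching (the ant-style behaviour in the thread).
        System.out.println(requiredRole(pathOnly, withQuery, true));
        // Query left intact (the regex behaviour in the thread).
        System.out.println(requiredRole(pathOnly, withQuery, false));
        // Query left intact, but the pattern accounts for it.
        System.out.println(requiredRole(queryAware, withQuery, false));
    }
}
```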