SEC-1634: Syntax and semantics of AntPathRequestMatcher undocumented #1874

Closed
spring-issuemaster opened this Issue Dec 5, 2010 · 1 comment


@spring-issuemaster

Hakan Soderstrom (Migrated from SEC-1634) said:

The syntax and semantics of org.springframework.security.web.util.AntPathRequestMatcher (AntUrlPathMatcher in 3.0) are undocumented. The reference manual loosely refers to "Ant style" and states about the request-matcher attribute in the section:
"See the Javadoc for these classes for more details on exactly how the matching is preformed." (quote includes typo) However, the Javadoc says nothing about it.

The RequestMatcher syntax and semantics are an important contract between a user and Spring Security. Any misunderstanding from the user's side likely results in vulnerabilities.

@spring-issuemaster

Luke Taylor said:

I've updated the Javadoc as part of SEC-1636 to indicate that Spring's AntPathMatcher is used except in the case of simple wildcard patterns.
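The following is an added example, not code from this issue or from Spring Security, showing the Ant-style semantics the report asks to have documented: it exercises `org.springframework.util.AntPathMatcher` (the class Luke Taylor's comment names, assumed available from spring-core on the classpath) against a few constructed paths, and adds a small first-match lookup over an ordered rule table to illustrate why rule order matters. The `requiredRole` lookup is an illustrative model of declaration-order, first-match-wins evaluation, not Spring Security's own implementation.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

public class AntPatternSemanticsDemo {

    // Spring's matcher: '?' matches exactly one character, '*' matches zero or
    // more characters within a single path segment (it never crosses a '/'),
    // and '**' matches zero or more whole path segments.
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** True if {@code path} is matched by the Ant-style {@code pattern}. */
    public static boolean matches(String pattern, String path) {
        return MATCHER.match(pattern, path);
    }

    /**
     * Illustrative first-match lookup over an ordered rule table
     * (pattern -> required role). Assumption: this models the
     * declaration-order, first-match-wins evaluation of access rules;
     * it is not Spring Security's own code.
     */
    public static String requiredRole(Map<String, String> orderedRules, String path) {
        for (Map.Entry<String, String> rule : orderedRules.entrySet()) {
            if (matches(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return "NO_RULE"; // nothing matched: the request falls through to the default
    }

    public static void main(String[] args) {
        // Constructed sample pattern/path pairs probing the edge cases that
        // most often surprise rule authors.
        String[][] cases = {
            {"/admin/*",     "/admin/users"},
            {"/admin/*",     "/admin/users/list"},  // single '*' does not cross a segment boundary
            {"/admin/**",    "/admin/users/list"},
            {"/admin/**",    "/admin"},             // '**' may match zero segments
            {"/admin",       "/admin/"},            // a trailing slash is significant
            {"/admin/**",    "/Admin/users"},       // AntPathMatcher compares case-sensitively
            {"/user/?/edit", "/user/7/edit"},
            {"/user/?/edit", "/user/42/edit"},      // '?' is exactly one character
        };
        for (String[] c : cases) {
            System.out.printf("%-14s %-20s -> %s%n", c[0], c[1], matches(c[0], c[1]));
        }

        // Ordering pitfall: a broad rule listed first shadows the narrower rule after it,
        // so the admin path is resolved with the weaker role.
        Map<String, String> broadFirst = new LinkedHashMap<>();
        broadFirst.put("/**", "ROLE_USER");
        broadFirst.put("/admin/**", "ROLE_ADMIN");

        Map<String, String> narrowFirst = new LinkedHashMap<>();
        narrowFirst.put("/admin/**", "ROLE_ADMIN");
        narrowFirst.put("/**", "ROLE_USER");

        System.out.println("broad rule first:  " + requiredRole(broadFirst, "/admin/users"));
        System.out.println("narrow rule first: " + requiredRole(narrowFirst, "/admin/users"));
    }
}
```

Run the class with spring-core on the classpath. The points worth checking against your own rules: a single `*` never crosses a `/`, so `/admin/*` leaves `/admin/users/list` uncovered; `**` may match zero segments, so `/admin/**` also covers `/admin`; `/admin` and `/admin/` are different paths; and matching is case-sensitive, so a pattern written in lowercase does not cover a mixed-case request unless the matcher in use normalises case. Listing `/**` before a narrower pattern makes the narrower one unreachable.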

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016