Hakan Soderstrom (Migrated from SEC-1634) said:
The syntax and semantics of org.springframework.security.web.util.AntPathRequestMatcher (AntUrlPathMatcher in 3.0) are undocumented. The reference manual loosely refers to "Ant style" and states about the request-matcher attribute in the section:
"See the Javadoc for these classes for more details on exactly how the matching is preformed." (quote includes typo) However, the Javadoc says nothing about it.
The RequestMatcher syntax and semantics are an important contract between a user and Spring Security. Any misunderstanding from the user's side likely results in vulnerabilities.
Luke Taylor said:
I've updated the Javadoc as part of SEC-1636 to indicate that Spring's AntPathMatcher is used except in the case of simple wildcard patterns.
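The following is an added example, not code from the issue or from Spring Security itself: it exercises Spring's own org.springframework.util.AntPathMatcher (the matcher Luke says the request matcher delegates to) on a few pattern/path pairs where a misreading of the Ant-style rules is most likely to leave a URL unprotected. It assumes spring-core on the classpath; AntPathRequestMatcher's own preprocessing of the request URL (which part of the URL it compares, and case handling) is not reproduced here.

```java
import org.springframework.util.AntPathMatcher;

// Added example: shows the Ant-style semantics that AntPathRequestMatcher
// relies on, so a configuration can be checked against the actual contract.
public class AntPatternCheck {
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // True only when the pattern matches the entire path.
    static boolean matches(String pattern, String path) {
        return MATCHER.match(pattern, path);
    }

    public static void main(String[] args) {
        // Constructed cases: pattern, path, expected result, why it matters.
        String[][] cases = {
            {"/admin/*",     "/admin/users",   "true",  "* spans exactly one path segment"},
            {"/admin/*",     "/admin/users/1", "false", "* does NOT cover nested paths"},
            {"/admin/**",    "/admin/users/1", "true",  "** covers any depth"},
            {"/admin/**",    "/admin",         "true",  "** also matches zero segments"},
            {"/admin",       "/admin/",        "false", "exact pattern rejects a trailing slash"},
            {"/report?.pdf", "/reportA.pdf",   "true",  "? matches exactly one character"},
        };
        for (String[] c : cases) {
            boolean actual = matches(c[0], c[1]);
            boolean expected = Boolean.parseBoolean(c[2]);
            System.out.printf("%-13s %-16s -> %-5s %s (%s)%n",
                    c[0], c[1], actual, actual == expected ? "ok" : "MISMATCH", c[3]);
        }
    }
}
```

Run it against the patterns in your own intercept-url configuration to see which request paths each rule really covers before relying on it.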