SEC-1634: Syntax and semantics of AntPathRequestMatcher undocumented #1874

spring-issuemaster opened this Issue Dec 5, 2010 · 1 comment

Hakan Soderstrom (Migrated from SEC-1634) said:

The syntax and semantics of org.springframework.security.web.util.AntPathRequestMatcher (AntUrlPathMatcher in 3.0) are undocumented. The reference manual loosely refers to "Ant style" and states about the request-matcher attribute in the section:
"See the Javadoc for these classes for more details on exactly how the matching is preformed." (quote includes typo) However, the Javadoc says nothing about it.

The RequestMatcher syntax and semantics are an important contract between a user and Spring Security. Any misunderstanding from the user's side likely results in vulnerabilities.

Luke Taylor said:

I've updated the Javadoc as part of SEC-1636 to indicate that Spring's AntPathMatcher is used except in the case of simple wildcard patterns.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016
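
An added example, not part of the original issue or of Spring Security's own code: a small probe that calls Spring's `org.springframework.util.AntPathMatcher` (where `?` matches one character, `*` matches within a single path segment, and `**` spans zero or more segments) and lists which paths each candidate pattern leaves unmatched. The paths, patterns and the class name `AntPatternCoverage` are constructed for illustration; it exercises `AntPathMatcher` directly, not the simple-wildcard shortcut in `AntPathRequestMatcher` that the comment above mentions.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.util.AntPathMatcher; // spring-core must be on the classpath

public class AntPatternCoverage {

    // Constructed request paths that an "admin area" rule is presumably meant to cover.
    static final List<String> ADMIN_PATHS = List.of(
            "/admin",
            "/admin/",
            "/admin/users",
            "/admin/users/42",
            "/admin/users/42/edit");

    // Constructed candidate patterns a configuration author might pick for that area.
    static final List<String> CANDIDATES = List.of(
            "/admin/?",
            "/admin/*",
            "/admin/*/*",
            "/admin/**");

    // Returns the paths the pattern does NOT match, i.e. the requests this
    // pattern alone would leave without the intended access rule.
    static List<String> uncovered(AntPathMatcher matcher, String pattern, List<String> paths) {
        List<String> gaps = new ArrayList<>();
        for (String path : paths) {
            if (!matcher.match(pattern, path)) {
                gaps.add(path);
            }
        }
        return gaps;
    }

    public static void main(String[] args) {
        AntPathMatcher matcher = new AntPathMatcher();
        // One line per candidate pattern, so coverage gaps are visible side by side.
        for (String pattern : CANDIDATES) {
            List<String> gaps = uncovered(matcher, pattern, ADMIN_PATHS);
            System.out.printf("%-12s uncovered: %s%n", pattern, gaps.isEmpty() ? "(none)" : gaps);
        }
    }
}
```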
