
SEC-2731: Improve migration from deprecated filterProcessesUrl properties #2956

@spring-projects-issues

Ian Brandt (Migrated from SEC-2731) said:

With the introduction of the RequestMatcher API, LogoutFilter.setFilterProcessesUrl(java.lang.String), for example, and its respective getter have been deprecated, but there is no JavaDoc explaining what to use instead.

Viewing the source reveals that LogoutFilter.FilterProcessUrlRequestMatcher is being used instead, but it's a private inner class, and hence can't be used by clients.

[AbstractAuthenticationProcessingFilter](http://docs.spring.io/autorepo/docs/spring-security/3.2.5.RELEASE/apidocs/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html) has the same issue, and notably duplicates the [FilterProcessUrlRequestMatcher](https://github.com/spring-projects/spring-security/blob/3.2.5.RELEASE/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java#L463) private inner class.

Searching the [matchers](http://docs.spring.io/autorepo/docs/spring-security/3.2.5.RELEASE/apidocs/org/springframework/security/web/util/matcher/package-summary.html) package reveals the [RequestMatcherEditor](http://docs.spring.io/autorepo/docs/spring-security/3.2.5.RELEASE/apidocs/org/springframework/security/web/util/matcher/RequestMatcherEditor.html) PropertyEditor, but that's not a drop-in replacement because it uses the [ELRequestMatcher](http://docs.spring.io/autorepo/docs/spring-security/3.2.5.RELEASE/apidocs/org/springframework/security/web/util/matcher/ELRequestMatcher.html):

```xml
<property name="logoutRequestMatcher" value="/logout.do" />
```

```
Caused by: org.springframework.beans.factory.BeanCreationException: 
Error creating bean with name 'logoutFilter' defined in class path resource [spring-security.xml]: 
Initialization of bean failed; nested exception is org.springframework.expression.spel.SpelParseException: 
EL1070E:(pos 0): Problem parsing left operand
```

I got it to work with:

```xml
<property name="logoutRequestMatcher">
    <bean class="org.springframework.security.web.util.matcher.RegexRequestMatcher">
        <constructor-arg name="pattern" value="/logout\.do.*" />
        <constructor-arg name="httpMethod">
            <null />
        </constructor-arg>
    </bean>
</property>
```

That's a bit verbose to say the least. It also lacks consistency compared to other URLs specified for other Spring Security APIs:

```xml
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <constructor-arg name="loginFormUrl" value="/login.do" />
    <property name="useForward" value="true" />
</bean>
```

It would be nice if there was a better migration path for this API, and either way it would help if it was documented.
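
An added example, not part of the original issue or Spring Security's own code: a small Java harness that runs the `RegexRequestMatcher` from the workaround above and an `AntPathRequestMatcher` for the literal path against the same requests, so the difference in which logout URLs each one accepts can be checked before migrating. It assumes Spring Security 3.2.x and spring-test (for `MockHttpServletRequest`) on the classpath; the class name `LogoutMatcherComparison` and the sample requests are constructed for illustration.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical harness class; not part of Spring Security.
public class LogoutMatcherComparison {

    // Builds a constructed sample request. Only the fields the two
    // matchers read (method, servlet path, query string) are populated.
    static MockHttpServletRequest request(String method, String servletPath, String query) {
        MockHttpServletRequest r = new MockHttpServletRequest(method, servletPath);
        r.setServletPath(servletPath);
        r.setQueryString(query);
        return r;
    }

    public static void main(String[] args) {
        // Matcher from the issue's workaround: the regex is applied to
        // servlet path + path info + "?" + query string; a null
        // httpMethod means any HTTP method is accepted.
        RequestMatcher regex = new RegexRequestMatcher("/logout\\.do.*", null);

        // Ant-style matcher for the literal path; it looks at
        // servlet path + path info only, not the query string.
        RequestMatcher ant = new AntPathRequestMatcher("/logout.do");

        // Constructed sample requests covering the exact URL, a query
        // string, and a longer path that merely starts with /logout.do.
        MockHttpServletRequest[] samples = {
            request("POST", "/logout.do", null),
            request("GET", "/logout.do", null),
            request("POST", "/logout.do", "next=/home"),
            request("POST", "/logout.done", null),
        };

        for (MockHttpServletRequest r : samples) {
            System.out.printf("%-4s %-13s query=%-11s regex=%-5b ant=%b%n",
                    r.getMethod(), r.getServletPath(), r.getQueryString(),
                    regex.matches(r), ant.matches(r));
        }
    }
}
```

Both classes live in the `org.springframework.security.web.util.matcher` package referenced in the issue, so either can be wired into `logoutRequestMatcher` as a nested bean.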


Labels: in: core (an issue in spring-security-core); type: enhancement (a general enhancement); type: jira (an issue that was migrated from JIRA)
