Labels
bug: Something isn't working
Description
The following situation occurred:
- A Vaadin project that has a urlMapping active (e.g. `vaadin.urlMapping=/2025/*`)
- A static redirector is installed at the root that redirects to the corresponding Vaadin root (`/` -> `/2025`)
- The root endpoint is a public stateless resource (no session)
- The Vaadin app is secured with the new `VaadinSecurityConfigurer` (Vaadin 24.9+, see "VaadinWebSecurity deprecated" #196)
This results in an incorrect match of the public stateless resource chain designed for / on /2025:
```
2025-10-06T07:15:31.001Z TRACE 11032 --- [mcat-handler-57] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain defined as 'configureStaticResources' in [class path resource [software/xdev/sse/web/sidecar/public_stateless/PublicStatelessWebSecurity.class]] matching [Or [... Mvc [pattern='/'], ..., Mvc [pattern='/robots.txt'], Mvc [pattern='/favicon.ico']]] and having filters [DisableEncodeUrl, WebAsyncManagerIntegration, SecurityContextHolder, HeaderWriter, Logout, RequestCacheAware, SecurityContextHolderAwareRequest, AnonymousAuthentication, SessionManagement, ExceptionTranslation, Authorization] (2/3)
2025-10-06T07:15:31.001Z DEBUG 11032 --- [mcat-handler-57] o.s.security.web.FilterChainProxy : Securing GET /2025/
```
which in turn causes an authentication failure because no session is available, which causes the system to fall back to anonymous auth.
This seems to be caused by `PathPatternMatchableHandlerMapping#match`, where `ServletRequestPathUtils.getParsedRequestPath(request).pathWithinApplication()` reports `/2025` as `/`.
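The path computation named above can be checked in isolation with spring-web and spring-test (Spring 6, jakarta namespace) on the classpath. This is an added example, not code from the issue or the project; the servlet names and the mock mapping values are constructed to mirror `vaadin.urlMapping=/2025/*`.

```java
import jakarta.servlet.http.MappingMatch;
import org.springframework.mock.web.MockHttpServletMapping;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.web.util.ServletRequestPathUtils;

public class UrlMappingPathCheck {

    // Builds a GET request the way the container would present it for a given servlet mapping.
    // All values passed in below are constructed sample data.
    static MockHttpServletRequest request(String uri, String servletPath, String pathInfo,
                                          String pattern, String servletName, MappingMatch match) {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", uri);
        req.setServletPath(servletPath);
        req.setPathInfo(pathInfo);
        // For a prefix mapping the match value is the part covered by the wildcard (empty here).
        req.setHttpServletMapping(new MockHttpServletMapping("", pattern, servletName, match));
        return req;
    }

    // The same call chain the issue points at: parse the request path, then ask for the
    // path within the application. For a PATH (prefix) servlet mapping, Spring treats the
    // servlet prefix like part of the context path and strips it.
    static String pathWithinApplication(MockHttpServletRequest req) {
        ServletRequestPathUtils.parseAndCache(req);
        return ServletRequestPathUtils.getParsedRequestPath(req).pathWithinApplication().value();
    }

    public static void main(String[] args) {
        // Request to the real root, served by the default servlet.
        MockHttpServletRequest root =
                request("/", "/", null, "/", "default", MappingMatch.DEFAULT);
        // Request to the Vaadin root, served by a servlet mapped to /2025/*.
        MockHttpServletRequest vaadinRoot =
                request("/2025/", "/2025", "/", "/2025/*", "vaadin", MappingMatch.PATH);

        String rootPath = pathWithinApplication(root);
        String vaadinPath = pathWithinApplication(vaadinRoot);

        System.out.println("GET /      -> pathWithinApplication = " + rootPath);
        System.out.println("GET /2025/ -> pathWithinApplication = " + vaadinPath);

        // A matcher that only sees pathWithinApplication cannot tell these two requests
        // apart, so a chain matching pattern '/' also claims the Vaadin root.
        if (rootPath.equals(vaadinPath)) {
            System.out.println("Both requests look identical to a pattern='/' matcher");
        }
    }
}
```

The same check works as a regression test for the filter chain ordering: a request for the mapped servlet's root should not be claimed by the session-less public chain.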