When I try to run an application it fails to start and throws this exception.
This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).
I am new to Spring Security. Please help me solve this error.
This is my spring security configuration class

package com.ronit.SpringSecurityTutorial.configuration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    AuthenticationManager authManager(UserDetailsService detailsService) {
        DaoAuthenticationProvider daoProvider = new DaoAuthenticationProvider();
        daoProvider.setUserDetailsService(detailsService);
        return new ProviderManager(daoProvider);
    }

    @SuppressWarnings("removal")
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http.csrf(csrf -> csrf.disable()).authorizeHttpRequests(auth -> {
            auth.anyRequest().authenticated();
            auth.requestMatchers("/auth/**").permitAll();
            auth.anyRequest().authenticated();
        }).httpBasic().and().build();
    }
}

This is the spring boot application

package com.ronit.SpringSecurityTutorial;

import java.util.HashSet;
import java.util.Set;

import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.password.PasswordEncoder;

import com.ronit.SpringSecurityTutorial.models.ApplicationUser;
import com.ronit.SpringSecurityTutorial.models.Role;
import com.ronit.SpringSecurityTutorial.repository.RoleRepository;
import com.ronit.SpringSecurityTutorial.repository.UserRepository;

@SpringBootApplication
public class SpringSecurityTutorialApplication {

    public static void main(String[] args) {
        SpringApplication.run(SpringSecurityTutorialApplication.class, args);
    }

    @Bean
    CommandLineRunner run(RoleRepository roleRepository, UserRepository userRepository,
            PasswordEncoder passwordEncoder) {
        return args -> {
            if (roleRepository.findByAuthority("ADMIN").isPresent())
                return;
            Role adminRole = roleRepository.save(new Role("ADMIN"));
            roleRepository.save(new Role("USER"));
            Set<Role> roles = new HashSet<>();
            roles.add(adminRole);
            ApplicationUser admin = new ApplicationUser(1, "Admin", passwordEncoder.encode("Password"), roles);
            userRepository.save(admin);
        };
    }
}

These are the dependencies in pom.xml

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-devtools</artifactId>
        <scope>runtime</scope>
        <optional>true</optional>
    </dependency>
    <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

There is no configuration related to security in application.properties file.
I searched this on Google and found some Stack Overflow pages, but none of them were using similar configuration to mine.
I have watched an online tutorial and made this. I followed each step correctly, but my configuration is not working.
The application is stopped and terminated straight away.
I am using Spring Boot 3 and Spring Security 6 in my application.
A migration occurred due to vulnerability CVE-2023-34035.
In the event that you get an error like the following:
This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).
You should use a complete RequestMatcher.
For example, if an application has a servlet deployed to /my-servlet/* and is authorizing that traffic like so:

@Bean
SecurityFilterChain appSecurity(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests((authorize) -> authorize
            .requestMatchers("/my-servlet/**").hasRole("USER")
            .requestMatchers("/spring-mvc-controller/**").hasRole("USER")
            .anyRequest().authenticated()
        );
    // ...
    return http.build();
}

then, the application should instead do the following:
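
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

// Builder for matchers that resolve patterns the way Spring MVC does.
@Bean
MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
    return new MvcRequestMatcher.Builder(introspector);
}

@Bean
SecurityFilterChain appSecurity(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
    http
        .authorizeHttpRequests((authorize) -> authorize
            // Plain servlet: match with an Ant-style path matcher.
            .requestMatchers(antMatcher("/my-servlet/*")).hasRole("USER")
            // Spring MVC endpoint: match with the MVC-aware matcher.
            .requestMatchers(mvc.pattern("/spring-mvc-controller/**")).hasRole("USER")
            .anyRequest().authenticated()
        );
    // ...
    return http.build();
}
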
For more details read this repository offered by Spring: cve-2023-34035-mitigations