Skip to content

Commit fb95a46

Browse files
committed
Do not validate ignoredRequests from WebSecurity.ignoring()
Closes gh-17155 Signed-off-by: DingHao <[email protected]>
1 parent 4bf03bd commit fb95a46

File tree

2 files changed

+38
-2
lines changed

2 files changed

+38
-2
lines changed

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
/*
2-
* Copyright 2002-2024 the original author or authors.
2+
* Copyright 2002-2025 the original author or authors.
33
*
44
* Licensed under the Apache License, Version 2.0 (the "License");
55
* you may not use this file except in compliance with the License.
@@ -52,6 +52,9 @@ public void validate(FilterChainProxy filterChainProxy) {
5252
private void checkForAnyRequestRequestMatcher(List<SecurityFilterChain> chains) {
5353
DefaultSecurityFilterChain anyRequestFilterChain = null;
5454
for (SecurityFilterChain chain : chains) {
55+
if (isWebIgnoredRequests(chain)) {
56+
continue;
57+
}
5558
if (anyRequestFilterChain != null) {
5659
String message = "A filter chain that matches any request [" + anyRequestFilterChain
5760
+ "] has already been configured, which means that this filter chain [" + chain
@@ -69,6 +72,9 @@ private void checkForAnyRequestRequestMatcher(List<SecurityFilterChain> chains)
6972
private void checkForDuplicateMatchers(List<SecurityFilterChain> chains) {
7073
DefaultSecurityFilterChain filterChain = null;
7174
for (SecurityFilterChain chain : chains) {
75+
if (isWebIgnoredRequests(chain)) {
76+
continue;
77+
}
7278
if (filterChain != null) {
7379
if (chain instanceof DefaultSecurityFilterChain defaultChain) {
7480
if (defaultChain.getRequestMatcher().equals(filterChain.getRequestMatcher())) {
@@ -110,4 +116,8 @@ private void checkAuthorizationFilters(List<SecurityFilterChain> chains) {
110116
}
111117
}
112118

119+
private boolean isWebIgnoredRequests(SecurityFilterChain chain) {
120+
return chain.getFilters().isEmpty();
121+
}
122+
113123
}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java

Lines changed: 27 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
/*
2-
* Copyright 2002-2022 the original author or authors.
2+
* Copyright 2002-2025 the original author or authors.
33
*
44
* Licensed under the Apache License, Version 2.0 (the "License");
55
* you may not use this file except in compliance with the License.
@@ -142,6 +142,32 @@ public void defaultFiltersPermitAll() throws IOException, ServletException {
142142
assertThat(response.getRedirectedUrl()).isEqualTo("/login?logout");
143143
}
144144

145+
@Test
146+
public void validateWhenUseIgnoredRequests() {
147+
this.spring.register(FilterChainProxyWithWebSecurityCustomizer.class);
148+
List<SecurityFilterChain> filterChains = this.spring.getContext()
149+
.getBean(FilterChainProxy.class)
150+
.getFilterChains();
151+
assertThat(filterChains.size()).isEqualTo(2);
152+
}
153+
154+
@Configuration
155+
@EnableWebSecurity
156+
@EnableWebMvc
157+
static class FilterChainProxyWithWebSecurityCustomizer {
158+
159+
@Bean
160+
WebSecurityCustomizer webSecurityCustomizer() {
161+
return (web) -> web.ignoring().anyRequest();
162+
}
163+
164+
@Bean
165+
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
166+
return http.authorizeHttpRequests((a) -> a.anyRequest().authenticated()).build();
167+
}
168+
169+
}
170+
145171
@Configuration
146172
@EnableWebSecurity
147173
static class FilterChainProxyBuilderMissingConfig {

0 commit comments

Comments
 (0)