Initial commit 16186 security matchers

[GuusArts]

Closes spring-projectsgh-15982

Summary by Sourcery

Add validation for duplicate security matchers in Spring Security configuration

New Features:

• Implement validation to prevent multiple security filter chains with identical request matchers

Enhancements:

• Add equals and hashCode methods to OrRequestMatcher
• Improve filter chain validation to detect duplicate security matchers

Tests:

• Add test case to verify exception is thrown when duplicate security matchers are configured

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request adds support for checking same security matchers. It prevents the configuration of multiple security matchers with the same pattern, throwing an exception if duplicates are found. It also overrides the equals and hashCode methods in OrRequestMatcher to properly compare and hash OrRequestMatcher instances based on their constituent request matchers.

Updated class diagram for OrRequestMatcher

classDiagram
  class OrRequestMatcher {
    -List~RequestMatcher~ requestMatchers
    +OrRequestMatcher(requestMatchers: List~RequestMatcher~)
    +matches(request: HttpServletRequest): boolean
    +matcher(request: HttpServletRequest): MatchResult
    +equals(o: Object): boolean
    +hashCode(): int
    +toString(): String
  }

Loading

File-Level Changes

Change	Details	Files
Added a check to prevent the configuration of multiple security matchers with the same pattern, throwing a BeanCreationException if duplicates are found.	Added a test case configureWhenSameSecurityMatchersConfiguredThenThrowsBeanCreationException to verify the behavior of the application when multiple security matchers with the same pattern are configured. Created a configuration class MultipleSecurityMatchersConfig that defines two SecurityFilterChain beans with the same security matcher (/app/**).	config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java
Modified DefaultFilterChainValidator to check for duplicate request matchers across different filter chains, throwing an IllegalArgumentException if duplicates are found.	Added a check within the checkForDuplicateMatchers method to compare request matchers of different filter chains. If duplicate matchers are found, an IllegalArgumentException is thrown with a message indicating the issue and suggesting a solution.	config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
Overrode the equals and hashCode methods in OrRequestMatcher to properly compare and hash OrRequestMatcher instances based on their constituent request matchers.	Implemented the equals method to check for equality based on the requestMatchers field. Implemented the hashCode method to generate a hash code based on the requestMatchers field.	web/src/main/java/org/springframework/security/web/util/matcher/OrRequestMatcher.java
Set the FilterChainValidator to DefaultFilterChainValidator in WebSecurity.	Added filterChainProxy.setFilterChainValidator(new DefaultFilterChainValidator()); to set the FilterChainValidator.	config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!
• Generate a plan of action for an issue: Comment @sourcery-ai plan on
  an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[qodo-merge-pro]

Qodo Merge was enabled for this repository. To continue using it, please link your Git account with your Qodo account here.

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 PR contains tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Type Safety The validation in checkPathOrder() only checks chains that are DefaultSecurityFilterChain instances. If a custom SecurityFilterChain implementation is used, it would be skipped by the validation. if (chains.next() instanceof DefaultSecurityFilterChain securityFilterChain) { if (AnyRequestMatcher.INSTANCE.equals(securityFilterChain.getRequestMatcher()) && chains.hasNext()) { throw new IllegalArgumentException("A universal match pattern ('/**') is defined " + " before other patterns in the filter chain, causing them to be ignored. Please check the " + "ordering in your <security:http> namespace or FilterChainProxy bean configuration"); } }

[qodo-merge-pro]

Qodo Merge was enabled for this repository. To continue using it, please link your Git account with your Qodo account here.

PR Code Suggestions ✨

No code suggestions found for the PR.

[sourcery-ai]

Hey @GuusArts - I've reviewed your changes - here's some feedback:

Overall Comments:

• The exception message in DefaultFilterChainValidator could be improved to suggest using requestMatchers instead of securityMatcher when defining multiple SecurityFilterChain beans.
• Consider adding an equals and hashCode implementation to AnyRequestMatcher.

Here's what I looked at during the review

• 🟢 General issues: all looks good
• 🟢 Security: all looks good
• 🟢 Testing: all looks good
• 🟢 Complexity: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sonarqubecloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[amazon-q-developer]

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

[snyk-io]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

✅ code/snyk check is complete. No issues have been found. (View Details)

[amazon-q-developer]

✅ I finished the code review, and didn't find any security or code quality issues.

[Copilot]

Pull Request Overview

Enhances Spring Security to prevent duplicate HTTP security matchers by introducing a validator and proper equals/hashCode on composite matchers.

• Added equals and hashCode implementations to OrRequestMatcher for correct matcher comparison.
• Introduced DefaultFilterChainValidator and wired it into WebSecurity to detect duplicate filter chains.
• Added a test case in WebSecurityTests to verify that configuring two chains with the same matcher throws an exception.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
web/.../matcher/OrRequestMatcher.java	Bumped copyright year; added equals/hashCode for correct matcher deduplication.
config/.../WebSecurityTests.java	Bumped copyright year; imported BeanCreationException; added test for duplicate matcher failure.
config/.../DefaultFilterChainValidator.java	Refactored path-order check; implemented checkForDuplicateMatchers to throw on identical matchers.
config/.../WebSecurity.java	Wired in the new DefaultFilterChainValidator on the FilterChainProxy.

Comments suppressed due to low confidence (3)

web/src/main/java/org/springframework/security/web/util/matcher/OrRequestMatcher.java:85

• There are no direct unit tests for the new equals and hashCode methods. Consider adding tests to verify equality and hash code consistency for various matcher combinations.

@Override public boolean equals(Object o) {

config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java:184

• [nitpick] The inner config class name MultipleSecurityMatchersConfig is generic; renaming to DuplicateSecurityMatchersConfig would more clearly reflect its purpose in the test.

static class MultipleSecurityMatchersConfig {

config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java:87

• This method mutates the passed-in chains list via remove(0). It may be clearer and safer to iterate by index or operate on a copy to avoid side-effects on the original collection.

private void checkForDuplicateMatchers(List<SecurityFilterChain> chains) {

[Copilot]

The current equals compares the List<RequestMatcher> in order, but OR semantics are commutative. Consider normalizing or using a set so [A, B] and [B, A] are treated as equal.

[sonarqubecloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud