Add PathPattern opt-in

Signed-off-by: Pat McCusker <[email protected]>

Author: pat-mccusker

config/src/main/java/org/springframework/security/config/annotation/web/socket/MessageMatcherAuthorizationManagerConfiguration.java

@@ -21,6 +21,7 @@
 import org.springframework.context.annotation.Scope;
 import org.springframework.messaging.simp.annotation.support.SimpAnnotationMethodMessageHandler;
 import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;
+import org.springframework.security.messaging.util.matcher.MessageMatcherFactory;
 import org.springframework.util.AntPathMatcher;
 
 final class MessageMatcherAuthorizationManagerConfiguration {
@@ -29,6 +30,7 @@ final class MessageMatcherAuthorizationManagerConfiguration {
 	@Scope("prototype")
 	MessageMatcherDelegatingAuthorizationManager.Builder messageAuthorizationManagerBuilder(
 			ApplicationContext context) {
+		MessageMatcherFactory.setApplicationContext(context);
 		return MessageMatcherDelegatingAuthorizationManager.builder()
 			.simpDestPathMatcher(
 					() -> (context.getBeanNamesForType(SimpAnnotationMethodMessageHandler.class).length > 0)

config/src/test/java/org/springframework/security/config/annotation/web/socket/WebSocketMessageBrokerSecurityConfigurationDocTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2025 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

messaging/src/main/java/org/springframework/security/messaging/access/intercept/MessageMatcherDelegatingAuthorizationManager.java

@@ -26,7 +26,6 @@
 import org.apache.commons.logging.LogFactory;
 
 import org.springframework.core.log.LogMessage;
-import org.springframework.http.server.PathContainer;
 import org.springframework.messaging.Message;
 import org.springframework.messaging.simp.SimpMessageType;
 import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
@@ -36,14 +35,15 @@
 import org.springframework.security.authorization.SingleResultAuthorizationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.messaging.util.matcher.MessageMatcher;
+import org.springframework.security.messaging.util.matcher.MessageMatcherFactory;
 import org.springframework.security.messaging.util.matcher.PathPatternMessageMatcher;
 import org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher;
 import org.springframework.security.messaging.util.matcher.SimpMessageTypeMatcher;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.PathMatcher;
 import org.springframework.util.function.SingletonSupplier;
-import org.springframework.web.util.pattern.PathPatternParser;
 
 public final class MessageMatcherDelegatingAuthorizationManager implements AuthorizationManager<Message<?>> {
 
@@ -89,13 +89,16 @@ public AuthorizationDecision check(Supplier<Authentication> authentication, Mess
 	}
 
 	private MessageAuthorizationContext<?> authorizationContext(MessageMatcher<?> matcher, Message<?> message) {
-		if (!matcher.matches((Message) message)) {
+		MessageMatcher.MatchResult matchResult = matcher.matcher((Message) message);
+		if (!matchResult.isMatch()) {
 			return null;
 		}
-		if (matcher instanceof Builder.LazySimpDestinationMessageMatcher pathMatcher) {
-			return new MessageAuthorizationContext<>(message, pathMatcher.extractPathVariables(message));
+
+		if (!CollectionUtils.isEmpty(matchResult.getVariables())) {
+			return new MessageAuthorizationContext<>(message, matchResult.getVariables());
 		}
-		if (matcher instanceof Builder.LazySimpDestinationPatternMessageMatcher pathMatcher) {
+
+		if (matcher instanceof Builder.LazySimpDestinationMessageMatcher pathMatcher) {
 			return new MessageAuthorizationContext<>(message, pathMatcher.extractPathVariables(message));
 		}
 		return new MessageAuthorizationContext<>(message);
@@ -119,8 +122,6 @@ public static final class Builder {
 		@Deprecated
 		private Supplier<PathMatcher> pathMatcher = AntPathMatcher::new;
 
-		private boolean useHttpPathSeparator = true;
-
 		public Builder() {
 		}
 
@@ -157,159 +158,70 @@ public Builder.Constraint simpTypeMatchers(SimpMessageType... typesToMatch) {
 		}
 
 		/**
-		 * Maps a {@link List} of {@link SimpDestinationMessageMatcher} instances without
-		 * regard to the {@link SimpMessageType}. If no destination is found on the
-		 * Message, then the Matcher returns false.
-		 * @param patterns the patterns to create
-		 * {@link org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher}
-		 * from.
-		 * @deprecated use {@link #destinationPathPatterns(String...)}
+		 * Maps a {@link List} of {@link SimpDestinationMessageMatcher} (or
+		 * {@link PathPatternMessageMatcher} if the application has configured a
+		 * {@link org.springframework.security.messaging.util.matcher.PathPatternMessageMatcherBuilderFactoryBean})
+		 * instances without regard to the {@link SimpMessageType}. If no destination is
+		 * found on the Message, then the Matcher returns false.
+		 * @param patterns the patterns to create {@code MessageMatcher}s from.
 		 */
-		@Deprecated
 		public Builder.Constraint simpDestMatchers(String... patterns) {
 			return simpDestMatchers(null, patterns);
 		}
 
 		/**
-		 * Allows the creation of a security {@link Constraint} applying to messages whose
-		 * destinations match the provided {@code patterns}.
-		 * <p>
-		 * The matching of each pattern is performed by a
-		 * {@link PathPatternMessageMatcher} instance that matches irrespectively of
-		 * {@link SimpMessageType}. If no destination is found on the {@code Message},
-		 * then each {@code Matcher} returns false.
-		 * </p>
-		 * @param patterns the destination path patterns to which the security
-		 * {@code Constraint} will be applicable
-		 * @since 6.5
+		 * Maps a {@link List} of {@link SimpDestinationMessageMatcher} (or
+		 * {@link PathPatternMessageMatcher} if the application has configured a
+		 * {@link org.springframework.security.messaging.util.matcher.PathPatternMessageMatcherBuilderFactoryBean})
+		 * instances that match on {@code SimpMessageType.MESSAGE}. If no destination is
+		 * found on the Message, then the Matcher returns false.
+		 * @param patterns the patterns to create {@code MessageMatcher}s from.
 		 */
-		public Builder.Constraint destinationPathPatterns(String... patterns) {
-			return destinationPathPatterns(null, patterns);
-		}
-
-		/**
-		 * Maps a {@link List} of {@link SimpDestinationMessageMatcher} instances that
-		 * match on {@code SimpMessageType.MESSAGE}. If no destination is found on the
-		 * Message, then the Matcher returns false.
-		 * @param patterns the patterns to create
-		 * {@link org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher}
-		 * from.
-		 * @deprecated use {@link #destinationPathPatterns(String...)}
-		 */
-		@Deprecated
 		public Builder.Constraint simpMessageDestMatchers(String... patterns) {
 			return simpDestMatchers(SimpMessageType.MESSAGE, patterns);
 		}
 
 		/**
-		 * Allows the creation of a security {@link Constraint} applying to messages of
-		 * the type {@code SimpMessageType.MESSAGE} whose destinations match the provided
-		 * {@code patterns}.
-		 * <p>
-		 * The matching of each pattern is performed by a
-		 * {@link PathPatternMessageMatcher}. If no destination is found on the
-		 * {@code Message}, then each {@code Matcher} returns false.
-		 * @param patterns the patterns to create {@link PathPatternMessageMatcher} from.
-		 * @since 6.5
-		 */
-		public Builder.Constraint simpTypeMessageDestinationPatterns(String... patterns) {
-			return destinationPathPatterns(SimpMessageType.MESSAGE, patterns);
-		}
-
-		/**
-		 * Maps a {@link List} of {@link SimpDestinationMessageMatcher} instances that
-		 * match on {@code SimpMessageType.SUBSCRIBE}. If no destination is found on the
-		 * Message, then the Matcher returns false.
-		 * @param patterns the patterns to create
-		 * {@link org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher}
-		 * from.
-		 * @deprecated use {@link #simpTypeSubscribeDestinationPatterns(String...)}
+		 * Maps a {@link List} of {@link SimpDestinationMessageMatcher} (or
+		 * {@link PathPatternMessageMatcher} if the application has configured a
+		 * {@link org.springframework.security.messaging.util.matcher.PathPatternMessageMatcherBuilderFactoryBean})
+		 * instances that match on {@code SimpMessageType.SUBSCRIBE}. If no destination is
+		 * found on the Message, then the Matcher returns false.
+		 * @param patterns the patterns to create {@code MessageMatcher}s from.
 		 */
-		@Deprecated
 		public Builder.Constraint simpSubscribeDestMatchers(String... patterns) {
 			return simpDestMatchers(SimpMessageType.SUBSCRIBE, patterns);
 		}
 
 		/**
-		 * Allows the creation of a security {@link Constraint} applying to messages of
-		 * the type {@code SimpMessageType.SUBSCRIBE} whose destinations match the
-		 * provided {@code patterns}.
-		 * <p>
-		 * The matching of each pattern is performed by a
-		 * {@link PathPatternMessageMatcher}. If no destination is found on the
-		 * {@code Message}, then each {@code Matcher} returns false.
-		 * @param patterns the patterns to create {@link PathPatternMessageMatcher} from.
-		 * @since 6.5
-		 */
-		public Builder.Constraint simpTypeSubscribeDestinationPatterns(String... patterns) {
-			return destinationPathPatterns(SimpMessageType.SUBSCRIBE, patterns);
-		}
-
-		/**
-		 * Maps a {@link List} of {@link SimpDestinationMessageMatcher} instances. If no
-		 * destination is found on the Message, then the Matcher returns false.
+		 * Maps a {@link List} of {@link SimpDestinationMessageMatcher} instances, or
+		 * {@link PathPatternMessageMatcher} if the application has configured a
+		 * {@link org.springframework.security.messaging.util.matcher.PathPatternMessageMatcherBuilderFactoryBean}.
+		 * If no destination is found on the Message, then the Matcher returns false.
 		 * @param type the {@link SimpMessageType} to match on. If null, the
 		 * {@link SimpMessageType} is not considered for matching.
-		 * @param patterns the patterns to create
-		 * {@link org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher}
-		 * from.
+		 * @param patterns the patterns to create {@code MessageMatcher}s from.
 		 * @return the {@link Builder.Constraint} that is associated to the
 		 * {@link MessageMatcher}
-		 * @deprecated use {@link #destinationPathPatterns(String...)}
 		 */
-		@Deprecated
 		private Builder.Constraint simpDestMatchers(SimpMessageType type, String... patterns) {
 			List<MessageMatcher<?>> matchers = new ArrayList<>(patterns.length);
 			for (String pattern : patterns) {
-				MessageMatcher<Object> matcher = new LazySimpDestinationMessageMatcher(pattern, type);
+				MessageMatcher<Object> matcher = MessageMatcherFactory.usesPathPatterns()
+						? MessageMatcherFactory.matcher(pattern, type)
+						: new LazySimpDestinationMessageMatcher(pattern, type);
 				matchers.add(matcher);
 			}
 			return new Builder.Constraint(matchers);
 		}
 
-		/**
-		 * Allows the creation of a security {@link Constraint} applying to messages of
-		 * the provided {@code type} whose destinations match the provided
-		 * {@code patterns}.
-		 * <p>
-		 * The matching of each pattern is performed by a
-		 * {@link PathPatternMessageMatcher}. If no destination is found on the
-		 * {@code Message}, then each {@code Matcher} returns false.
-		 * </p>
-		 * @param type the {@link SimpMessageType} to match on. If null, the
-		 * {@link SimpMessageType} is not considered for matching.
-		 * @param patterns the patterns to create {@link PathPatternMessageMatcher} from.
-		 * @return the {@link Builder.Constraint} that is associated to the
-		 * {@link MessageMatcher}s
-		 * @since 6.5
-		 */
-		private Builder.Constraint destinationPathPatterns(SimpMessageType type, String... patterns) {
-			List<MessageMatcher<?>> matchers = new ArrayList<>(patterns.length);
-			for (String pattern : patterns) {
-				MessageMatcher<Object> matcher = new LazySimpDestinationPatternMessageMatcher(pattern, type,
-						this.useHttpPathSeparator);
-				matchers.add(matcher);
-			}
-			return new Builder.Constraint(matchers);
-		}
-
-		/**
-		 * Instruct this builder to match message destinations using the separator
-		 * configured in
-		 * {@link org.springframework.http.server.PathContainer.Options#MESSAGE_ROUTE}
-		 */
-		public Builder messageRouteSeparator() {
-			this.useHttpPathSeparator = false;
-			return this;
-		}
-
 		/**
 		 * The {@link PathMatcher} to be used with the
 		 * {@link Builder#simpDestMatchers(String...)}. The default is to use the default
 		 * constructor of {@link AntPathMatcher}.
 		 * @param pathMatcher the {@link PathMatcher} to use. Cannot be null.
 		 * @return the {@link Builder} for further customization.
-		 * @deprecated use {@link #messageRouteSeparator()} to alter the path separator
+		 * @deprecated
 		 */
 		@Deprecated
 		public Builder simpDestPathMatcher(PathMatcher pathMatcher) {
@@ -324,7 +236,7 @@ public Builder simpDestPathMatcher(PathMatcher pathMatcher) {
 		 * computation or lookup of the {@link PathMatcher}.
 		 * @param pathMatcher the {@link PathMatcher} to use. Cannot be null.
 		 * @return the {@link Builder} for further customization.
-		 * @deprecated use {@link #messageRouteSeparator()} to alter the path separator
+		 * @deprecated
 		 */
 		@Deprecated
 		public Builder simpDestPathMatcher(Supplier<PathMatcher> pathMatcher) {
@@ -513,40 +425,6 @@ Map<String, String> extractPathVariables(Message<?> message) {
 
 		}
 
-		private static final class LazySimpDestinationPatternMessageMatcher implements MessageMatcher<Object> {
-
-			private final Supplier<PathPatternMessageMatcher> delegate;
-
-			private LazySimpDestinationPatternMessageMatcher(String pattern, SimpMessageType type,
-					boolean useHttpPathSeparator) {
-				this.delegate = SingletonSupplier.of(() -> {
-					PathPatternParser dotSeparatedPathParser = new PathPatternParser();
-					dotSeparatedPathParser.setPathOptions(PathContainer.Options.MESSAGE_ROUTE);
-					PathPatternMessageMatcher.Builder builder = (useHttpPathSeparator)
-							? PathPatternMessageMatcher.withDefaults()
-							: PathPatternMessageMatcher.withPathPatternParser(dotSeparatedPathParser);
-					if (type == null) {
-						return builder.matcher(pattern);
-					}
-					if (SimpMessageType.MESSAGE == type || SimpMessageType.SUBSCRIBE == type) {
-						return builder.matcher(pattern, type);
-					}
-					throw new IllegalStateException(type + " is not supported since it does not have a destination");
-				});
-			}
-
-			@Override
-			public boolean matches(Message<?> message) {
-				return this.delegate.get().matches(message);
-			}
-
-			Map<String, String> extractPathVariables(Message<?> message) {
-				MatchResult matchResult = this.delegate.get().matcher(message);
-				return matchResult.getVariables();
-			}
-
-		}
-
 	}
 
 	private static final class Entry<T> {

messaging/src/main/java/org/springframework/security/messaging/util/matcher/MessageMatcherFactory.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.messaging.util.matcher;
+
+import org.springframework.context.ApplicationContext;
+import org.springframework.messaging.simp.SimpMessageType;
+
+@Deprecated(forRemoval = true)
+public final class MessageMatcherFactory {
+
+	private static PathPatternMessageMatcher.Builder builder;
+
+	public static void setApplicationContext(ApplicationContext context) {
+		builder = context.getBeanProvider(PathPatternMessageMatcher.Builder.class).getIfUnique();
+	}
+
+	public static boolean usesPathPatterns() {
+		return builder != null;
+	}
+
+	public static MessageMatcher<?> matcher(String destination) {
+		return builder.matcher(destination);
+	}
+
+	public static MessageMatcher<Object> matcher(String destination, SimpMessageType type) {
+		return (type != null) ? builder.matcher(destination, type) : builder.matcher(destination);
+	}
+
+	private MessageMatcherFactory() {
+	}
+
+}