Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Turn off useSuffixPatternMatching by default #23915

Closed
rupert-madden-abbott opened this issue Nov 3, 2019 · 7 comments
Closed

Turn off useSuffixPatternMatching by default #23915

rupert-madden-abbott opened this issue Nov 3, 2019 · 7 comments
Assignees
@rstoyanchev
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Milestone
5.3 M1

Comments

@rupert-madden-abbott
Copy link

rupert-madden-abbott commented Nov 3, 2019
edited
Loading

When useSuffixPatternMatching is set to true, then

a method mapped to "/users" also matches to "/users.*"

The default value is true. Please can this be changed to false.

Defaults shouldn't be surprising
It is not obvious to developers that this will occur. They intend to setup a static mapping of "/users" and find that this mapping works. They have to explicit visit "/users.blah" to discover that they have unintentionally mapped more than they intended.

There are lots of examples of this causing surprise with developers being confused by the cause and purpose of this function:

The behaviour is clearly documented but that isn't good enough to stop the surprise because it isn't clear from the application code itself. All a developer sees is that "/users" is mapped and there is nothing explicit to make them realise something else is going on.

Defaults should encourage best practice
As documented, this default is enabling a practice that used to be widespread but has fallen out of favour due to the problems it causes. Developers should be using the Accept header and not file extensions for content negotiation.

It would be better to allow developers to opt-in to this feature, rather than having the best practice be an opt-in.

Defaults should be secure
antMatchers still exists in Spring Security. Whilst everybody should be using mvcMatchers, it's still really easy to open up a security hole by having this switched on.

It is also much more risky than the optional trailing slash feature which developers are far more likely to expect and anticipate since such a feature is common to many web frameworks. Developers are very unlikely to add a file extension to their URL if they haven't mapped one and thus can still easily miss this vulnerability if they have failed to use mvcMatchers
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Nov 3, 2019
@rstoyanchev
Copy link
Contributor

rstoyanchev commented Nov 4, 2019
edited
Loading

These are all valid arguments from our own reference docs, and in a greenfield situation like WebFlux, those options don't even exist. In Spring MVC however, the surprise will also apply to all those who already rely on the current behavior. That is the main sticking point.

@rstoyanchev rstoyanchev added the in: web Issues in web modules (web, webmvc, webflux, websocket) label Nov 19, 2019
@rstoyanchev
Copy link
Contributor

rstoyanchev commented Dec 10, 2019
edited
Loading

Team decision:

In 5.2, deprecate config options (see #24179) for path matching and for content negotiation via path extensions in favor of content negotiation by Accept header, or query parameter if necessary, and path matching with @RequestMapping(produces="...").

In 5.3, enable suffix pattern matching via registered extensions only:

Setting Current Default New Default
useSuffixPatternMatch true true
useRegisteredSuffixPatternMatch false true
ContentNegotiationManager Path extensions, Accept header Path extensions, Accept header

For extra context, the relevant Spring Boot web properties and their settings:

  • spring.mvc.pathmatch.use-suffix-pattern = false
  • spring.mvc.pathmatch.use-registered-suffix-pattern = false
  • spring.mvc.contentnegotiation.favor-path-extension = false
  • spring.mvc.contentnegotiation.favor-parameter=false

@rstoyanchev rstoyanchev added this to the 5.3 M1 milestone Dec 10, 2019
@rstoyanchev rstoyanchev self-assigned this Dec 10, 2019
@rstoyanchev rstoyanchev added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Dec 10, 2019
@rstoyanchev rstoyanchev changed the title Change the default of useSuffixPatternMatching from true to false Turn off useSuffixPatternMatching by default Dec 10, 2019
@rstoyanchev rstoyanchev mentioned this issue Dec 10, 2019
Closed
@mikesmithson
Copy link

@rstoyanchev - is this issue something a first-time contributor can submit a PR for? I saw that it was self-assigned back in December and wasn't sure if it was being actively worked on. I have a PR that I can submit if this issue is still available for outside contribution.

mikesmithson added a commit to mikesmithson/spring-framework that referenced this issue Feb 23, 2020
@mikesmithson
spring-projects#23915 - Turn off useSuffixPatternMatching by default
f079f63
@mikesmithson mikesmithson mentioned this issue Feb 25, 2020
Closed
@rstoyanchev
Copy link
Contributor

rstoyanchev commented Apr 20, 2020
edited
Loading

In light of #24642 it's become clear for the deprecation to work properly, we must change defaults in 5.3 to turn off use of path extension completely. In other words:

Setting Current Default New Default
useSuffixPatternMatch true false
useRegisteredSuffixPatternMatch false false
ContentNegotiationManager Accept header Accept header

This will match the defaults in Boot and will allow applications to stop using those deprecated methods before they are eventually removed.

rstoyanchev added a commit that referenced this issue May 6, 2020
@rstoyanchev
Fix typo
66bb145 
See gh-23915, gh-25018
@eleftherias eleftherias mentioned this issue May 6, 2020
Closed
@rstoyanchev
Copy link
Contributor

Re-opening in order to change the default in the XML config as well.

@rstoyanchev rstoyanchev reopened this May 8, 2020
@rwinch
Copy link
Member

rwinch commented May 8, 2020
edited by rstoyanchev
Loading

For users who need to temporarily revert to the previous behavior you can adjust the path matching configuration:

@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        configurer
            // ...
            .setUseRegisteredSuffixPatternMatch(true);
    }
}
<mvc:annotation-driven>
    <mvc:path-matching suffix-pattern="true"/>
</mvc:annotation-driven>

@mikesmithson
Copy link

@rstoyanchev - Is this still open for contribution or do you want to finish this one up?

rwinch added a commit to spring-projects/spring-security that referenced this issue May 8, 2020
@rwinch
Explicitly set useSuffixPatternMatch for Tests
d91b153 
Spring MVC changed their default behavior in
spring-projects/spring-framework#23915 This
causes failures in some of Spring Security's tests.

This explicitly sets useSuffixPatternMatch=true to ensure that Spring
Security still works if users have modified their defaults.

Closes gh-8493
@randomnicode randomnicode mentioned this issue May 17, 2020
Open
kenny5he pushed a commit to kenny5he/spring-framework that referenced this issue Jun 21, 2020
@rstoyanchev @kenny5he
Turn off use of path extensions by default
3ad80c7 
Closes spring-projectsgh-23915
kenny5he pushed a commit to kenny5he/spring-framework that referenced this issue Jun 21, 2020
@rstoyanchev @kenny5he
Fix typo
8af012c 
See spring-projectsgh-23915, spring-projectsgh-25018
FelixFly pushed a commit to FelixFly/spring-framework that referenced this issue Aug 16, 2020
@rstoyanchev
Add deprecation notes to the WebMvc config schema
cdb05b4 
Closes spring-projectsgh-23915
@rstoyanchev rstoyanchev mentioned this issue Nov 19, 2020
Closed
rstoyanchev added a commit that referenced this issue Nov 24, 2020
@rstoyanchev
Set favorPathExtension to false by default
8070108 
Applies a change that was intended in #23915 but wasn't.

Closes gh-26119
@perlan perlan mentioned this issue Jun 7, 2021
Closed
@rstoyanchev rstoyanchev mentioned this issue Dec 9, 2021
Closed
@vietnguyen vietnguyen mentioned this issue Apr 14, 2022
Merged
@vpavic vpavic mentioned this issue Jun 9, 2022
Closed
avgustinmm added a commit to bosch-io/hawkbit that referenced this issue Jul 6, 2023
@avgustinmm
[eclipse-hawkbit#1383] Spring Boot 3 Migration / Step 1
bb1bebb 
1. PagingAndSortingRepository doesn't extend CrudRepository anymore. For all extending that interface repositories CrudRepository super interface shall be now declared (https://spring.io/blog/2022/02/22/announcing-listcrudrepository-friends-for-spring-data-3-0 -
```
The popular PagingAndSortingRepository used to extend from CrudRepository, but it no longer does. This lets you combine it
with either CrudRepository or ListCrudRepository or a base interface of your own creation. This means you now have to
explicitly extend from a CRUD fragment, even when you already extend from PagingAndSortingRepository.
```
)
2. org.eclipse.hawkbit.autoconfigure.mgmt.ui -> move in hawkbit-ui (to be ready for removal), anyway - it's a better location for ui related configs
3. extends WebMvcConfigurerAdapter -> implements WebMvcConfigurer
4. remove WebSecurityConfigurerAdapter -> https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#_stop_using_websecurityconfigureradapter, https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
5. Use configurers (the other will be deprecated / removed), e.d:  http.csrf().disable() -> http.csrf(AbstractHttpConfigurer::disable)
6. configure(final AuthenticationManagerBuilder auth) -> put in httpsecurity config - http.getSharedObject(AuthenticationManagerBuilder.class).... (https://www.baeldung.com/spring-security-authentication-provider)
7. configure(final WebSecurity webSecurity) ->
```
@bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> web.ignoring().antMatchers("/documentation/**", "/VAADIN/**", "/*.*", "/docs/**");
}
```
(https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter)
8. AuthenticationManager authenticationManagerBean() ->
```
@bean
AuthenticationManager authenticationManager(final AuthenticationConfiguration authenticationConfiguration) throws Exception {
    return authenticationConfiguration.getAuthenticationManager();
}
```
(https://backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/)
9. WebMvcAutoConfiguration could be removed - it uses deprectated methods, and sets properties that are same by default - hence - not neeeded
(spring-projects/spring-framework#23915 (comment))

Signed-off-by: Marinov Avgustin <[email protected]>
avgustinmm added a commit to bosch-io/hawkbit that referenced this issue Jul 6, 2023
@avgustinmm
[eclipse-hawkbit#1383] Spring Boot 3 Migration / Step 1
6c1f595 
1. PagingAndSortingRepository doesn't extend CrudRepository anymore. For all extending that interface repositories CrudRepository super interface shall be now declared (https://spring.io/blog/2022/02/22/announcing-listcrudrepository-friends-for-spring-data-3-0 -
```
The popular PagingAndSortingRepository used to extend from CrudRepository, but it no longer does. This lets you combine it
with either CrudRepository or ListCrudRepository or a base interface of your own creation. This means you now have to
explicitly extend from a CRUD fragment, even when you already extend from PagingAndSortingRepository.
```
)
2. org.eclipse.hawkbit.autoconfigure.mgmt.ui -> move in hawkbit-ui (to be ready for removal), anyway - it's a better location for ui related configs
3. extends WebMvcConfigurerAdapter -> implements WebMvcConfigurer
4. remove WebSecurityConfigurerAdapter -> https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#_stop_using_websecurityconfigureradapter, https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
5. Use configurers (the other will be deprecated / removed), e.d:  http.csrf().disable() -> http.csrf(AbstractHttpConfigurer::disable)
6. configure(final AuthenticationManagerBuilder auth) -> put in httpsecurity config - http.getSharedObject(AuthenticationManagerBuilder.class).... (https://www.baeldung.com/spring-security-authentication-provider)
7. configure(final WebSecurity webSecurity) ->
```
@bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> web.ignoring().antMatchers("/documentation/**", "/VAADIN/**", "/*.*", "/docs/**");
}
```
(https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter)
8. AuthenticationManager authenticationManagerBean() ->
```
@bean
AuthenticationManager authenticationManager(final AuthenticationConfiguration authenticationConfiguration) throws Exception {
    return authenticationConfiguration.getAuthenticationManager();
}
```
(https://backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/)
9. WebMvcAutoConfiguration could be removed - it uses deprectated methods, and sets properties that are same by default - hence - not neeeded
(spring-projects/spring-framework#23915 (comment))

Signed-off-by: Marinov Avgustin <[email protected]>
avgustinmm added a commit to bosch-io/hawkbit that referenced this issue Jul 11, 2023
@avgustinmm
[eclipse-hawkbit#1383] Spring Boot 3 Migration / Step 1
b065722 
1. PagingAndSortingRepository doesn't extend CrudRepository anymore. For all extending that interface repositories CrudRepository super interface shall be now declared (https://spring.io/blog/2022/02/22/announcing-listcrudrepository-friends-for-spring-data-3-0 -
```
The popular PagingAndSortingRepository used to extend from CrudRepository, but it no longer does. This lets you combine it
with either CrudRepository or ListCrudRepository or a base interface of your own creation. This means you now have to
explicitly extend from a CRUD fragment, even when you already extend from PagingAndSortingRepository.
```
)
2. org.eclipse.hawkbit.autoconfigure.mgmt.ui -> move in hawkbit-ui (to be ready for removal), anyway - it's a better location for ui related configs
3. extends WebMvcConfigurerAdapter -> implements WebMvcConfigurer
4. remove WebSecurityConfigurerAdapter -> https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#_stop_using_websecurityconfigureradapter, https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
and add @order to the bean reg!!
5. Use configurers (the other will be deprecated / removed), e.d:  http.csrf().disable() -> http.csrf(AbstractHttpConfigurer::disable)
6. configure(final AuthenticationManagerBuilder auth) -> put in httpsecurity config - http.getSharedObject(AuthenticationManagerBuilder.class).... (https://www.baeldung.com/spring-security-authentication-provider)
7. configure(final WebSecurity webSecurity) ->
```
@bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> web.ignoring().antMatchers("/documentation/**", "/VAADIN/**", "/*.*", "/docs/**");
}
```
(https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter)
8. AuthenticationManager authenticationManagerBean() ->
```
@bean
AuthenticationManager authenticationManager(final AuthenticationConfiguration authenticationConfiguration) throws Exception {
    return authenticationConfiguration.getAuthenticationManager();
}
```
(https://backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/)
9. WebMvcAutoConfiguration could be removed - it uses deprectated methods, and sets properties that are same by default - hence - not neeeded
(spring-projects/spring-framework#23915 (comment))

Signed-off-by: Marinov Avgustin <[email protected]>
avgustinmm added a commit to bosch-io/hawkbit that referenced this issue Jul 11, 2023
@avgustinmm
[eclipse-hawkbit#1383] Spring Boot 3 Migration / Step 1
789d5f0 
1. PagingAndSortingRepository doesn't extend CrudRepository anymore. For all extending that interface repositories CrudRepository super interface shall be now declared (https://spring.io/blog/2022/02/22/announcing-listcrudrepository-friends-for-spring-data-3-0 -
```
The popular PagingAndSortingRepository used to extend from CrudRepository, but it no longer does. This lets you combine it
with either CrudRepository or ListCrudRepository or a base interface of your own creation. This means you now have to
explicitly extend from a CRUD fragment, even when you already extend from PagingAndSortingRepository.
```
)
2. org.eclipse.hawkbit.autoconfigure.mgmt.ui -> move in hawkbit-ui (to be ready for removal), anyway - it's a better location for ui related configs
3. extends WebMvcConfigurerAdapter -> implements WebMvcConfigurer
4. remove WebSecurityConfigurerAdapter -> https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#_stop_using_websecurityconfigureradapter, https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
and add @order to the bean reg!!
5. Use configurers (the other will be deprecated / removed), e.d:  http.csrf().disable() -> http.csrf(AbstractHttpConfigurer::disable)
6. configure(final AuthenticationManagerBuilder auth) -> put in httpsecurity config - http.getSharedObject(AuthenticationManagerBuilder.class).... (https://www.baeldung.com/spring-security-authentication-provider)
7. configure(final WebSecurity webSecurity) ->
```
@bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> web.ignoring().antMatchers("/documentation/**", "/VAADIN/**", "/*.*", "/docs/**");
}
```
(https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter)
8. AuthenticationManager authenticationManagerBean() ->
```
@bean
AuthenticationManager authenticationManager(final AuthenticationConfiguration authenticationConfiguration) throws Exception {
    return authenticationConfiguration.getAuthenticationManager();
}
```
(https://backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/)
9. WebMvcAutoConfiguration could be removed - it uses deprectated methods, and sets properties that are same by default - hence - not neeeded
(spring-projects/spring-framework#23915 (comment))

Signed-off-by: Marinov Avgustin <[email protected]>
avgustinmm added a commit to bosch-io/hawkbit that referenced this issue Jul 11, 2023
@avgustinmm
[eclipse-hawkbit#1383] Spring Boot 3 Migration / Step 1
cd1ffbe 
1. PagingAndSortingRepository doesn't extend CrudRepository anymore. For all extending that interface repositories CrudRepository super interface shall be now declared (https://spring.io/blog/2022/02/22/announcing-listcrudrepository-friends-for-spring-data-3-0 -
```
The popular PagingAndSortingRepository used to extend from CrudRepository, but it no longer does. This lets you combine it
with either CrudRepository or ListCrudRepository or a base interface of your own creation. This means you now have to
explicitly extend from a CRUD fragment, even when you already extend from PagingAndSortingRepository.
```
)
2. org.eclipse.hawkbit.autoconfigure.mgmt.ui -> move in hawkbit-ui (to be ready for removal), anyway - it's a better location for ui related configs
3. extends WebMvcConfigurerAdapter -> implements WebMvcConfigurer
4. remove WebSecurityConfigurerAdapter -> https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#_stop_using_websecurityconfigureradapter, https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
and add @order to the bean reg!!
5. Use configurers (the other will be deprecated / removed), e.d:  http.csrf().disable() -> http.csrf(AbstractHttpConfigurer::disable)
6. configure(final AuthenticationManagerBuilder auth) -> put in httpsecurity config - http.getSharedObject(AuthenticationManagerBuilder.class).... (https://www.baeldung.com/spring-security-authentication-provider)
7. configure(final WebSecurity webSecurity) ->
```
@bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> web.ignoring().antMatchers("/documentation/**", "/VAADIN/**", "/*.*", "/docs/**");
}
```
(https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter)
8. AuthenticationManager authenticationManagerBean() ->
```
@bean
AuthenticationManager authenticationManager(final AuthenticationConfiguration authenticationConfiguration) throws Exception {
    return authenticationConfiguration.getAuthenticationManager();
}
```
(https://backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/)
9. WebMvcAutoConfiguration could be removed - it uses deprectated methods, and sets properties that are same by default - hence - not neeeded
(spring-projects/spring-framework#23915 (comment))

Signed-off-by: Marinov Avgustin <[email protected]>
strailov pushed a commit to eclipse-hawkbit/hawkbit that referenced this issue Jul 17, 2023
@avgustinmm
[#1383] Spring Boot 3 Migration / Step 1 (#1384)
56ea5b1 
1. PagingAndSortingRepository doesn't extend CrudRepository anymore. For all extending that interface repositories CrudRepository super interface shall be now declared (https://spring.io/blog/2022/02/22/announcing-listcrudrepository-friends-for-spring-data-3-0 -
```
The popular PagingAndSortingRepository used to extend from CrudRepository, but it no longer does. This lets you combine it
with either CrudRepository or ListCrudRepository or a base interface of your own creation. This means you now have to
explicitly extend from a CRUD fragment, even when you already extend from PagingAndSortingRepository.
```
)
2. org.eclipse.hawkbit.autoconfigure.mgmt.ui -> move in hawkbit-ui (to be ready for removal), anyway - it's a better location for ui related configs
3. extends WebMvcConfigurerAdapter -> implements WebMvcConfigurer
4. remove WebSecurityConfigurerAdapter -> https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#_stop_using_websecurityconfigureradapter, https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
and add @order to the bean reg!!
5. Use configurers (the other will be deprecated / removed), e.d:  http.csrf().disable() -> http.csrf(AbstractHttpConfigurer::disable)
6. configure(final AuthenticationManagerBuilder auth) -> put in httpsecurity config - http.getSharedObject(AuthenticationManagerBuilder.class).... (https://www.baeldung.com/spring-security-authentication-provider)
7. configure(final WebSecurity webSecurity) ->
```
@bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> web.ignoring().antMatchers("/documentation/**", "/VAADIN/**", "/*.*", "/docs/**");
}
```
(https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter)
8. AuthenticationManager authenticationManagerBean() ->
```
@bean
AuthenticationManager authenticationManager(final AuthenticationConfiguration authenticationConfiguration) throws Exception {
    return authenticationConfiguration.getAuthenticationManager();
}
```
(https://backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/)
9. WebMvcAutoConfiguration could be removed - it uses deprectated methods, and sets properties that are same by default - hence - not neeeded
(spring-projects/spring-framework#23915 (comment))

Signed-off-by: Marinov Avgustin <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rstoyanchev rstoyanchev

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Projects
None yet
Milestone
5.3 M1
Development

No branches or pull requests
5 participants
@rwinch @mikesmithson @rstoyanchev @rupert-madden-abbott @spring-projects-issues