Re: [PR] FINERACT-2421: fix(security): migrate request matchers to PathPatternRequestMatcher (no behavior change) [fineract]

via GitHub Sun, 04 Jan 2026 02:45:02 -0800


Aman-Mittal commented on PR #5271:
URL: https://github.com/apache/fineract/pull/5271#issuecomment-3707963374


   > Right now the PR mixes:
   > 
   > * explicit PathPatternRequestMatcher.withDefaults().matcher("/api/**") 
(good / explicit), and
   > * requestMatchers(HttpMethod.X, "/api/...") + requestMatchers("/api/**") 
(ambiguous implementation choice in Spring Security; can resolve differently 
depending on servlet setup, and has had misconfiguration pitfalls)
   > 
   > **Recommended fix**
   > 
   > Make every matcher explicit and consistent:
   > 
   > * Replace all requestMatchers(HttpMethod.X, "…") with 
requestMatchers(PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.X, 
"…"))
   > * Replace all requestMatchers("…") with 
requestMatchers(PathPatternRequestMatcher.withDefaults().matcher("…"))
   > * Do the same for requiresChannel(channel -> channel.requestMatchers(...))
   >   Spring Security provides a 
PathPatternRequestMatcher.Builder#matcher(HttpMethod, String) for this exact 
purpose.
   
   Please review again,
   
https://github.com/Aman-Mittal/fineract/commit/285a34a9a945eda8197c935acdeb9efad8065fb1


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] FINERACT-2421: fix(security): migrate request matchers to PathPatternRequestMatcher (no behavior change) [fineract]

Reply via email to