-
Notifications
You must be signed in to change notification settings - Fork 38.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deprecate trailing slash match and change default value from true to false #28552
Comments
I think most users would would expect that a trailing slash doesn't make a difference. From that perspective, the default is not unreasonable, and more than just HATEOAS style navigation or API guidance, even just manually typing a URL somewhere. If we change the default, many would look to change it back, so overall it's hard to avoid the need to align Spring Security with with Spring MVC through For configuring redirects, do you mean externally, like in a proxy? That would solve the problem at a different level, before Spring Security and Spring MVC, so I would be more interested in that direction but we can only make it a recommendation, and we can still make such a recommendation independent of this. |
I can see manually typing a URL as a real argument only in case of web apps (not APIs) and even there it's only potentially useful for a few select URLs that are considered to be entry points into the application and are likely to be directly entered by the users.
This is the part I strongly disagree with - what Spring Security does is nothing special nor unique. You can end up with the same kind of risks with other Java filter based security frameworks (for example, Apache Shiro) or by applying security (authorization) in an external component that sits in front of your Spring application. After all, on a high level, conceptually these all take the same approach.
Either externally in a proxy or using something like Tuckey UrlRewriteFilter or even simply using What I would like to see in Spring are the defaults that are not ambiguous and are therefore less prone to abuse. When I see a handler annotated with |
I'm not necessarily disagreeing. I'm merely making the point that by itself, trailing slash is not unsafe. It's only when combined with a proxy or filter that also interprets URLs, where it becomes a problem, and the problem more generally is that there may be differences, which could go both ways. That said, this is also the reason, I've come to see over time that URL paths should be left alone as is as much as possible, avoiding normalization as much as possible. It's the only way for frameworks to minimize differences and align naturally. This is also why In any case, the only way to really make a significant difference here I think is to deprecate the trailingSlash option entirely and encourage an alternative solution, like a proxy or filter to redirect. That enforces being more precise about where you want to do that exactly, and it can be done ahead of security decisions. Otherwise the possibility for a mismatch between web and security frameworks remains. It's just too easy to flip the default back and not think about it again. This is something that we'll discuss as a possibility for 6.0. |
I like that even better. Thanks for the feedback. |
Team decision: we'll go ahead with this. It aligns with various other path matching changes we've made in 5.2 and 5.3 such suffix pattern matching, path segment trimming, and path decoding, to make path matching more transparent and explicit. |
Will the default be changed to false as part of this deprecation? |
Yes, I'm thinking that we might as well and that we'll have to, since otherwise you'd need to set it in order to stop using it. We had the same issue with suffix pattern matching. |
The trailing slash option is now deprecated and set to |
I've just found this while browing the code @rstoyanchev : Line 85 in 50240bb
Should this value be changed as well? |
Looks like it, yes. |
what is the deprecation period for PathMatchConfigurer#setUseTrailingSlashMatch ? |
Just to add to my initial response: in our project we have probably around 200 endpoints and 3 frontends, which access these endpoints in various manners (we hadn't used unified Feign Clients back when we started out). This change means, that we have to adjust our endpoints in so they explicitly define the endpoint with a trailing slash and one without. We have to adjust all integration tests for all endpoints and we even should adjust all end-to-end tests in multiple platforms. This is easily 10+ business days of work for just this useless change. I'd resort to using Isn't it possible to allow people, who did not pay 100% attention to the trailing slashes, opt-out of this "more security" aspect? We have implemente a few other means to strengthen our API security, so opting out of this thing would be okay. |
Thanks Spring team! I spent an entire day on figuring out why the API stopped working. You guys do great work with the framework; but this boggles my mind, how can such a decision be made? |
We have literally hundreds of clients across dozens of environments, this will stall the adoption of SB3 for months and months and will undoubtedly cause issues even with all the due diligence in the world. Absolutely crazy change. |
Spring upgrades have always been a pain, even between minor versions (remember "allow-bean-definition-overriding" ?). |
…quests with trailing slashes (#14) * Create navbar link and GET request to change password * Create PasswordEncoderService * Finish implementing the password change form * Don't encode password until it needs to be saved * Create admin page to view all users * Reroute requests with a trailing slash Used https://www.baeldung.com/spring-boot-3-url-matching An interesting read spring-projects/spring-framework#28552 * Use URLs without trailing slash as default * Create search functionality for users
This was a horrible update. Should have been an optional property in |
I really support different solutions proposed here, such as #31366. As of now, in nearly every project, we're having to fall back to |
Prior to this commit, trailing slash matching was disabled by default in Spring MVC with gh-28552. `StandaloneMockMvcBuilder` was not changed as a result and still had the trailing slash match option enabled. This commit aligns the defaults in `StandaloneMockMvcBuilder` to better reflect the expected behavior in tests. Closes gh-32796
This comment was marked as off-topic.
This comment was marked as off-topic.
This issue can be resolved by adding the following @Component
public class ServletRequestWrapperFilter implements Filter {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequestWrapper requestWrapper = new HttpServletRequestWrapper((HttpServletRequest) request) {
@Override
public String getRequestURI() {
String requestURI = super.getRequestURI();
if (StringUtils.endsWith(requestURI, "/")) {
return StringUtils.removeEnd(requestURI, "/");
}
return requestURI;
}
};
chain.doFilter(requestWrapper, response);
}
} |
There is a now a concrete proposal for a similar Filter under #31366. |
Did this ever happen? I expected some kind of information of this on https://github.com/spring-projects/spring-framework/wiki/What%27s-New-in-Spring-Framework-6.x but neither |
@soc thanks for the reminder, I've just added something here: https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-6.x#web-applications-1 |
@bclozel Thanks, I think that will be helpful to many people! |
Though i really appreciate the addition to the wiki, i still think that some kind of default filter should be provided by the framework. Even if it's not included in the filterchain by default, it would still make life a lot easier for this very common use-case. |
@ndrscodes it's already implemented - please provide feedback directly on the issue when you'll test it: #31366 |
Another variation since it took me a while to figure out how to apply the previous example: package com.example.myApp.Filters;
import java.io.IOException;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
@Component
public class TrailingSlashFilter implements Filter {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequestWrapper requestWrappper = new HttpServletRequestWrapper((HttpServletRequest) request) {
@Override
public String getRequestURI() {
String requestURI = super.getRequestURI();
return StringUtils.trimTrailingCharacter(requestURI, "/".toCharArray()[0]);
}
};
chain.doFilter(requestWrappper, response);
}
} |
Even though this behavior has been long present in Spring, it introduces ambiguity that can (combined with some other choices) easily have consequences in shape of security vulnerabilities. Consider this example:
Default user (with role
user
) will get403
attempting toGET /resources
but can avoid protection by issuingGET /resources/
, which wouldn't be possible with trailing slash matching disabled.Let me note that I'm aware that using
mvcMatchers
instead ofantMatchers
would have prevented this issue but that doesn't change the fact that there are many configurations out there relying onantMatchers
and that sometimesantMatchers
are simply more suitable for other reasons.Also, I personally see little real benefit of having trailing slash matching enabled because:
For places where it's really needed for application to respond to both requests, I'd argue that it's either way better solution to configure redirects instead of application wide ambiguous request mappings.
Please consider making this change for
6.0
.The text was updated successfully, but these errors were encountered: