Description
Describe the bug
Defining multiple .requestMatchers().mvcMatchers() calls overrides the previous one.
http
    .requestMatchers()
        .mvcMatchers("/api-1")
        .mvcMatchers("/api-2")
        .mvcMatchers("/api-3")
        .and()
In the example above, the matcher for "/api-3" will override the one for "/api-1", and the resulting matcher list will contain only the two latest matchers: "/api-2" and "/api-3".
Expected behavior
All matches should be used together, joined by OrRequestMatcher.
Possible issue
The MvcMatchersRequestMatcherConfigurer that is returned after .mvcMatchers() contains only the last pattern, but it should collect all patterns combined together.
I think the line https://github.com/spring-projects/spring-security/blob/main/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java#L3119 from the following code:
@Override
public MvcMatchersRequestMatcherConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
    List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
    setMatchers(mvcMatchers);
    return new MvcMatchersRequestMatcherConfigurer(getContext(), mvcMatchers);
}
should be changed to return all matches: this.matchers, like below:
@Override
public MvcMatchersRequestMatcherConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
    List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
    setMatchers(mvcMatchers);
    return new MvcMatchersRequestMatcherConfigurer(getContext(), this.matchers);
}
Version
Reproduced on v5.3.4.
But main and the latest v5.6.2 contain the same code.
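
A simplified model of the chaining described in this report, added here as an illustration; it is not Spring Security code and not the reporter's code. The names `Configurer`, `effective` and `returnAll` are hypothetical, and the model assumes that `setMatchers` appends to `this.matchers` and installs an `OrRequestMatcher` built from that list.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified stand-in for the configurer chain; plain strings replace MvcRequestMatcher.
public class MatcherOverrideDemo {

    // Stands in for HttpSecurity: the patterns of the OrRequestMatcher installed last.
    static List<String> effective = List.of();

    static class Configurer {
        final List<String> matchers;   // plays the role of this.matchers
        final boolean returnAll;       // false = code as quoted, true = change proposed in the issue

        Configurer(List<String> initial, boolean returnAll) {
            this.matchers = new ArrayList<>(initial);
            this.returnAll = returnAll;
        }

        Configurer mvcMatchers(String... patterns) {
            List<String> created = List.of(patterns);  // createMvcMatchers(...)
            matchers.addAll(created);                  // setMatchers(...): assumed to append
            effective = List.copyOf(matchers);         // ...and install Or(this.matchers)
            // The returned configurer starts from whichever list is handed to it here.
            return new Configurer(returnAll ? matchers : created, returnAll);
        }
    }

    // The chained form from the report.
    static List<String> chained(boolean returnAll) {
        new Configurer(List.of(), returnAll)
            .mvcMatchers("/api-1")
            .mvcMatchers("/api-2")
            .mvcMatchers("/api-3");
        return effective;
    }

    // All patterns in one varargs call, so nothing depends on the returned configurer.
    static List<String> singleCall() {
        new Configurer(List.of(), false).mvcMatchers("/api-1", "/api-2", "/api-3");
        return effective;
    }

    public static void main(String[] args) {
        System.out.println("chained, quoted code:  " + chained(false));
        System.out.println("chained, proposed fix: " + chained(true));
        System.out.println("single varargs call:   " + singleCall());
    }
}
```

Run it with `java MatcherOverrideDemo.java` (Java 11 or later). A pattern that drops out of the list means requests to that path are no longer selected by this `HttpSecurity` configuration, so a configuration test that checks each expected path is worth having.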