Automatic registration of ServletRequestPathFilter causes UrlBasedCorsConfigurationSource to not match URL #17207

Open
@jazdw

Description

Spring Security version: 6.5.0 release

Describe the bug

org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration#springSecurityPathPatternParserBeanDefinitionRegistryPostProcessor now automatically registers a ServletRequestPathFilter which runs before the Spring Security filter chain. This means that org.springframework.web.cors.UrlBasedCorsConfigurationSource#resolvePath always resolves a RequestPath which is relative to the application path (org.springframework.web.util.ServletRequestPathUtils#getCachedPath calls org.springframework.http.server.RequestPath#pathWithinApplication on the cached path).

This ignores the org.springframework.web.util.UrlPathHelper#setAlwaysUseFullPath setting when you configure the UrlBasedCorsConfigurationSource using org.springframework.web.cors.UrlBasedCorsConfigurationSource#setUrlPathHelper.

To Reproduce

  1. Use Spring Security 6.5.0
  2. Use a UrlPathHelper with setAlwaysUseFullPath(true)
  3. Register a CorsConfiguration on CorsConfigurationSource with a pattern which matches the full path
  4. The CorsConfiguration will not be used

Expected behavior

The full path should be matched, and the CorsConfiguration should be used.

Sample

    import java.util.List;

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.CorsConfigurationSource;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
    import org.springframework.web.util.UrlPathHelper;

    // Enclosing configuration class and its name are assumed here so the snippet compiles;
    // the original report shows only the bean method.
    @Configuration
    public class CorsConfig {

        @Bean
        public CorsConfigurationSource corsConfigurationSource(
                @Value("${rest.cors.allowedOrigins}") List<String> allowedOrigins,
                @Value("${rest.cors.allowedMethods}") List<String> allowedMethods,
                @Value("${rest.cors.allowedHeaders}") List<String> allowedHeaders,
                @Value("${rest.cors.exposedHeaders}") List<String> exposedHeaders,
                @Value("${rest.cors.allowCredentials}") boolean allowCredentials,
                @Value("${rest.cors.maxAge}") long maxAge) {

            CorsConfiguration configuration = new CorsConfiguration();
            configuration.setAllowedOrigins(allowedOrigins);
            configuration.setAllowedMethods(allowedMethods);
            configuration.setAllowedHeaders(allowedHeaders);
            configuration.setExposedHeaders(exposedHeaders);
            configuration.setAllowCredentials(allowCredentials);
            configuration.setMaxAge(maxAge);

            // Match against the path within the application (after the context path),
            // not the path within the servlet mapping.
            UrlPathHelper urlPathHelper = new UrlPathHelper();
            urlPathHelper.setAlwaysUseFullPath(true); //Don't chop off the starting /rest stuff

            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.setUrlPathHelper(urlPathHelper);
            // The pattern deliberately includes the /rest prefix, so it only matches the full path.
            source.registerCorsConfiguration("/rest/**", configuration);

            return source;
        }
    }
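
The following JUnit 5 test is an added example, not part of this report or of Spring Security's own code. It reproduces the behaviour the report describes without booting a Spring context: the first test shows the UrlPathHelper-based lookup matching "/rest/**" when nothing has cached a path, and the second shows what happens once a RequestPath has been cached, the same thing ServletRequestPathFilter does before the security filter chain runs. It assumes spring-test's MockHttpServletRequest and MockHttpServletMapping are on the classpath, that the DispatcherServlet is path-mapped at /rest/* with an empty context path, and that the cached path is relative to that servlet mapping; the origin, URL and servlet name are constructed values, and the expected results are the ones the report describes.

```java
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;

import java.util.List;

import jakarta.servlet.http.MappingMatch;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletMapping;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.util.ServletRequestPathUtils;
import org.springframework.web.util.UrlPathHelper;

// Added example; class name and all sample values are assumptions, not from the report.
class FullPathCorsMatchingTest {

    // Same shape as the bean in the report: alwaysUseFullPath=true and a pattern
    // that includes the servlet prefix.
    private static UrlBasedCorsConfigurationSource fullPathSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(List.of("https://example.test")); // constructed origin

        UrlPathHelper urlPathHelper = new UrlPathHelper();
        urlPathHelper.setAlwaysUseFullPath(true);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.setUrlPathHelper(urlPathHelper);
        source.registerCorsConfiguration("/rest/**", configuration);
        return source;
    }

    // A constructed request for /rest/things handled by a DispatcherServlet
    // path-mapped at /rest/* under an empty context path.
    private static MockHttpServletRequest restRequest() {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/rest/things");
        request.setContextPath("");
        request.setServletPath("/rest");
        request.setPathInfo("/things");
        request.setHttpServletMapping(
                new MockHttpServletMapping("things", "/rest/*", "dispatcherServlet", MappingMatch.PATH));
        return request;
    }

    @Test
    void matchesWhenNoPathHasBeenCached() {
        // No filter has run, so the source falls back to the UrlPathHelper,
        // which with alwaysUseFullPath=true looks up "/rest/things".
        CorsConfiguration config = fullPathSource().getCorsConfiguration(restRequest());
        assertNotNull(config);
    }

    @Test
    void doesNotMatchOnceARequestPathIsCached() {
        MockHttpServletRequest request = restRequest();

        // Simulate ServletRequestPathFilter: parse and cache a RequestPath on the request.
        // For a path-mapped servlet its pathWithinApplication() is "/things", not "/rest/things".
        ServletRequestPathUtils.parseAndCache(request);

        // The reported behaviour: the cached path is used, so "/rest/**" no longer matches.
        CorsConfiguration config = fullPathSource().getCorsConfiguration(request);
        assertNull(config);

        // Removing the cached path restores the UrlPathHelper-based lookup.
        ServletRequestPathUtils.clearCache(request);
        assertNotNull(fullPathSource().getCorsConfiguration(request));
    }
}
```

The last assertion is the useful check for anyone triaging this: if the same request matches with the cache cleared and not with it populated, the difference is the cached RequestPath rather than the pattern or the UrlPathHelper settings.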
