před 9 měsíci · a5b0304596
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
@@ -65,7 +65,6 @@ import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandle
 
				 import org.springframework.security.web.firewall.ObservationMarkingRequestRejectedHandler;
			
 
				 import org.springframework.security.web.firewall.RequestRejectedHandler;
			
 
				 import org.springframework.security.web.firewall.StrictHttpFirewall;
			
 
				-import org.springframework.security.web.util.matcher.AnyRequestMatcher;
			
 
				 import org.springframework.security.web.util.matcher.RequestMatcher;
			
 
				 import org.springframework.security.web.util.matcher.RequestMatcherEntry;
			
 
				 import org.springframework.util.Assert;
			
@@ -310,20 +309,8 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 
				 			requestMatcherPrivilegeEvaluatorsEntries
			
 
				 				.add(getRequestMatcherPrivilegeEvaluatorsEntry(securityFilterChain));
			
 
				 		}
			
 
				-		DefaultSecurityFilterChain anyRequestFilterChain = null;
			
 
				 		for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : this.securityFilterChainBuilders) {
			
 
				 			SecurityFilterChain securityFilterChain = securityFilterChainBuilder.build();
			
 
				-			if (anyRequestFilterChain != null) {
			
 
				-				String message = "A filter chain that matches any request [" + anyRequestFilterChain
			
 
				-						+ "] has already been configured, which means that this filter chain [" + securityFilterChain
			
 
				-						+ "] will never get invoked. Please use `HttpSecurity#securityMatcher` to ensure that there is only one filter chain configured for 'any request' and that the 'any request' filter chain is published last.";
			
 
				-				throw new IllegalArgumentException(message);
			
 
				-			}
			
 
				-			if (securityFilterChain instanceof DefaultSecurityFilterChain defaultSecurityFilterChain) {
			
 
				-				if (defaultSecurityFilterChain.getRequestMatcher() instanceof AnyRequestMatcher) {
			
 
				-					anyRequestFilterChain = defaultSecurityFilterChain;
			
 
				-				}
			
 
				-			}
			
 
				 			securityFilterChains.add(securityFilterChain);
			
 
				 			requestMatcherPrivilegeEvaluatorsEntries
			
 
				 				.add(getRequestMatcherPrivilegeEvaluatorsEntry(securityFilterChain));
			
@@ -345,6 +332,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 
				 					new HttpStatusRequestRejectedHandler());
			
 
				 			filterChainProxy.setRequestRejectedHandler(requestRejectedHandler);
			
 
				 		}
			
 
				+		filterChainProxy.setFilterChainValidator(new WebSecurityFilterChainValidator());
			
 
				 		filterChainProxy.setFilterChainDecorator(getFilterChainDecorator());
			
 
				 		filterChainProxy.afterPropertiesSet();
			
 
				 
			
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurityFilterChainValidator.java
@@ -0,0 +1,52 @@
 
				+/*
			
 
				+ * Copyright 2002-2024 the original author or authors.
			
 
				+ *
			
 
				+ * Licensed under the Apache License, Version 2.0 (the "License");
			
 
				+ * you may not use this file except in compliance with the License.
			
 
				+ * You may obtain a copy of the License at
			
 
				+ *
			
 
				+ *      https://www.apache.org/licenses/LICENSE-2.0
			
 
				+ *
			
 
				+ * Unless required by applicable law or agreed to in writing, software
			
 
				+ * distributed under the License is distributed on an "AS IS" BASIS,
			
 
				+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			
 
				+ * See the License for the specific language governing permissions and
			
 
				+ * limitations under the License.
			
 
				+ */
			
 
				+
			
 
				+package org.springframework.security.config.annotation.web.builders;
			
 
				+
			
 
				+import java.util.List;
			
 
				+
			
 
				+import org.springframework.security.web.DefaultSecurityFilterChain;
			
 
				+import org.springframework.security.web.FilterChainProxy;
			
 
				+import org.springframework.security.web.SecurityFilterChain;
			
 
				+import org.springframework.security.web.util.matcher.AnyRequestMatcher;
			
 
				+
			
 
				+/**
			
 
				+ * A filter chain validator for filter chains built by {@link WebSecurity}
			
 
				+ *
			
 
				+ * @since 6.5
			
 
				+ */
			
 
				+final class WebSecurityFilterChainValidator implements FilterChainProxy.FilterChainValidator {
			
 
				+
			
 
				+	@Override
			
 
				+	public void validate(FilterChainProxy filterChainProxy) {
			
 
				+		List<SecurityFilterChain> chains = filterChainProxy.getFilterChains();
			
 
				+		DefaultSecurityFilterChain anyRequestFilterChain = null;
			
 
				+		for (SecurityFilterChain chain : chains) {
			
 
				+			if (anyRequestFilterChain != null) {
			
 
				+				String message = "A filter chain that matches any request [" + anyRequestFilterChain
			
 
				+						+ "] has already been configured, which means that this filter chain [" + chain
			
 
				+						+ "] will never get invoked. Please use `HttpSecurity#securityMatcher` to ensure that there is only one filter chain configured for 'any request' and that the 'any request' filter chain is published last.";
			
 
				+				throw new IllegalArgumentException(message);
			
 
				+			}
			
 
				+			if (chain instanceof DefaultSecurityFilterChain defaultChain) {
			
 
				+				if (defaultChain.getRequestMatcher() instanceof AnyRequestMatcher) {
			
 
				+					anyRequestFilterChain = defaultChain;
			
 
				+				}
			
 
				+			}
			
 
				+		}
			
 
				+	}
			
 
				+
			
 
				+}