Improve regex support for URL path matching
Closes gh-28815
This commit is contained in:
@@ -648,7 +648,7 @@ See <<mvc-config-interceptors>> in the section on MVC configuration for examples
|
||||
configure interceptors. You can also register them directly by using setters on individual
|
||||
`HandlerMapping` implementations.
|
||||
|
||||
Note that `postHandle` is less useful with `@ResponseBody` and `ResponseEntity` methods for
|
||||
`postHandle` method is less useful with `@ResponseBody` and `ResponseEntity` methods for
|
||||
which the response is written and committed within the `HandlerAdapter` and before
|
||||
`postHandle`. That means it is too late to make any changes to the response, such as adding
|
||||
an extra header. For such scenarios, you can implement `ResponseBodyAdvice` and either
|
||||
@@ -657,6 +657,7 @@ declare it as an <<mvc-ann-controller-advice>> bean or configure it directly on
|
||||
|
||||
|
||||
|
||||
|
||||
[[mvc-exceptionhandlers]]
|
||||
=== Exceptions
|
||||
[.small]#<<web-reactive.adoc#webflux-dispatcher-exceptions, WebFlux>>#
|
||||
@@ -5362,7 +5363,6 @@ the following example shows:
|
||||
public void addInterceptors(InterceptorRegistry registry) {
|
||||
registry.addInterceptor(new LocaleChangeInterceptor());
|
||||
registry.addInterceptor(new ThemeChangeInterceptor()).addPathPatterns("/**").excludePathPatterns("/admin/**");
|
||||
registry.addInterceptor(new SecurityInterceptor()).addPathPatterns("/secure/*");
|
||||
}
|
||||
}
|
||||
----
|
||||
@@ -5376,7 +5376,6 @@ the following example shows:
|
||||
override fun addInterceptors(registry: InterceptorRegistry) {
|
||||
registry.addInterceptor(LocaleChangeInterceptor())
|
||||
registry.addInterceptor(ThemeChangeInterceptor()).addPathPatterns("/**").excludePathPatterns("/admin/**")
|
||||
registry.addInterceptor(SecurityInterceptor()).addPathPatterns("/secure/*")
|
||||
}
|
||||
}
|
||||
----
|
||||
@@ -5392,13 +5391,19 @@ The following example shows how to achieve the same configuration in XML:
|
||||
<mvc:exclude-mapping path="/admin/**"/>
|
||||
<bean class="org.springframework.web.servlet.theme.ThemeChangeInterceptor"/>
|
||||
</mvc:interceptor>
|
||||
<mvc:interceptor>
|
||||
<mvc:mapping path="/secure/*"/>
|
||||
<bean class="org.example.SecurityInterceptor"/>
|
||||
</mvc:interceptor>
|
||||
</mvc:interceptors>
|
||||
----
|
||||
|
||||
NOTE: Mapped interceptors are not ideally suited as a security layer due to the potential
|
||||
for a mismatch with annotated controller path matching, which can also match trailing
|
||||
slashes and path extensions transparently, along with other path matching options. Many
|
||||
of these options have been deprecated but the potential for a mismatch remains.
|
||||
Generally, we recommend using Spring Security which includes a dedicated
|
||||
https://docs.spring.io/spring-security/reference/servlet/integrations/mvc.html#mvc-requestmatcher[MvcRequestMatcher]
|
||||
to align with Spring MVC path matching and also has a security firewall that blocks many
|
||||
unwanted characters in URL paths.
|
||||
|
||||
|
||||
|
||||
|
||||
[[mvc-config-content-negotiation]]
|
||||
|
||||
Reference in New Issue
Block a user