Combined class and method @RequestMapping without patterns should match root path as both "" and "/" #29625

Closed
rstoyanchev opened this issue Dec 2, 2022 · 0 comments
rstoyanchev commented Dec 2, 2022

Trailing slash matching was deprecated for 6.0 and the default changed to false. The motivation, as discussed in #28552, is to make mappings transparent by eliminating extras such as this, as well as others deprecated previously such as suffix patterns, path segment trimming, path decoding, and others that create a potential for vulnerabilities.

While the recommendation remains to configure redirects where trailing slashes need to be supported instead of relying on such an application-wide request mapping feature, an @RequestMapping without patterns is arguably one place where an exception can be made, and could be seen less as a trailing slash match and more as the root URL. For example:

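import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HomeController {

    // No path pattern on the class or on the method
    @GetMapping
    public String home() {
        return "Hello, World!";
    }

}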

The above should match to both http://localhost:8080 and to http://localhost:8080/. In both cases the requestURI is /, which means that the above would otherwise never match. There are other cases where the lookup path may be "", e.g. where there is a contextPath and/or servletPath, but arguably in all of these cases it's unlikely to have any ambiguity with URL security, which should be securing the root URL of the application consistently.
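The reasoning above can be checked with a small model. This is an added example, not part of the issue and not Spring's matching code: `handlerMatches`, `securedBy` and `uncovered` are hypothetical helpers, the sample paths are constructed, and the security rule is assumed to be an exact match that treats "" and "/" as the same root.

```java
import java.util.List;

// Added illustration: a simplified model, not Spring's matching code.
public class RootPathMatchDemo {

    // Handler lookup (hypothetical helper). An empty pattern stands for a combined
    // class and method @RequestMapping without patterns.
    static boolean handlerMatches(String pattern, String lookupPath, boolean trailingSlashMatch) {
        if (pattern.isEmpty()) {
            // The exception the issue asks for: the root matches as "" and as "/".
            return lookupPath.isEmpty() || lookupPath.equals("/");
        }
        if (pattern.equals(lookupPath)) {
            return true;
        }
        // Application-wide trailing slash matching, deprecated in 6.0.
        return trailingSlashMatch && lookupPath.equals(pattern + "/");
    }

    // Security rule (assumption of this model): exact match, except that the
    // root rule "/" also covers the empty lookup path.
    static boolean securedBy(String rule, String lookupPath) {
        if (rule.equals("/")) {
            return lookupPath.isEmpty() || lookupPath.equals("/");
        }
        return rule.equals(lookupPath);
    }

    // Lookup paths that reach the handler but are not covered by the rule.
    static List<String> uncovered(String pattern, String rule, boolean trailingSlashMatch, List<String> paths) {
        return paths.stream()
                .filter(p -> handlerMatches(pattern, p, trailingSlashMatch))
                .filter(p -> !securedBy(rule, p))
                .toList();
    }

    public static void main(String[] args) {
        // Constructed sample lookup paths.
        List<String> paths = List.of("", "/", "/admin", "/admin/");
        System.out.println("trailing slash match on:  " + uncovered("/admin", "/admin", true, paths));
        System.out.println("trailing slash match off: " + uncovered("/admin", "/admin", false, paths));
        System.out.println("root mapping:             " + uncovered("", "/", false, paths));
    }
}
```

Only the first call reports a path, "/admin/", which reaches the handler without falling under the exact-match rule. The root mapping reports none, because both forms of the root fall under the same rule.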

rstoyanchev added the "in: web" (Issues in web modules: web, webmvc, webflux, websocket) and "type: enhancement" (A general enhancement) labels Dec 2, 2022
rstoyanchev added this to the 6.0.3 milestone Dec 2, 2022
rstoyanchev self-assigned this Dec 2, 2022
bclozel modified the milestones: 6.0.3, 6.0.x Dec 13, 2022
rstoyanchev modified the milestones: 6.0.x, 6.0.4 Dec 15, 2022
rstoyanchev modified the milestones: 6.0.4, 6.0.5 Jan 9, 2023
rstoyanchev changed the title from: An @RequestMapping without patterns should match both "" and "/" to: Combined class and method @RequestMapping without patterns should match root path as both "" and "/" Jan 13, 2023