Endpoint, Spring Security Configuration returning: The method cannot decide whether the patterns are Spring MVC or not


The SecurityFilterChain bean in SecurityConfiguration is returning this error. I haven't found anything about this method that solved it:

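    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
            return httpSecurity
                    .csrf(csrf -> csrf.disable())
                    .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                    .authorizeHttpRequests(authorize -> authorize
                            .requestMatchers(HttpMethod.POST, "/auth/login").permitAll()
                            .requestMatchers(HttpMethod.POST, "/auth/register").permitAll()
                            .requestMatchers(HttpMethod.POST, "/product").hasRole("ADMIN")
                            .anyRequest().authenticated()
                    )
                    .build();
        }
    }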

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'securityFilterChain' threw exception with message: This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).

Caused by: java.lang.IllegalArgumentException: This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).

Andrei Lisa On BEST ANSWER

The cause is described here: CVE-2023-34035

You can also find some discussion of this topic here: 13568

As a workaround you can do something like this:

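    // Imports needed in the configuration class for this workaround:
    import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
    import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
        // Build matchers that are explicitly Spring MVC patterns
        MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
        http.authorizeHttpRequests((requests) -> requests
            .requestMatchers(mvcMatcherBuilder.pattern("/test1")).permitAll()
            .anyRequest().authenticated()
        );
        return http.build();
    }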

UPDATE 24.10.2023

For the fix and how to deal with this in the future, I suggest checking the following details (issuecomment-1759913041) from the Spring Security development team.