Correct path mismatches in Authorize HTTP Requests documentation #18376

@c-arianna

Description

In the docs at Spring Security - Servlet - Authorize HTTP Requests there is a mismatch between the paths defined in the Spring Security example configuration and the paths used in the provided test methods.

  1. In Matching Requests - Matching Using Ant the following security configuration is provided

    http
        .authorizeHttpRequests((authorize) -> authorize
            .requestMatchers("/resource/**").hasAuthority("USER")
            .anyRequest().authenticated()
        )

with this test example

    @WithMockUser(authorities="USER")
    @Test
    void endpointWhenUserAuthorityThenAuthorized() {
        this.mvc.perform(get("/endpoint/jon"))
            .andExpect(status().isOk());
    }

    @WithMockUser
    @Test
    void endpointWhenNotUserAuthorityThenForbidden() {
        this.mvc.perform(get("/endpoint/jon"))
            .andExpect(status().isForbidden());
    }

    @Test
    void anyWhenUnauthenticatedThenUnauthorized() {
        this.mvc.perform(get("/any"))
            .andExpect(status().isUnauthorized());
    }

The first and second tests use a wrong endpoint: /endpoint/jon is not defined in the configuration; it should be /resource/jon instead.

  2. In Matching By Http Method the following configuration is provided

    http
        .authorizeHttpRequests((authorize) -> authorize
            .requestMatchers(HttpMethod.GET).hasAuthority("read")
            .requestMatchers(HttpMethod.POST).hasAuthority("write")
            .anyRequest().denyAll()
        )

with this test example

    @WithMockUser(authorities="read")
    @Test
    void getWhenReadAuthorityThenAuthorized() {
        this.mvc.perform(get("/any"))
            .andExpect(status().isOk());
    }

    @WithMockUser
    @Test
    void getWhenNoReadAuthorityThenForbidden() {
        this.mvc.perform(get("/any"))
            .andExpect(status().isForbidden());
    }

    @WithMockUser(authorities="write")
    @Test
    void postWhenWriteAuthorityThenAuthorized() {
        this.mvc.perform(post("/any").with(csrf()))
            .andExpect(status().isOk());
    }

    @WithMockUser(authorities="read")
    @Test
    void postWhenNoWriteAuthorityThenForbidden() {
        this.mvc.perform(get("/any").with(csrf()))
            .andExpect(status().isForbidden());
    }

In the last test, the correct HTTP method should be POST instead of GET.
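As an added example that is not part of this issue or of the Spring Security documentation: a single-file Spring Boot application plus MockMvc test class in which every request path and HTTP method in the tests lines up with a matcher in the configuration. It assumes Spring Boot 3.x with spring-boot-starter-web, spring-boot-starter-security, spring-security-test and spring-boot-starter-test on the classpath; the package, class and endpoint names are hypothetical. It goes beyond the report in one respect: it also sends the two mismatched requests (GET /endpoint/jon without USER, and GET /any with only "read") and checks that they are authorized, which is what the documented "forbidden" tests would actually observe against that configuration.

```java
package com.example.authz;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical application: every path the tests use has a handler, so a 200 or 403
// below is the authorization decision and not a 404 from a missing mapping.
@SpringBootApplication
@RestController
class AuthzDemoApplication {

    @GetMapping("/resource/{name}")
    String resource(@PathVariable String name) { return "resource " + name; }

    @GetMapping("/endpoint/{name}")
    String endpoint(@PathVariable String name) { return "endpoint " + name; }

    @GetMapping("/any")
    String anyGet() { return "any"; }

    @PostMapping("/any")
    String anyPost() { return "posted"; }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize
                // Ant matcher from the docs: only /resource/** requires USER.
                .requestMatchers("/resource/**").hasAuthority("USER")
                // Method matcher: only POST requires "write"; GET is not covered by it.
                .requestMatchers(HttpMethod.POST).hasAuthority("write")
                .anyRequest().authenticated()
            );
        return http.build();
    }
}

@SpringBootTest(classes = AuthzDemoApplication.class)
@AutoConfigureMockMvc
class AuthzDemoTests {

    @Autowired
    MockMvc mvc;

    // The path matches the /resource/** rule, so the USER authority is what decides.
    @WithMockUser(authorities = "USER")
    @Test
    void resourceWhenUserAuthorityThenAuthorized() throws Exception {
        this.mvc.perform(get("/resource/jon")).andExpect(status().isOk());
    }

    // Default @WithMockUser carries ROLE_USER, not USER, so this is forbidden.
    @WithMockUser
    @Test
    void resourceWhenNotUserAuthorityThenForbidden() throws Exception {
        this.mvc.perform(get("/resource/jon")).andExpect(status().isForbidden());
    }

    // The path the docs' test used: it is not under /resource/**, so it falls through
    // to anyRequest().authenticated() and any mock user is allowed, USER or not.
    @WithMockUser
    @Test
    void endpointWhenNotUserAuthorityThenStillAuthorized() throws Exception {
        this.mvc.perform(get("/endpoint/jon")).andExpect(status().isOk());
    }

    // POST is what the "write" rule matches. csrf() is needed so that the 403 comes
    // from authorization rather than from the CSRF filter that runs before it.
    @WithMockUser(authorities = "read")
    @Test
    void postWhenNoWriteAuthorityThenForbidden() throws Exception {
        this.mvc.perform(post("/any").with(csrf())).andExpect(status().isForbidden());
    }

    // The request the docs' last test actually sends: GET is only "authenticated",
    // so a "read" user gets 200, never the 403 that test expects.
    @WithMockUser(authorities = "read")
    @Test
    void getWhenNoWriteAuthorityThenStillAuthorized() throws Exception {
        this.mvc.perform(get("/any")).andExpect(status().isOk());
    }
}
```

Both classes are package-private so they can live in one file under src/test/java; JUnit 5 discovers non-public test classes. No httpBasic or formLogin is configured, so an unauthenticated request in this setup is answered by the default entry point rather than with the 401 the documented anyWhenUnauthenticatedThenUnauthorized test expects; add .httpBasic(Customizer.withDefaults()) to the chain if that test is wanted as well.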

Labels

in: docs (An issue in Documentation or samples), type: enhancement (A general enhancement)
