Spring Security: How to use multiple URL patterns in FilterRegistrationBean?

Question

I have a bean

@Bean
public FilterRegistrationBean animalsFilterRegistration() {
    FilterRegistrationBean registration = new FilterRegistrationBean();
    registration.setFilter(new AnimalsFilter());
    registration.addUrlPatterns(
        "/api/cat",
        "/api/cat/**",
        "/api/dog"
    );
    ...
    return registration;
}

In that bean, I use two patterns for /api/cat** URLs. The problem is that when I try to call endpoints with complex postfix ( /api/cat/1/feed ), my filter does not intercept the request. But it's OK when I call /api/cat and /api/got endpoints -- filter works as expected and intercepts requests.

How can I use multiple URL patterns for my case ( /api/cat , /api/cat/** )?

PS

I have tried to use next pattern combinations:

1) /api/cat, /api/cat**, /api/dog
2) /api/cat, /api/cat/**, /api/dog
3) /api/cat**, /api/dog

Answer 1

As mentioned by @Tarun Lalwani, you need to use * instead of ** , because ** is not a valid url pattern in this case.

In your case, try the following:

    registration.addUrlPatterns(
        "/api/cat",
        "/api/cat/*",
        "/api/dog",
        "/api/dog/*"
    );

those would match /api/cat/1 , /api/cat/1/feed , /api/dog/1 , /api/dog/1/feed , ...

If you want to replicate the /api/* behavior that would, only match /api/this but /api/not/that , then you need to use the following pattern: /api/*/ .

Answer 2

If you look at the documentation

https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/api/org/springframework/boot/web/servlet/FilterRegistrationBean.html

When no URL pattern or servlets are specified the filter will be associated to '/*'

As you can see * is the pattern used by spring and not ** . ** is usually a glob used by bash , golang . But spring uses * only. So what you need is just

registration.addUrlPatterns(
        "/api/cat",
        "/api/cat/*",
        "/api/dog",
        "/api/dog/*"
    );

The ** patterns are usually used in the security filters

https://docs.spring.io/spring-security/site/docs/current/reference/html/security-filter-chain.html#filter-chain-proxy

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
    <list>
    <sec:filter-chain pattern="/restful/**" filters="
        securityContextPersistenceFilterWithASCFalse,
        basicAuthenticationFilter,
        exceptionTranslationFilter,
        filterSecurityInterceptor" />
    <sec:filter-chain pattern="/**" filters="
        securityContextPersistenceFilterWithASCTrue,
        formLoginFilter,
        exceptionTranslationFilter,
        filterSecurityInterceptor" />
    </list>
</constructor-arg>
</bean>

Answer 3

my problem is: the filter is being called on every endpoint call, ignoring the patterns i've set:

myBean.setUrlPatterns(Arrays.asList("/cat/*","/dog/*","/serpent/*"));

i've created the bean inside @SpringBootApplication class.

so if i call http://server/api/animal/elephant the filter is being hit, and i don't think this is the expected behaviour since i've set the url patterns