spring-projects
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java‎
Lines changed: 3 additions & 1 deletion b/‎config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java‎
Lines changed: 1 addition & 3 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java‎
Lines changed: 1 addition & 3 deletions
diff --git a/‎config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java‎
Lines changed: 62 additions & 0 deletions b/‎config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java‎
Lines changed: 43 additions & 0 deletions b/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java‎
Lines changed: 35 additions & 0 deletions b/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/PasswordManagementConfigurerTests.java‎
Lines changed: 34 additions & 0 deletions b/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/PasswordManagementConfigurerTests.java‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java‎
Lines changed: 41 additions & 0 deletions b/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java‎
Lines changed: 41 additions & 0 deletions
@@ -2033,7 +2033,9 @@ public HttpSecurity securityMatcher(RequestMatcher requestMatcher) {
 	 */
 	public HttpSecurity securityMatcher(String... patterns) {
 		List<RequestMatcher> matchers = new ArrayList<>();
-		PathPatternRequestMatcher.Builder builder = getSharedObject(PathPatternRequestMatcher.Builder.class);
+		ApplicationContext context = getSharedObject(ApplicationContext.class);
+		PathPatternRequestMatcher.Builder builder = context.getBeanProvider(PathPatternRequestMatcher.Builder.class)
+			.getIfUnique(() -> getSharedObject(PathPatternRequestMatcher.Builder.class));
 		for (String pattern : patterns) {
 			matchers.add(builder.matcher(pattern));
 		}
 
@@ -239,9 +239,7 @@ private Map<Class<?>, Object> createSharedObjects() {
 		Map<Class<?>, Object> sharedObjects = new HashMap<>();
 		sharedObjects.put(ApplicationContext.class, this.context);
 		sharedObjects.put(ContentNegotiationStrategy.class, this.contentNegotiationStrategy);
-		sharedObjects.put(PathPatternRequestMatcher.Builder.class,
-				this.context.getBeanProvider(PathPatternRequestMatcher.Builder.class)
-					.getIfUnique(() -> constructRequestMatcherBuilder(this.context)));
+		sharedObjects.put(PathPatternRequestMatcher.Builder.class, constructRequestMatcherBuilder(this.context));
 		return sharedObjects;
 	}
 
 
@@ -37,6 +37,7 @@
 import org.springframework.mock.web.MockServletContext;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.security.config.web.PathPatternRequestMatcherBuilderFactoryBean;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -110,6 +111,21 @@ public void requestRejectedHandlerInvokedWhenOperationalObservationRegistry() th
 		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
 	}
 
+	// gh-19128
+	@Test
+	public void ignoringWhenBuilderBeanWithBasePathThenHonorsBasePath() throws Exception {
+		loadConfig(IgnoringBuilderBeanConfig.class);
+		this.request.setServletPath("/spring");
+		this.request.setRequestURI("/spring/path");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
+		setup();
+		this.request.setServletPath("");
+		this.request.setRequestURI("/path");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+	}
+
 	public void loadConfig(Class<?>... configs) {
 		this.context = new AnnotationConfigWebApplicationContext();
 		this.context.register(configs);
@@ -201,6 +217,52 @@ String path() {
 
 	}
 
+	// gh-19128
+	@EnableWebSecurity
+	@Configuration
+	@EnableWebMvc
+	static class IgnoringBuilderBeanConfig {
+
+		@Bean
+		PathPatternRequestMatcherBuilderFactoryBean requestMatcherBuilder() {
+			PathPatternRequestMatcherBuilderFactoryBean bean = new PathPatternRequestMatcherBuilderFactoryBean();
+			bean.setBasePath("/spring");
+			return bean;
+		}
+
+		@Bean
+		WebSecurityCustomizer webSecurityCustomizer() {
+			return (web) -> web.ignoring().requestMatchers("/path");
+		}
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.httpBasic(withDefaults())
+				.authorizeHttpRequests((requests) -> requests
+					.anyRequest().denyAll());
+			// @formatter:on
+			return http.build();
+		}
+
+		@Bean
+		UserDetailsService userDetailsService() {
+			return new InMemoryUserDetailsManager(PasswordEncodedUser.user());
+		}
+
+		@RestController
+		static class PathController {
+
+			@RequestMapping("/path")
+			String path() {
+				return "path";
+			}
+
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	static class RequestRejectedHandlerConfig {
 
@@ -40,6 +40,7 @@
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.config.users.AuthenticationTestConfiguration;
+import org.springframework.security.config.web.PathPatternRequestMatcherBuilderFactoryBean;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextChangedListener;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -153,6 +154,17 @@ public void loginWhenFormLoginConfiguredThenHasDefaultFailureUrl() throws Except
 		// @formatter:on
 	}
 
+	// gh-19128
+	@Test
+	public void loginWhenBuilderBeanWithBasePathThenLoginProcessingUrlIgnoresBasePath() throws Exception {
+		this.spring.register(FormLoginBuilderBeanConfig.class).autowire();
+		// @formatter:off
+		this.mockMvc.perform(formLogin().user("invalid"))
+				.andExpect(status().isFound())
+				.andExpect(redirectedUrl("/login?error"));
+		// @formatter:on
+	}
+
 	@Test
 	public void loginWhenFormLoginConfiguredThenHasDefaultSuccessUrl() throws Exception {
 		this.spring.register(FormLoginConfig.class).autowire();
@@ -519,6 +531,37 @@ UserDetailsService userDetailsService() {
 
 	}
 
+	// gh-19128
+	@Configuration
+	@EnableWebSecurity
+	@EnableWebMvc
+	static class FormLoginBuilderBeanConfig {
+
+		@Bean
+		PathPatternRequestMatcherBuilderFactoryBean requestMatcherBuilder() {
+			PathPatternRequestMatcherBuilderFactoryBean bean = new PathPatternRequestMatcherBuilderFactoryBean();
+			bean.setBasePath("/spring");
+			return bean;
+		}
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeHttpRequests((requests) -> requests
+					.anyRequest().authenticated())
+				.formLogin(withDefaults());
+			// @formatter:on
+			return http.build();
+		}
+
+		@Bean
+		UserDetailsService userDetailsService() {
+			return new InMemoryUserDetailsManager(PasswordEncodedUser.user());
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	static class FormLoginInLambdaConfig {
 
@@ -35,6 +35,7 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.config.web.PathPatternRequestMatcherBuilderFactoryBean;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -127,6 +128,17 @@ public void logoutWhenInvokedTwiceThenUsesOriginalLogoutUrl() throws Exception {
 		// @formatter:on
 	}
 
+	// gh-19128
+	@Test
+	public void logoutWhenBuilderBeanWithBasePathThenLogoutUrlIgnoresBasePath() throws Exception {
+		this.spring.register(LogoutBuilderBeanConfig.class).autowire();
+		// @formatter:off
+		this.mvc.perform(post("/logout").with(csrf()))
+				.andExpect(status().isFound())
+				.andExpect(redirectedUrl("/login?logout"));
+		// @formatter:on
+	}
+
 	// SEC-2311
 	@Test
 	public void logoutWhenGetRequestAndCsrfDisabledThenRedirectsToLogin() throws Exception {
@@ -524,6 +536,29 @@ UserDetailsService userDetailsService() {
 
 	}
 
+	// gh-19128
+	@Configuration
+	@EnableWebSecurity
+	static class LogoutBuilderBeanConfig {
+
+		@Bean
+		PathPatternRequestMatcherBuilderFactoryBean requestMatcherBuilder() {
+			PathPatternRequestMatcherBuilderFactoryBean bean = new PathPatternRequestMatcherBuilderFactoryBean();
+			bean.setBasePath("/spring");
+			return bean;
+		}
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.logout(withDefaults());
+			// @formatter:on
+			return http.build();
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	static class CsrfDisabledConfig {
 
@@ -26,6 +26,7 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.config.web.PathPatternRequestMatcherBuilderFactoryBean;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.test.web.servlet.MockMvc;
 
@@ -66,6 +67,16 @@ public void whenChangePasswordPageSetThenSpecifiedChangePasswordPageUsed() throw
 			.andExpect(redirectedUrl("/custom-change-password-page"));
 	}
 
+	// gh-19128
+	@Test
+	public void changePasswordWhenBuilderBeanWithBasePathThenChangePasswordUrlIgnoresBasePath() throws Exception {
+		this.spring.register(PasswordManagementBuilderBeanConfig.class).autowire();
+
+		this.mvc.perform(get("/.well-known/change-password"))
+			.andExpect(status().isFound())
+			.andExpect(redirectedUrl("/change-password"));
+	}
+
 	@Test
 	public void whenSettingNullChangePasswordPage() {
 		PasswordManagementConfigurer configurer = new PasswordManagementConfigurer();
@@ -102,6 +113,29 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
 	}
 
+	// gh-19128
+	@Configuration
+	@EnableWebSecurity
+	static class PasswordManagementBuilderBeanConfig {
+
+		@Bean
+		PathPatternRequestMatcherBuilderFactoryBean requestMatcherBuilder() {
+			PathPatternRequestMatcherBuilderFactoryBean bean = new PathPatternRequestMatcherBuilderFactoryBean();
+			bean.setBasePath("/spring");
+			return bean;
+		}
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			return http
+					.passwordManagement(withDefaults())
+					.build();
+			// @formatter:on
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	static class PasswordManagementWithCustomChangePasswordPageConfig {
 
@@ -34,6 +34,7 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.config.web.PathPatternRequestMatcherBuilderFactoryBean;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.test.web.servlet.RequestCacheResultMatcher;
@@ -185,6 +186,21 @@ public void getWhenBookmarkedRequestIsWebSocketThenPostAuthenticationRedirectsTo
 		this.mvc.perform(formLogin(session)).andExpect(redirectedUrl("/"));
 	}
 
+	// gh-19128
+	@Test
+	public void getWhenBuilderBeanWithBasePathThenSavedRequestMatcherIgnoresBasePath() throws Exception {
+		this.spring.register(RequestCacheBuilderBeanConfig.class, DefaultSecurityConfig.class).autowire();
+		MockHttpServletRequestBuilder request = get("/messages").header(HttpHeaders.ACCEPT, MediaType.TEXT_HTML);
+		// @formatter:off
+		MockHttpSession session = (MockHttpSession) this.mvc.perform(request)
+				.andExpect(redirectedUrl("/login"))
+				.andReturn()
+				.getRequest()
+				.getSession();
+		// @formatter:on
+		this.mvc.perform(formLogin(session)).andExpect(RequestCacheResultMatcher.redirectToCachedRequest());
+	}
+
 	@Test
 	public void getWhenBookmarkedRequestIsAllMediaTypeThenPostAuthenticationRemembers() throws Exception {
 		this.spring.register(RequestCacheDefaultsConfig.class, DefaultSecurityConfig.class).autowire();
@@ -401,6 +417,31 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
 	}
 
+	// gh-19128
+	@Configuration
+	@EnableWebSecurity
+	static class RequestCacheBuilderBeanConfig {
+
+		@Bean
+		PathPatternRequestMatcherBuilderFactoryBean requestMatcherBuilder() {
+			PathPatternRequestMatcherBuilderFactoryBean bean = new PathPatternRequestMatcherBuilderFactoryBean();
+			bean.setBasePath("/spring");
+			return bean;
+		}
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeHttpRequests((requests) -> requests
+					.anyRequest().authenticated())
+				.formLogin(withDefaults());
+			// @formatter:on
+			return http.build();
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	static class RequestCacheDisabledConfig {