spring-security: Security configuration fails to initialize in a Servlet 6.0 container

Describe the bug

I tried to update my example Spring project to the latest Spring 6.1 and Spring Security 6.2, but it cannot be started in a Tomcat 10 or Jetty 11 container.

The example project: https://github.com/hantsy/spring6-sandbox/tree/master/mvc-freemarker

To Reproduce

  1. Run docker compose up postgres in the root folder to start Postgres.
  2. Switch to this project folder, and run mvn clean package cargo:run -Ptomcat or mvn clean package cargo:run -Pjetty to run the application on an embedded Tomcat or Jetty.

Expected behavior

NOTICE THIS —> The original project is working with Spring 6.0.x/Spring Security 6.1.x

Now I got an exception like this.

[INFO] [talledLocalContainer] 2023-09-12 17:10:20,454 WARN  [main] org.springframework.context.support.AbstractApplicationContext: Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration: Failed to instantiate [jakarta.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception with message: Section 4.4 of the Servlet 3.0 specification does not permit this method to be called from a ServletContextListener that was not defined in web.xml, a web-fragment.xml file nor annotated with @WebListener
[INFO] [talledLocalContainer] 2023-09-12 17:10:20,459 ERROR [main] org.springframework.web.context.ContextLoader: Context initialization failed
[INFO] [talledLocalContainer] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration: Failed to instantiate [jakarta.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception with message: Section 4.4 of the Servlet 3.0 specification does not permit this method to be called from a ServletContextListener that was not defined in web.xml, a web-fragment.xml file nor annotated with @WebListener
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:654)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:488)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1336)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1166)        
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:563)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:523)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:325)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:312)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:973)
[INFO] [talledLocalContainer]   at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:939)
[INFO] [talledLocalContainer]   at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:608)
[INFO] [talledLocalContainer]   at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)
[INFO] [talledLocalContainer]   at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)
[INFO] [talledLocalContainer]   at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:102)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4420)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4860)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:683)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:658)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:713)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:975)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1949)
[INFO] [talledLocalContainer]   at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
[INFO] [talledLocalContainer]   at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
[INFO] [talledLocalContainer]   at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
[INFO] [talledLocalContainer]   at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:123)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:776)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:426)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1656)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:114)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:345)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:893)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:846)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1332)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1322)
[INFO] [talledLocalContainer]   at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
[INFO] [talledLocalContainer]   at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
[INFO] [talledLocalContainer]   at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:866)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:241)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardService.startInternal(StandardService.java:433)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:918)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.Catalina.start(Catalina.java:795)
[INFO] [talledLocalContainer]   at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
[INFO] [talledLocalContainer]   at java.base/java.lang.reflect.Method.invoke(Method.java:580)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:347)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
[INFO] [talledLocalContainer] Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [jakarta.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception with message: Section 4.4 of the Servlet 3.0 specification does not permit this method to be called from a ServletContextListener that was not defined in web.xml, a web-fragment.xml file nor annotated with @WebListener
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:171)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:650)
[INFO] [talledLocalContainer]   ... 56 common frames omitted
[INFO] [talledLocalContainer] Caused by: java.lang.UnsupportedOperationException: Section 4.4 of the Servlet 3.0 specification does not permit this method to be called from a ServletContextListener that was not defined in web.xml, a web-fragment.xml file nor annotated with @WebListener
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardContext$NoPluggabilityServletContext.getServletRegistrations(StandardContext.java:6197)
[INFO] [talledLocalContainer]   at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.mappableServletRegistrations(AbstractRequestMatcherRegistry.java:215)
[INFO] [talledLocalContainer]   at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.requestMatchers(AbstractRequestMatcherRegistry.java:199)
[INFO] [talledLocalContainer]   at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.requestMatchers(AbstractRequestMatcherRegistry.java:276)
[INFO] [talledLocalContainer]   at com.example.demo.SecurityConfig.lambda$ignoringCustomizer$0(SecurityConfig.java:39)
[INFO] [talledLocalContainer]   at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:119)
[INFO] [talledLocalContainer]   at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
[INFO] [talledLocalContainer]   at java.base/java.lang.reflect.Method.invoke(Method.java:580)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:139)
[INFO] [talledLocalContainer]   ... 57 common frames omitted
[INFO] [talledLocalContainer] 9月 12, 2023 5:10:20 下午 org.apache.catalina.core.StandardContext listenerStart
[INFO] [talledLocalContainer] SEVERE: Exception sending context initialized event to listener instance of class [org.springframework.web.context.ContextLoaderListener]
[INFO] [talledLocalContainer] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration: Failed to instantiate [jakarta.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception with message: Section 4.4 of the Servlet 3.0 specification does not permit this method to be called from a ServletContextListener that was not defined in web.xml, a web-fragment.xml file nor annotated with @WebListener
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:654)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:488)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1336)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1166)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:563)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:523)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:325)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:312)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:973)
[INFO] [talledLocalContainer]   at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:939)
[INFO] [talledLocalContainer]   at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:608)
[INFO] [talledLocalContainer]   at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)
[INFO] [talledLocalContainer]   at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)
[INFO] [talledLocalContainer]   at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:102)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4420)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4860)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:683)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:658)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:713)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:975)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1949)
[INFO] [talledLocalContainer]   at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
[INFO] [talledLocalContainer]   at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
[INFO] [talledLocalContainer]   at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
[INFO] [talledLocalContainer]   at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:123)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:776)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:426)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1656)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:114)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:345)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:893)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:846)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1332)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1322)
[INFO] [talledLocalContainer]   at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
[INFO] [talledLocalContainer]   at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
[INFO] [talledLocalContainer]   at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:866)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:241)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardService.startInternal(StandardService.java:433)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:918)
[INFO] [talledLocalContainer]   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.Catalina.start(Catalina.java:795)
[INFO] [talledLocalContainer]   at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
[INFO] [talledLocalContainer]   at java.base/java.lang.reflect.Method.invoke(Method.java:580)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:347)
[INFO] [talledLocalContainer]   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
[INFO] [talledLocalContainer] Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [jakarta.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception with message: Section 4.4 of the Servlet 3.0 specification does not permit this method to be called from a ServletContextListener that was not defined in web.xml, a web-fragment.xml file nor annotated with @WebListener
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:171)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:650)
[INFO] [talledLocalContainer]   ... 56 more
[INFO] [talledLocalContainer] Caused by: java.lang.UnsupportedOperationException: Section 4.4 of the Servlet 3.0 specification does not permit this method to be called from a ServletContextListener that was not defined in web.xml, a web-fragment.xml file nor annotated with @WebListener
[INFO] [talledLocalContainer]   at org.apache.catalina.core.StandardContext$NoPluggabilityServletContext.getServletRegistrations(StandardContext.java:6197)
[INFO] [talledLocalContainer]   at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.mappableServletRegistrations(AbstractRequestMatcherRegistry.java:215)
[INFO] [talledLocalContainer]   at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.requestMatchers(AbstractRequestMatcherRegistry.java:199)
[INFO] [talledLocalContainer]   at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.requestMatchers(AbstractRequestMatcherRegistry.java:276)
[INFO] [talledLocalContainer]   at com.example.demo.SecurityConfig.lambda$ignoringCustomizer$0(SecurityConfig.java:39)
[INFO] [talledLocalContainer]   at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:119)
[INFO] [talledLocalContainer]   at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
[INFO] [talledLocalContainer]   at java.base/java.lang.reflect.Method.invoke(Method.java:580)
[INFO] [talledLocalContainer]   at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:139)
[INFO] [talledLocalContainer]   ... 57 more
[INFO] [talledLocalContainer] 
[INFO] [talledLocalContainer] 9月 12, 2023 5:10:20 下午 org.apache.catalina.core.StandardContext startInternal
[INFO] [talledLocalContainer] SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file
[INFO] [talledLocalContainer] 9月 12, 2023 5:10:20 下午 org.apache.catalina.core.StandardContext startInternal
[INFO] [talledLocalContainer] SEVERE: Context [/demo] startup failed due to previous errors

There is a line indicating it is caused by WebSecurityCustomizer:

at com.example.demo.SecurityConfig.lambda$ignoringCustomizer$0(SecurityConfig.java:39)

The ignoringCustomizer method is like this.

@Bean
public WebSecurityCustomizer ignoringCustomizer() {
    // antMatchers -> requestMatchers
    return (web) -> web.ignoring().requestMatchers("/css/**", "/images/**");
}

Reproducible Example

Check this minimal, reproducible sample.

About this issue

  • State: closed
  • Created 10 months ago
  • Comments: 24 (6 by maintainers)

Most upvoted comments

Thanks for the report and the sample. I’ve deferred the ServletContext-based validations to runtime by first testing to see if they are available.

This won’t affect Boot applications as the ServletContext API is available at runtime in those circumstances.

Will you please check the SNAPSHOT version to see if the issue is resolved?

@jzheaux

Thank you for your response.

As you suggested, I moved the Security settings from the constructor of HelloSecurityInitializer to getServletConfigClasses().

I also removed the HandlerMappingIntrospector bean that I was creating on purpose.

I added a test to try to access the example main page once with Gretty (Tomcat 10.1.x), and confirmed that it works fine and doesn’t send a 500 response like it used to. (Spring Security 5.8.9-SNAPSHOT environment)

Thank you. Have a good day. 👍


I apologize for the previous test code being incorrect.

There was a potential for occasional test failures because Gretty’s random port was being acquired in the wrong way.

I have made corrections regarding this issue.

Thank you. Have a good day. 👍

@mklinkj, please try and apply the same change to your HelloWebInitializer. When using Spring MVC, you should register your security configuration alongside it like so:

public class HelloWebInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
  @Override
  protected Class<?>[] getRootConfigClasses() {
    return null;
  }

  @Override
  protected Class<?>[] getServletConfigClasses() {
    return new Class<?>[] {HelloSecurityConfig.class, HelloWebConfig.class};
  }

  @Override
  protected String[] getServletMappings() {
    return new String[] {"/"};
  }
}

And not specify it in HelloSecurityInitializer:

public class HelloSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}

This is largely because Spring Security needs to be able to see some Spring MVC configuration to correctly construct MVC request matchers. It cannot, though, when it is configured in a separate application context (the result of your app’s existing arrangement).

You can see an example of this in Spring Security Samples. You can also read some detail about this in the reference, though there is a ticket I’ve just added to clarify this use case.

Also, I think that the error message could be improved in this case, so I’ve created https://github.com/spring-projects/spring-security/issues/14221 as well to address that.

I have updated my example project to use the snapshot version, and got the following result.

First, start up a db using the docker compose file in the repo root.

docker compose up postgres

Then start to build and deploy on Servlet containers.

mvn clean package cargo:run -Ptomcat 
mvn clean package cargo:run -Pjetty
mvn clean wildfly:run -Pwildfly

All are started successfully.

Tomcat 10.1.15

Tomcat startup is OK, but when accessing the home page, http://localhost:8080/demo/posts, I got the following exception, and I cannot get through to any pages.

[INFO] [talledLocalContainer] java.lang.UnsupportedOperationException: 
Section 4.4 of the Servlet 3.0 specification does not permit this method to be 
called from a ServletContextListener that was not defined in web.xml, a 
web-fragment.xml file nor annotated with @WebListener

From https://tomcat.apache.org/whichversion.html, Tomcat 10.1.x should also include Servlet 6.0 spec support.

Jetty 12.0.3

Jetty is running well: I open a browser and navigate to http://localhost:8080/demo/posts, am redirected to the login page, and login is OK.

But some endpoint protection does not work as expected.

  • Logged in as user/password.
  • In the new posts page, add title and content.
  • Saving the post causes a 403 error.

The same error occurs when updating posts.

From the logging, it seems it failed due to a CSRF token. I do not use any CSRF hidden form fields in my FreeMarker template. Not sure why it triggers the CSRF token validation.

  • Do I have to disable it explicitly if I do not want to use it?
  • If I only want to use CSRF in some forms (not all forms), how do I handle that?

Wildfly 30.0.0.Final

Similar to Jetty, startup is OK; when accessing http://localhost:8080/demo/posts, I go to the login page and login is OK, but I got Forbidden when adding new posts.
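
Added example, not part of the thread or of the reporter's project: Spring Security enables CSRF protection by default, so a POST that carries no valid token is rejected with 403, which is the behaviour described above for saving and updating posts. The sketch keeps CSRF on, exempts a single path, and serves static resources with permitAll() and explicit matchers instead of web.ignoring(); the class name, the /hooks/** path, the package, and the assumption that the FreeMarker view can read the _csrf request attribute are illustrative.

```java
package com.example.demo; // assumed package, matching the stack trace above

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import static org.springframework.security.config.Customizer.withDefaults;

// Hypothetical configuration class for illustration only.
@Configuration
@EnableWebSecurity
public class CsrfAwareSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                // Static resources stay inside the filter chain (security headers
                // still apply) but need no login. Explicit RequestMatcher instances
                // are passed rather than String patterns.
                .requestMatchers(
                    AntPathRequestMatcher.antMatcher("/css/**"),
                    AntPathRequestMatcher.antMatcher("/images/**")).permitAll()
                .anyRequest().authenticated())
            .csrf(csrf -> csrf
                // CSRF stays enabled for every state-changing request except this
                // one path (hypothetical: a non-browser callback endpoint that
                // authenticates by other means). Browser forms are NOT exempted.
                .ignoringRequestMatchers(AntPathRequestMatcher.antMatcher("/hooks/**")))
            .formLogin(withDefaults());
        return http.build();
    }
}

// Every browser form that POSTs must then send the token. In a FreeMarker
// template (assuming the view exposes the "_csrf" request attribute):
//
//   <form method="post" action="/demo/posts">
//     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
//     ...
//   </form>
//
// Disabling CSRF globally with csrf.disable() removes the 403 as well, but it
// also removes the protection for every session-authenticated form in the app.
```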