Description
Expected Behavior
http.securityMatcher("/actuator/**")
I expected the above to match all actuator endpoints and apply the security filter configuration.
Current Behavior
If there are more servlet contexts deployed (?) under a subpath, the security matcher tries to match against the relative path from that other servlet context. Specifically, after adding the hawtio project, I can see that during a request to /actuator/hawtio/keycloak/enabled, the configured matcher is compared to the enabled path, and since enabled doesn't match /actuator/**, the current filter chain is skipped and the next one is tried.
Context
I've marked this as an enhancement instead of a bug, because I presume this could be considered a desired behavior. The solution perhaps could be to explicitly specify this in the javadoc of securityMatcher?
A workaround in my case is to use http.securityMatcher(request -> request.getServletPath().startsWith("/actuator"))
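
A reusable form of the workaround above, as an added example that is not part of the original report or of Spring Security itself: a RequestMatcher that decides on the full path within the application (servlet path plus path info), so the outcome does not depend on which servlet mapping received the request, and that only matches on a path-segment boundary. The class name AppPathPrefixMatcher is hypothetical, and the code assumes Spring Security 6 with the jakarta.servlet API.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Added example (hypothetical class): selects a filter chain by the path
 * within the web application, independent of the servlet mapping in use.
 *
 * Usage: http.securityMatcher(new AppPathPrefixMatcher("/actuator"))
 */
public final class AppPathPrefixMatcher implements RequestMatcher {

    private final String prefix; // e.g. "/actuator", without a trailing slash

    public AppPathPrefixMatcher(String prefix) {
        if (prefix == null || !prefix.startsWith("/") || prefix.endsWith("/")) {
            throw new IllegalArgumentException("prefix must look like /actuator");
        }
        this.prefix = prefix;
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        return matchesPath(appPath(request));
    }

    /**
     * Rebuilds the application-relative path. For a servlet mapped at a
     * subpath, getServletPath() holds the mapped part and getPathInfo()
     * holds the remainder (for example "/enabled"), so both are needed.
     */
    static String appPath(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        return (servletPath == null ? "" : servletPath)
                + (pathInfo == null ? "" : pathInfo);
    }

    /**
     * Matches "/actuator" and "/actuator/...", but not "/actuator-other",
     * which a bare startsWith("/actuator") check would also accept.
     */
    boolean matchesPath(String path) {
        return path.equals(prefix) || path.startsWith(prefix + "/");
    }
}
```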