From eda35e8074da938567dec2cb2af106b0b4df5ff5 Mon Sep 17 00:00:00 2001 From: rstoyanchev Date: Fri, 8 Sep 2023 09:17:59 +0100 Subject: [PATCH] Add note to the interceptor section of the MVC config Closes gh-31185 --- .../ROOT/pages/web/webmvc/mvc-config/interceptors.adoc | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/framework-docs/modules/ROOT/pages/web/webmvc/mvc-config/interceptors.adoc b/framework-docs/modules/ROOT/pages/web/webmvc/mvc-config/interceptors.adoc index ccbf3433b2e..ba64b998005 100644 --- a/framework-docs/modules/ROOT/pages/web/webmvc/mvc-config/interceptors.adoc +++ b/framework-docs/modules/ROOT/pages/web/webmvc/mvc-config/interceptors.adoc @@ -52,7 +52,7 @@ The following example shows how to achieve the same configuration in XML: ---- -NOTE: Mapped interceptors are not ideally suited as a security layer due to the potential +NOTE: Interceptors are not ideally suited as a security layer due to the potential for a mismatch with annotated controller path matching, which can also match trailing slashes and path extensions transparently, along with other path matching options. Many of these options have been deprecated but the potential for a mismatch remains. @@ -61,6 +61,12 @@ https://docs.spring.io/spring-security/reference/servlet/integrations/mvc.html#m to align with Spring MVC path matching and also has a security firewall that blocks many unwanted characters in URL paths. +NOTE: The XML config declares interceptors as `MappedInterceptor` beans, and those are in +turn detected by any `HandlerMapping` bean, including those from other frameworks. +By contrast, the Java config passes interceptors only to the `HandlerMapping` beans it manages. +To re-use the same interceptors across Spring MVC and other framework `HandlerMapping` +beans with the MVC Java config, either declare `MappedInterceptor` beans, or conifgure the +same interceptors in both the Java config and in other `HandlerMapping` beans.