spring-projects · wonderfulrosemari · Feb 18, 2026
diff --git a/...c/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/...c/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@@ -177,6 +177,7 @@ public HttpSecurity(ObjectPostProcessor<Object> objectPostProcessor,
 		}
 		ApplicationContext context = (ApplicationContext) sharedObjects.get(ApplicationContext.class);
 		this.requestMatcherConfigurer = new RequestMatcherConfigurer(context);
+		setSharedObject(RequestMatcher.class, this.requestMatcher);
 	}
 
 	private ApplicationContext getContext() {
@@ -2013,6 +2014,7 @@ public HttpSecurity securityMatchers(Customizer<RequestMatcherConfigurer> reques
 	 */
 	public HttpSecurity securityMatcher(RequestMatcher requestMatcher) {
 		this.requestMatcher = requestMatcher;
+		setSharedObject(RequestMatcher.class, this.requestMatcher);
 		return this;
 	}
 
@@ -2038,6 +2040,7 @@ public HttpSecurity securityMatcher(String... patterns) {
 			matchers.add(builder.matcher(pattern));
 		}
 		this.requestMatcher = new OrRequestMatcher(matchers);
+		setSharedObject(RequestMatcher.class, this.requestMatcher);
 		return this;
 	}
 

diff --git a/...ework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java b/...ework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
@@ -17,8 +17,10 @@
 package org.springframework.security.config.annotation.web.configurers.oauth2.client;
 
 import java.lang.reflect.Field;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import jakarta.servlet.http.HttpServletRequest;
@@ -84,7 +86,9 @@
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
 import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.RedirectStrategy;
+import org.springframework.security.web.access.PathPatternRequestTransformer;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.session.SessionAuthenticationException;
@@ -164,6 +168,8 @@
 public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		extends AbstractAuthenticationFilterConfigurer<B, OAuth2LoginConfigurer<B>, OAuth2LoginAuthenticationFilter> {
 
+	private final Log logger = LogFactory.getLog(getClass());
+
 	private final AuthorizationEndpointConfig authorizationEndpointConfig = new AuthorizationEndpointConfig();
 
 	private final TokenEndpointConfig tokenEndpointConfig = new TokenEndpointConfig();
@@ -404,6 +410,53 @@ public void configure(B http) {
 		}
 		configureOidcSessionRegistry(http);
 		super.configure(http);
+		warnIfSecurityMatcherDoesNotMatchEndpoints(http);
+	}
+
+	private void warnIfSecurityMatcherDoesNotMatchEndpoints(B http) {
+		RequestMatcher securityMatcher = http.getSharedObject(RequestMatcher.class);
+		if (securityMatcher == null || securityMatcher instanceof AnyRequestMatcher) {
+			return;
+		}
+		List<String> unmatchedEndpoints = new ArrayList<>();
+		String authorizationRequestEndpoint = getAuthorizationRequestEndpointPattern();
+		if (authorizationRequestEndpoint != null && !matches(securityMatcher, authorizationRequestEndpoint)) {
+			unmatchedEndpoints.add(authorizationRequestEndpoint);
+		}
+		String authorizationResponseEndpoint = getAuthorizationResponseEndpointPattern();
+		if (!matches(securityMatcher, authorizationResponseEndpoint)) {
+			unmatchedEndpoints.add(authorizationResponseEndpoint);
+		}
+		if (!unmatchedEndpoints.isEmpty()) {
+			this.logger.warn("The configured securityMatcher (" + securityMatcher
+					+ ") does not match the oauth2Login() endpoint(s) " + unmatchedEndpoints + ". Requests to these"
+					+ " endpoints may return 404. Consider updating HttpSecurity#securityMatcher to include these"
+					+ " endpoint(s).");
+		}
+	}
+
+	private String getAuthorizationRequestEndpointPattern() {
+		if (this.authorizationEndpointConfig.authorizationRequestResolver != null) {
+			return null;
+		}
+		String baseUri = (this.authorizationEndpointConfig.authorizationRequestBaseUri != null)
+				? this.authorizationEndpointConfig.authorizationRequestBaseUri
+				: OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
+		return baseUri + "/{registrationId}";
+	}
+
+	private String getAuthorizationResponseEndpointPattern() {
+		return (this.redirectionEndpointConfig.authorizationResponseBaseUri != null)
+				? this.redirectionEndpointConfig.authorizationResponseBaseUri : this.loginProcessingUrl;
+	}
+
+	private boolean matches(RequestMatcher securityMatcher, String endpointPattern) {
+		String endpointPath = endpointPattern.replaceAll("\\{[^/]+}", "registration-id")
+			.replace("*", "registration-id");
+		PathPatternRequestTransformer requestTransformer = new PathPatternRequestTransformer();
+		HttpServletRequest request = requestTransformer
+			.transform(new FilterInvocation(endpointPath, "GET").getRequest());
+		return securityMatcher.matches(request);
 	}
 
 	@Override

diff --git a/.../security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java b/.../security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java
@@ -24,12 +24,18 @@
 import java.util.Map;
 import java.util.stream.Collectors;
 
+import ch.qos.logback.classic.Level;
+import ch.qos.logback.classic.Logger;
+import ch.qos.logback.classic.spi.ILoggingEvent;
+import ch.qos.logback.core.Appender;
 import org.apache.http.HttpHeaders;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.ArgumentCaptor;
 import org.mockito.Mockito;
+import org.slf4j.LoggerFactory;
 
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.NoUniqueBeanDefinitionException;
@@ -125,6 +131,7 @@
 import static org.mockito.BDDMockito.then;
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.springframework.security.config.Customizer.withDefaults;
@@ -703,6 +710,35 @@ public void oauth2LoginWithCustomSecurityContextRepository() {
 		assertThatNoException().isThrownBy(() -> loadConfig(OAuth2LoginConfigSecurityContextRepository.class));
 	}
 
+	// gh-14096
+	@Test
+	public void oauth2LoginWhenSecurityMatcherMissesAuthorizationEndpointThenWarns() {
+		Appender<ILoggingEvent> appender = mockAppenderFor(OAuth2LoginConfigurer.class);
+		loadConfig(OAuth2LoginConfigWithMismatchedSecurityMatcher.class);
+		ArgumentCaptor<ILoggingEvent> captor = ArgumentCaptor.forClass(ILoggingEvent.class);
+		verify(appender, atLeastOnce()).doAppend(captor.capture());
+		assertThat(captor.getAllValues()).anySatisfy((event) -> {
+			assertThat(event.getLevel()).isEqualTo(Level.WARN);
+			assertThat(event.getFormattedMessage()).contains("securityMatcher")
+				.contains("/oauth2/authorization/{registrationId}");
+		});
+	}
+
+	@Test
+	public void oauth2LoginWhenSecurityMatcherMatchesEndpointsThenDoesNotWarn() {
+		Appender<ILoggingEvent> appender = mockAppenderFor(OAuth2LoginConfigurer.class);
+		loadConfig(OAuth2LoginConfigWithMatchingSecurityMatcher.class);
+		verify(appender, never()).doAppend(any(ILoggingEvent.class));
+	}
+
+	private Appender<ILoggingEvent> mockAppenderFor(Class<?> loggerType) {
+		Appender<ILoggingEvent> appender = mock(Appender.class);
+		Logger logger = (Logger) LoggerFactory.getLogger(loggerType);
+		logger.setLevel(Level.WARN);
+		logger.addAppender(appender);
+		return appender;
+	}
+
 	private void loadConfig(Class<?>... configs) {
 		AnnotationConfigWebApplicationContext applicationContext = new AnnotationConfigWebApplicationContext();
 		applicationContext.register(configs);
@@ -965,6 +1001,42 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
 	}
 
+	@Configuration
+	@EnableWebSecurity
+	static class OAuth2LoginConfigWithMismatchedSecurityMatcher extends CommonSecurityFilterChainConfig {
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.securityMatcher("/api/**", "/oauth/**", "/login/**")
+				.oauth2Login((login) -> login
+					.clientRegistrationRepository(
+						new InMemoryClientRegistrationRepository(GOOGLE_CLIENT_REGISTRATION)));
+			// @formatter:on
+			return super.configureFilterChain(http);
+		}
+
+	}
+
+	@Configuration
+	@EnableWebSecurity
+	static class OAuth2LoginConfigWithMatchingSecurityMatcher extends CommonSecurityFilterChainConfig {
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.securityMatcher("/api/**", "/oauth2/**", "/login/**")
+				.oauth2Login((login) -> login
+					.clientRegistrationRepository(
+						new InMemoryClientRegistrationRepository(GOOGLE_CLIENT_REGISTRATION)));
+			// @formatter:on
+			return super.configureFilterChain(http);
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	static class OAuth2LoginConfigCustomAuthorizationRequestResolver extends CommonSecurityFilterChainConfig {