Aug 24, 2025 · Aug 24, 2025 · Aug 24, 2025 · Aug 24, 2025 · Aug 24, 2025 · Aug 26, 2025
diff --git a/.../src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java b/.../src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java
diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
Original file line number	Diff line number	Diff line change
Expand Up		@@ -30,15 +30,14 @@
		import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
		import org.springframework.security.core.Authentication;
		import org.springframework.util.Assert;
	import org.springframework.util.StringUtils;
		import org.springframework.util.function.SingletonSupplier;

		/**
		* Base root object for use in Spring Security expression evaluations.
		*
		* @author Luke Taylor
		* @author Evgeniy Cheban
	* @author Ngoc Nhan
	* @author Steve Riesenberg
		* @since 3.0
		*/
		public abstract class SecurityExpressionRoot<T extends @Nullable Object> implements SecurityExpressionOperations {
Expand Down Expand Up		@@ -209,8 +208,7 @@ private boolean isGranted(AuthorizationManager<T> authorizationManager) {
		/**
		* Convenience method to access {@link Authentication#getPrincipal()} from
		* {@link #getAuthentication()}
	* @return the <code>Principal</code> being authenticated or the authenticated
	* principal after authentication.
	* @return
		*/
		public @Nullable Object getPrincipal() {
		return getAuthentication().getPrincipal();
Expand Down Expand Up		@@ -306,24 +304,4 @@ public void setPermissionEvaluator(PermissionEvaluator permissionEvaluator) {
		this.permissionEvaluator = permissionEvaluator;
		}

	/**
	* Prefixes role with defaultRolePrefix if defaultRolePrefix is non-null and if role
	* does not already start with defaultRolePrefix.
	* @param defaultRolePrefix the default prefix to add to roles.
	* @param role the role that should be required.
	* @return a {@code String} role
	*/
	private static String getRoleWithDefaultPrefix(@Nullable String defaultRolePrefix, String role) {
	if (role == null) {
	return role;
	}
	if (!StringUtils.hasLength(defaultRolePrefix)) {
	return role;
	}
	if (role.startsWith(defaultRolePrefix)) {
	return role;
	}
	return defaultRolePrefix + role;
	}

		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -36,7 +36,6 @@
		import org.springframework.security.web.util.UrlUtils;
		import org.springframework.util.Assert;
		import org.springframework.util.ObjectUtils;
	import org.springframework.util.StringUtils;
		import org.springframework.web.util.UriComponentsBuilder;

		/**
Expand All		@@ -59,7 +58,6 @@
		* @author Andrey Grebnev
		* @author Ben Alex
		* @author Luke Taylor
	* @author Ngoc Nhan
		*/
		public class DefaultSavedRequest implements SavedRequest {

Expand Down Expand Up		@@ -195,65 +193,24 @@ private void addLocale(Locale locale) {
		* @since 4.2
		*/
		private void addParameters(Map<String, String[]> parameters) {
	if (ObjectUtils.isEmpty(parameters)) {
	return;
	}

	for (Map.Entry<String, String[]> entry : parameters.entrySet()) {
	String name = entry.getKey();
	String[] values = entry.getValue();
	if (values != null) {
	this.parameters.put(name, values);
	if (!ObjectUtils.isEmpty(parameters)) {
	for (String paramName : parameters.keySet()) {
	Object paramValues = parameters.get(paramName);
	if (paramValues instanceof String[]) {
	this.addParameter(paramName, (String[]) paramValues);
	}
	else {
	logger.warn("ServletRequest.getParameterMap() returned non-String array");
	}
		}
		}
		}

	/**
	* Determines if the current request matches the <code>DefaultSavedRequest</code>.
	* <p>
	* All URL arguments are considered but not cookies, locales, headers or parameters.
	* @param request the actual request to be matched against this one
	* @param portResolver used to obtain the server port of the request
	* @return true if the request is deemed to match this one.
	* @deprecated This is deprecated for removal. Users can compare
	* {@link #getRedirectUrl()} to the {@link HttpServletRequest} URL instead.
	*/
	@Deprecated(forRemoval = true)
	public boolean doesRequestMatch(HttpServletRequest request, PortResolver portResolver) {
	if (!propertyEquals(this.pathInfo, request.getPathInfo())) {
	return false;
	}
	if (!propertyEquals(createQueryString(this.queryString, this.matchingRequestParameterName),
	request.getQueryString())) {
	return false;
	}
	if (!propertyEquals(this.requestURI, request.getRequestURI())) {
	return false;
	}
	if (!"GET".equals(request.getMethod()) && "GET".equals(this.method)) {
	// A save GET should not match an incoming non-GET method
	return false;
	}
	if (!propertyEquals(this.serverPort, portResolver.getServerPort(request))) {
	return false;
	}
	if (!propertyEquals(this.requestURL, request.getRequestURL().toString())) {
	return false;
	}
	if (!propertyEquals(this.scheme, request.getScheme())) {
	return false;
	}
	if (!propertyEquals(this.serverName, request.getServerName())) {
	return false;
	}
	if (!propertyEquals(this.contextPath, request.getContextPath())) {
	return false;
	}
	return propertyEquals(this.servletPath, request.getServletPath());

	private void addParameter(String name, String[] values) {
	this.parameters.put(name, values);
		}

	public String getContextPath() {
	public @Nullable String getContextPath() {
		return this.contextPath;
		}

Expand Down Expand Up		@@ -364,7 +321,7 @@ public String toString() {
		if (matchingRequestParameterName == null) {
		return queryString;
		}
	if (!StringUtils.hasLength(queryString)) {
	if (queryString == null \|\| queryString.length() == 0) {
		return matchingRequestParameterName;
		}
		return UriComponentsBuilder.newInstance()
Expand Down