Spring MVC Path matching ignoring double slash //

In a Spring Boot application I have set up a filter with url mapping /service1/*. This was done using a FilterRegistrationBean.

There is also a controller mapped to the same pattern:

    @RestController
    @RequestMapping(path = "/service1")
    class Service1 {
    ...

The problem:

Executing POST http://localhost:8080/service1/hello works as expected (i.e. the filter is involved in the request processing chain, and the service controller is invoked). However, executing http://localhost:8080//service1/hello (note the double slash) will bypass the filter, but reach the controller anyway due to Spring MVC's more lenient path matching algorithm.

I've read that the controller path matching algorithm can be customized (link: http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/#mvc-config-path-matching), however I don't find an option for not ignoring double slashes.

Also important: this behaviour means that any Controller protected by a filter (not Spring Security, but any custom filter) can be bypassed just by putting a double slash in any part of the URL. Is my understanding correct? Do you know if the MVC controller path matching can be tweaked so that double slashes will not be ignored in the path matching algorithm?

Glaswegian answered 8/3, 2016 at 3:53 Comment(2)
Did you try this with FilterRegistrationBean.setOrder(int)? - Stodge
Seems the issue is in your filter; the way you match on the URL is not correct there. If you are using Spring 4 then check this: https://mcmap.net/q/605679/-spring-security-trailing-slashes-and-dots-in-urls . Or post the configuration of your filter and we can help. - Sanctuary

There is nothing indicating Spring MVC mapping and generic Servlet filters should behave the same. Ant-pattern and Servlet-mapping are different standards, and the interpretation of // could be collapsed/normalized or not.

I would simply:

A) Register your filter for /* and do the matching in the filter.

B) Set up a custom AntPathMatcher in Spring.

C) Register a filter prior to your filter that normalizes the URL path and either refuses to serve (HTTP 404) or redirects (HTTP 301) to the normalized path in case of GET.

Tonneson answered 10/3, 2017 at 16:38 Comment(0)
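
A sketch of option C from the answer above, as an added example that is not code from the question or the answer. It assumes Spring Boot 1.4+ (the `org.springframework.boot.web.servlet` package) and the `javax.servlet` API; the class, bean and filter names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
class PathNormalizationConfig {

    // Hypothetical filter: refuses or redirects any URI that has an empty path segment.
    static class DoubleSlashFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                        FilterChain chain) throws ServletException, IOException {
            String uri = req.getRequestURI();          // raw request path, without query string
            if (!uri.contains("//")) {
                chain.doFilter(req, res);              // canonical path: continue down the chain
                return;
            }
            if ("GET".equals(req.getMethod())) {
                // Collapse every run of slashes so Location starts with exactly one "/"
                // and cannot be read as a protocol-relative URL ("//host/...").
                String target = uri.replaceAll("/{2,}", "/");
                if (req.getQueryString() != null) {
                    target += "?" + req.getQueryString();
                }
                res.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
                res.setHeader("Location", target);
            } else {
                res.sendError(HttpServletResponse.SC_NOT_FOUND);   // e.g. POST //service1/hello
            }
        }
    }

    @Bean
    FilterRegistrationBean doubleSlashFilterRegistration() {
        FilterRegistrationBean reg = new FilterRegistrationBean(new DoubleSlashFilter());
        reg.addUrlPatterns("/*");                      // must see every request, not only /service1/*
        reg.setOrder(Ordered.HIGHEST_PRECEDENCE);      // run ahead of the filter mapped to /service1/*
        return reg;
    }
}
```

With this in place, the request either arrives at the `/service1/*` filter in canonical form or never reaches the controller.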
