From 51ce11cbd26113d1725e162031f6dd8c52e72942 Mon Sep 17 00:00:00 2001
From: Robert Winch <362503+rwinch@users.noreply.github.com>
Date: Wed, 25 Mar 2026 15:25:40 -0500
Subject: [PATCH] Move InetAddressMatcher to spring-security-core

Closes gh-18979
---
 .../util/matcher/InetAddressMatcher.java      |  2 +-
 .../util/matcher/InetAddressMatchers.java     | 14 ++++++++++-
 .../util/matcher/InetAddressParser.java       |  2 +-
 .../util/matcher/IpInetAddressMatcher.java    | 10 ++++----
 .../security/util/matcher/package-info.java   | 23 +++++++++++++++++++
 .../util/matcher/InetAddressMatcherTests.java |  2 +-
 .../matcher/InetAddressMatchersTests.java     |  2 +-
 .../matcher/IpInetAddressMatcherTests.java    |  2 +-
 docs/modules/ROOT/pages/whats-new.adoc        |  6 +++--
 .../IpAddressServerWebExchangeMatcher.java    |  4 ++--
 .../web/util/matcher/IpAddressMatcher.java    |  5 +++-
 11 files changed, 56 insertions(+), 16 deletions(-)
 rename {web/src/main/java/org/springframework/security/web => core/src/main/java/org/springframework/security}/util/matcher/InetAddressMatcher.java (96%)
 rename {web/src/main/java/org/springframework/security/web => core/src/main/java/org/springframework/security}/util/matcher/InetAddressMatchers.java (95%)
 rename {web/src/main/java/org/springframework/security/web => core/src/main/java/org/springframework/security}/util/matcher/InetAddressParser.java (97%)
 rename {web/src/main/java/org/springframework/security/web => core/src/main/java/org/springframework/security}/util/matcher/IpInetAddressMatcher.java (90%)
 create mode 100644 core/src/main/java/org/springframework/security/util/matcher/package-info.java
 rename {web/src/test/java/org/springframework/security/web => core/src/test/java/org/springframework/security}/util/matcher/InetAddressMatcherTests.java (97%)
 rename {web/src/test/java/org/springframework/security/web => core/src/test/java/org/springframework/security}/util/matcher/InetAddressMatchersTests.java (99%)
 rename {web/src/test/java/org/springframework/security/web => core/src/test/java/org/springframework/security}/util/matcher/IpInetAddressMatcherTests.java (98%)

diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/InetAddressMatcher.java b/core/src/main/java/org/springframework/security/util/matcher/InetAddressMatcher.java
similarity index 96%
rename from web/src/main/java/org/springframework/security/web/util/matcher/InetAddressMatcher.java
rename to core/src/main/java/org/springframework/security/util/matcher/InetAddressMatcher.java
index 93eae82b7f..36cb5c9791 100644
--- a/web/src/main/java/org/springframework/security/web/util/matcher/InetAddressMatcher.java
+++ b/core/src/main/java/org/springframework/security/util/matcher/InetAddressMatcher.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.security.web.util.matcher;
+package org.springframework.security.util.matcher;
 
 import java.net.InetAddress;
 
diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/InetAddressMatchers.java b/core/src/main/java/org/springframework/security/util/matcher/InetAddressMatchers.java
similarity index 95%
rename from web/src/main/java/org/springframework/security/web/util/matcher/InetAddressMatchers.java
rename to core/src/main/java/org/springframework/security/util/matcher/InetAddressMatchers.java
index 948b0b2271..dbe4e7be65 100644
--- a/web/src/main/java/org/springframework/security/web/util/matcher/InetAddressMatchers.java
+++ b/core/src/main/java/org/springframework/security/util/matcher/InetAddressMatchers.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.security.web.util.matcher;
+package org.springframework.security.util.matcher;
 
 import java.net.InetAddress;
 import java.util.ArrayList;
@@ -66,6 +66,18 @@ public final class InetAddressMatchers {
 		return builder().matchAll(InternalInetAddressMatcher.getInstance());
 	}
 
+	/**
+	 * Creates an {@link InetAddressMatcher} that matches a specific IP address or subnet
+	 * using CIDR notation (e.g., {@code 192.168.1.0/24}).
+	 * <p>
+	 * Both IPv4 and IPv6 addresses are supported.
+	 * @param ipAddress the IP address or CIDR range to match against
+	 * @return an {@link InetAddressMatcher} for the given IP address pattern
+	 */
+	public static InetAddressMatcher fromIpAddress(String ipAddress) {
+		return new IpInetAddressMatcher(ipAddress);
+	}
+
 	/**
 	 * A builder for constructing {@link InetAddressMatcher} instances with various
 	 * matching rules.
diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/InetAddressParser.java b/core/src/main/java/org/springframework/security/util/matcher/InetAddressParser.java
similarity index 97%
rename from web/src/main/java/org/springframework/security/web/util/matcher/InetAddressParser.java
rename to core/src/main/java/org/springframework/security/util/matcher/InetAddressParser.java
index 27d00c97c6..c6d64dd8d0 100644
--- a/web/src/main/java/org/springframework/security/web/util/matcher/InetAddressParser.java
+++ b/core/src/main/java/org/springframework/security/util/matcher/InetAddressParser.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.security.web.util.matcher;
+package org.springframework.security.util.matcher;
 
 import java.net.InetAddress;
 import java.net.UnknownHostException;
diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/IpInetAddressMatcher.java b/core/src/main/java/org/springframework/security/util/matcher/IpInetAddressMatcher.java
similarity index 90%
rename from web/src/main/java/org/springframework/security/web/util/matcher/IpInetAddressMatcher.java
rename to core/src/main/java/org/springframework/security/util/matcher/IpInetAddressMatcher.java
index 62ae9daf58..7f7e338ea2 100644
--- a/web/src/main/java/org/springframework/security/web/util/matcher/IpInetAddressMatcher.java
+++ b/core/src/main/java/org/springframework/security/util/matcher/IpInetAddressMatcher.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.security.web.util.matcher;
+package org.springframework.security.util.matcher;
 
 import java.net.InetAddress;
 import java.net.UnknownHostException;
@@ -34,18 +34,18 @@ import org.springframework.util.StringUtils;
  * Both IPv4 and IPv6 addresses are supported. The matcher can be configured with either a
  * specific IP address or a subnet using CIDR notation.
  * <p>
- * The logic from this class was migrated from {@link IpAddressMatcher} to provide a more
- * general API that did not depend on the servlet APIs (e.g. HttpServletRequest).
+ * The logic from this class was migrated from
+ * {@code org.springframework.security.web.util.matcher.IpAddressMatcher} to provide a
+ * more general API that did not depend on the servlet APIs (e.g. HttpServletRequest).
  *
  * @author Luke Taylor
  * @author Steve Riesenberg
  * @author Andrey Litvitski
  * @since 7.1
- * @see IpAddressMatcher
  */
 final class IpInetAddressMatcher implements InetAddressMatcher {
 
-	private static final Log logger = LogFactory.getLog(IpAddressMatcher.class);
+	private static final Log logger = LogFactory.getLog(IpInetAddressMatcher.class);
 
 	private final InetAddress requiredAddress;
 
diff --git a/core/src/main/java/org/springframework/security/util/matcher/package-info.java b/core/src/main/java/org/springframework/security/util/matcher/package-info.java
new file mode 100644
index 0000000000..56a64febc0
--- /dev/null
+++ b/core/src/main/java/org/springframework/security/util/matcher/package-info.java
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * General utility classes for matching IP addresses.
+ */
+@NullMarked
+package org.springframework.security.util.matcher;
+
+import org.jspecify.annotations.NullMarked;
diff --git a/web/src/test/java/org/springframework/security/web/util/matcher/InetAddressMatcherTests.java b/core/src/test/java/org/springframework/security/util/matcher/InetAddressMatcherTests.java
similarity index 97%
rename from web/src/test/java/org/springframework/security/web/util/matcher/InetAddressMatcherTests.java
rename to core/src/test/java/org/springframework/security/util/matcher/InetAddressMatcherTests.java
index 3471bbd725..7689cdd65b 100644
--- a/web/src/test/java/org/springframework/security/web/util/matcher/InetAddressMatcherTests.java
+++ b/core/src/test/java/org/springframework/security/util/matcher/InetAddressMatcherTests.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.security.web.util.matcher;
+package org.springframework.security.util.matcher;
 
 import org.junit.jupiter.api.Test;
 
diff --git a/web/src/test/java/org/springframework/security/web/util/matcher/InetAddressMatchersTests.java b/core/src/test/java/org/springframework/security/util/matcher/InetAddressMatchersTests.java
similarity index 99%
rename from web/src/test/java/org/springframework/security/web/util/matcher/InetAddressMatchersTests.java
rename to core/src/test/java/org/springframework/security/util/matcher/InetAddressMatchersTests.java
index 967e3f1b79..387af3c381 100644
--- a/web/src/test/java/org/springframework/security/web/util/matcher/InetAddressMatchersTests.java
+++ b/core/src/test/java/org/springframework/security/util/matcher/InetAddressMatchersTests.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.security.web.util.matcher;
+package org.springframework.security.util.matcher;
 
 import java.net.InetAddress;
 import java.util.List;
diff --git a/web/src/test/java/org/springframework/security/web/util/matcher/IpInetAddressMatcherTests.java b/core/src/test/java/org/springframework/security/util/matcher/IpInetAddressMatcherTests.java
similarity index 98%
rename from web/src/test/java/org/springframework/security/web/util/matcher/IpInetAddressMatcherTests.java
rename to core/src/test/java/org/springframework/security/util/matcher/IpInetAddressMatcherTests.java
index e87f9a05bf..ecac465824 100644
--- a/web/src/test/java/org/springframework/security/web/util/matcher/IpInetAddressMatcherTests.java
+++ b/core/src/test/java/org/springframework/security/util/matcher/IpInetAddressMatcherTests.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.security.web.util.matcher;
+package org.springframework.security.util.matcher;
 
 import java.net.InetAddress;
 
diff --git a/docs/modules/ROOT/pages/whats-new.adoc b/docs/modules/ROOT/pages/whats-new.adoc
index 50e5baa9d8..54bb18fb42 100644
--- a/docs/modules/ROOT/pages/whats-new.adoc
+++ b/docs/modules/ROOT/pages/whats-new.adoc
@@ -1,9 +1,11 @@
 [[new]]
 = What's New in Spring Security 7.1
 
-== Web
+== Core
 
-* https://github.com/spring-projects/spring-security/pull/18634[gh-18634] - Added javadoc:org.springframework.security.web.util.matcher.InetAddressMatcher[]
+* https://github.com/spring-projects/spring-security/pull/18634[gh-18634] - Added javadoc:org.springframework.security.util.matcher.InetAddressMatcher[]
+
+== Web
 * https://github.com/spring-projects/spring-security/issues/18755[gh-18755] - Include `charset` in `WWW-Authenticate` header
 * Added xref:servlet/authorization/architecture.adoc#authz-conditional-authorization-manager[ConditionalAuthorizationManager]
 * Added `when` and `withWhen` conditions to `AuthorizationManagerFactories.multiFactor()` for xref:servlet/authentication/mfa.adoc#programmatic-mfa[Programmatic MFA]
diff --git a/web/src/main/java/org/springframework/security/web/server/util/matcher/IpAddressServerWebExchangeMatcher.java b/web/src/main/java/org/springframework/security/web/server/util/matcher/IpAddressServerWebExchangeMatcher.java
index 72662014c3..eb89eb159f 100644
--- a/web/src/main/java/org/springframework/security/web/server/util/matcher/IpAddressServerWebExchangeMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/server/util/matcher/IpAddressServerWebExchangeMatcher.java
@@ -20,8 +20,8 @@ import java.util.List;
 
 import reactor.core.publisher.Mono;
 
-import org.springframework.security.web.util.matcher.InetAddressMatcher;
-import org.springframework.security.web.util.matcher.InetAddressMatchers;
+import org.springframework.security.util.matcher.InetAddressMatcher;
+import org.springframework.security.util.matcher.InetAddressMatchers;
 import org.springframework.util.Assert;
 import org.springframework.web.server.ServerWebExchange;
 
diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java b/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
index 4e2ea3fdbc..ccf5d7a2e2 100644
--- a/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
@@ -19,6 +19,9 @@ package org.springframework.security.web.util.matcher;
 import jakarta.servlet.http.HttpServletRequest;
 import org.jspecify.annotations.Nullable;
 
+import org.springframework.security.util.matcher.InetAddressMatcher;
+import org.springframework.security.util.matcher.InetAddressMatchers;
+
 /**
  * Matches a request based on IP Address or subnet mask matching against the remote
  * address.
@@ -42,7 +45,7 @@ public final class IpAddressMatcher implements RequestMatcher {
 	 * come.
 	 */
 	public IpAddressMatcher(String ipAddress) {
-		this.matcher = new IpInetAddressMatcher(ipAddress);
+		this.matcher = InetAddressMatchers.fromIpAddress(ipAddress);
 	}
 
 	@Override