ApiVersionConfigurer.addSupportedVersions is not enforced when controller methods(api) declare unsupported versions #36552

@parvati-thapa

While using ApiVersionConfigurer for path-based API versioning, I observed that versions declared via @GetMapping(version = "...") are still accepted even when they are not included in addSupportedVersions(...).
This creates an inconsistency where the configured supported versions are not strictly enforced, and controller-level mappings effectively override the configuration.


Configuration
```java
@Override
public void configureApiVersioning(@NonNull ApiVersionConfigurer configurer) {
    configurer
            .usePathSegment(1)
            .setVersionRequired(true)
            .addSupportedVersions("1", "2");
}
```

Controller 
```java
@RestController
@RequestMapping("/controller")
public class TestController {

    @GetMapping(value = "/users", version = "1")
    public String getResponseVersion1() {
        return "v1 response";
    }

    @GetMapping(value = "/users", version = "2")
    public String getResponseVersionTwo() {
        return "v2 response";
    }

    @GetMapping(value = "/users", version = "3")
    public String getResponseVersionThree() {
        return "v3 response";
    }
}
```

Expected Behavior
Request:
GET /controller/v3/users
Should fail with an error (e.g., 400 BAD_REQUEST) because:

  • Version 3 is not listed in addSupportedVersions("1", "2")

Actual Behavior
The request:
GET /controller/v3/users
✔ Successfully resolves to the controller method annotated with @GetMapping(version = "3") and provides the respective response.

Analysis
It appears that:

  • addSupportedVersions(...) does not act as a strict whitelist
  • Controller-level version mappings (@GetMapping(version = "...")) take precedence
  • Version validation is not enforced against the configured supported versions

Questions

  1. Is this behaviour intentional?
  2. Shouldn’t addSupportedVersions(...) act as a strict validation mechanism?
  3. Is there a recommended way (within ApiVersionConfigurer) to enforce supported versions globally?
  4. How can I restrict this behaviour and allow only the supported versions configured in addSupportedVersions(..)?

Environment

  • Spring Boot version: [4.0.4]
  • Java version: [25]

Thank you!
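
The configuration from the issue with mapping-based version detection switched off, so that only the explicitly listed versions pass validation. This is an added example, not code from the issue author or the Spring team; the class name `StrictApiVersionConfig` is hypothetical, and it assumes Spring MVC in Spring Framework 7 (Spring Boot 4), where `ApiVersionConfigurer.detectSupportedVersions(boolean)` controls whether versions declared on request mappings are added to the supported set.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ApiVersionConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Hypothetical class name; assumes Spring MVC on Spring Framework 7 / Spring Boot 4.
@Configuration
public class StrictApiVersionConfig implements WebMvcConfigurer {

    @Override
    public void configureApiVersioning(ApiVersionConfigurer configurer) {
        configurer
                // Version is read from path segment index 1: /controller/{version}/users
                .usePathSegment(1)
                // Requests without a version are rejected.
                .setVersionRequired(true)
                // Explicit allowlist, exactly as in the issue.
                .addSupportedVersions("1", "2")
                // By default, versions declared on mappings (here version = "3")
                // are detected and treated as supported in addition to the list
                // above. Disabling detection leaves "1" and "2" as the only
                // supported versions.
                .detectSupportedVersions(false);
    }
}
```

With detection disabled, `GET /controller/v3/users` is rejected as an unsupported version instead of reaching `getResponseVersionThree()`, while `/controller/v1/users` and `/controller/v2/users` keep resolving as before.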

Labels

  • in: web (Issues in web modules (web, webmvc, webflux, websocket))
  • status: invalid (An issue that we don't feel is valid)
