When do we use antMatcher() vs antMatchers()?

For example:
    http
        .antMatcher("/high_level_url_A/**")
        .authorizeRequests()
            .antMatchers("/high_level_url_A/sub_level_1").hasRole("USER")
            .antMatchers("/high_level_url_A/sub_level_2").hasRole("USER2")
            .somethingElse()
            .anyRequest().authenticated()
            .and()
        .antMatcher("/high_level_url_B/**")
        .authorizeRequests()
            .antMatchers("/high_level_url_B/sub_level_1").permitAll()
            .antMatchers("/high_level_url_B/sub_level_2").hasRole("USER3")
            .somethingElse()
            .anyRequest().authenticated()
            .and()
        ...

What I expect here is:

/high_level_url_A/** should be authenticated + /high_level_url_A/sub_level_1 only for USER and /high_level_url_A/sub_level_2 only for USER2

/high_level_url_B/** should be authenticated + /high_level_url_B/sub_level_1 for public access and /high_level_url_A/sub_level_2 only for USER3.

I have seen that the latest examples do not include antMatcher() these days. Why is that? Is antMatcher() no longer required?

This question is related to: spring-mvc, spring-security, spring-security4

Basically http.antMatcher() tells Spring to only configure HttpSecurity if the path matches this pattern.

I'm updating my answer...

antMatcher() is a method of HttpSecurity; it doesn't have anything to do with authorizeRequests(). Basically, http.antMatcher() tells Spring to only configure HttpSecurity if the path matches this pattern.

The authorizeRequests().antMatchers() is then used to apply authorization to one or more paths you specify in antMatchers(), such as permitAll() or hasRole("USER3"). These only get applied if the first http.antMatcher() is matched.

Source: Stackoverflow.com
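
The split the answer describes, written out as an added example that is not code from the question or the answers: one filter chain per antMatcher() scope, each with its own antMatchers() authorization rules, in the WebSecurityConfigurerAdapter style that matches the spring-security4 tag. The class names, the use of httpBasic() as the login mechanism and the deny-all fallback chain are assumptions made for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MultiChainSecurityConfig {          // hypothetical class name

    // Chain 1: antMatcher() limits this HttpSecurity to /high_level_url_A/**.
    @Configuration @Order(1)
    public static class UrlAConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/high_level_url_A/**")
                .authorizeRequests()                 // rules are checked top to bottom
                    .antMatchers("/high_level_url_A/sub_level_1").hasRole("USER")
                    .antMatchers("/high_level_url_A/sub_level_2").hasRole("USER2")
                    .anyRequest().authenticated()    // everything else under A
                    .and().httpBasic();              // assumed authentication mechanism
        }
    }

    // Chain 2: a separate HttpSecurity scoped to /high_level_url_B/**.
    @Configuration @Order(2)
    public static class UrlBConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/high_level_url_B/**")
                .authorizeRequests()
                    .antMatchers("/high_level_url_B/sub_level_1").permitAll()
                    .antMatchers("/high_level_url_B/sub_level_2").hasRole("USER3")
                    .anyRequest().authenticated()
                    .and().httpBasic();
        }
    }

    // Chain 3 (assumed policy): no antMatcher(), so it matches every request the
    // chains above did not claim. Without it those paths are not secured at all.
    @Configuration @Order(3)
    public static class FallbackConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().denyAll();
        }
    }
}
```

When only one chain is needed, antMatcher() can be omitted, because an HttpSecurity without it applies to every request.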