When to use Spring Security s antMatcher

Question

When do we use antMatcher   vs antMatchers     For example   http     antMatcher   high level url A          authorizeRequests          antMatchers   high level url A sub level 1   hasRole  USER          antMatchers   high level url A sub level 2   hasRole  USER2          somethingElse          anyRequest   authenticated          and       antMatcher   high level url B          authorizeRequests          antMatchers   high level url B sub level 1   permitAll          antMatchers   high level url B sub level 2   hasRole  USER3          somethingElse          anyRequest   authenticated          and            What I expect here is     Any request matches to  high level url A    should be authenticated     high level url A sub level 1 only for USER and  high level url A sub level 2 only for USER2 Any request matches to  high level url B    should be authenticated     high level url B sub level 1 for public access and  high level url A sub level 2 only for USER3  Any other pattern I don t care - But should be public     I have seen latest examples do not include antMatcher   these days  Why is that  Is antMatcher   no longer required

User · Answer

I m updating my answer     antMatcher   is a method of HttpSecurity  it doesn t have anything to do with authorizeRequests     Basically  http antMatcher   tells Spring to only configure HttpSecurity if the path matches this pattern   The authorizeRequests   antMatchers   is then used to apply authorization to one or more paths you specify in antMatchers     Such as permitAll   or hasRole  USER3     These only get applied if the first http antMatcher   is matched

User · Answer

Basically http antMatcher   tells Spring to only configure HttpSecurity if the path matches this pattern

User · Answer

You need antMatcher for multiple HttpSecurity  see Spring Security Reference   5 7 Multiple HttpSecurity We can configure multiple HttpSecurity instances just as we can have multiple  lt http gt  blocks  The key is to extend the WebSecurityConfigurationAdapter multiple times  For example  the following is an example of having a different configuration for URL   s that start with  api    EnableWebSecurity public class MultiHttpSecurityConfig      Autowired   public void configureGlobal AuthenticationManagerBuilder auth    1       auth            inMemoryAuthentication                  withUser  quot user quot   password  quot password quot   roles  quot USER quot   and                  withUser  quot admin quot   password  quot password quot   roles  quot USER quot    quot ADMIN quot            Configuration    Order 1                                                         2   public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter         protected void configure HttpSecurity http  throws Exception             http                antMatcher  quot  api    quot                                 3                authorizeRequests                      anyRequest   hasRole  quot ADMIN quot                      and                  httpBasic                        Configuration                                                   4   public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter           Override       protected void configure HttpSecurity http  throws Exception             http                authorizeRequests                      anyRequest   authenticated                      and                  formLogin                   1 Configure Authentication as normal 2 Create an instance of WebSecurityConfigurerAdapter that contains  Order to specify which WebSecurityConfigurerAdapter should be considered first  3 The http antMatcher states that this HttpSecurity will only be applicable to URLs that start with  api  4 Create another instance of WebSecurityConfigurerAdapter  If the URL does not start with  api  this configuration will be used  This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an  Order value after 1  no  Order defaults to last    In your case you need no antMatcher  because you have only one configuration  Your modified code  http      authorizeRequests            antMatchers  quot  high level url A sub level 1 quot   hasRole  USER            antMatchers  quot  high level url A sub level 2 quot   hasRole  USER2            somethingElse      for  high level url A             antMatchers  quot  high level url A    quot   authenticated            antMatchers  quot  high level url B sub level 1 quot   permitAll            antMatchers  quot  high level url B sub level 2 quot   hasRole  USER3            somethingElse      for  high level url B             antMatchers  quot  high level url B    quot   authenticated            anyRequest   permitAll

[spring-mvc] When to use Spring Security`s antMatcher()?

Examples related to spring-mvc

Examples related to spring-security

Examples related to spring-security4