[spring-mvc] When to use Spring Security`s antMatcher()?

When do we use antMatcher() vs antMatchers()?

For example:

http
   .antMatcher("/high_level_url_A/**")
   .authorizeRequests()
      .antMatchers("/high_level_url_A/sub_level_1").hasRole('USER')
      .antMatchers("/high_level_url_A/sub_level_2").hasRole('USER2')
      .somethingElse()
      .anyRequest().authenticated()
      .and()
   .antMatcher("/high_level_url_B/**")
   .authorizeRequests()
      .antMatchers("/high_level_url_B/sub_level_1").permitAll()
      .antMatchers("/high_level_url_B/sub_level_2").hasRole('USER3')
      .somethingElse()
      .anyRequest().authenticated()
      .and()
   ...

What I expect here is,

• Any request matches to /high_level_url_A/** should be authenticated + /high_level_url_A/sub_level_1 only for USER and /high_level_url_A/sub_level_2 only for USER2
• Any request matches to /high_level_url_B/** should be authenticated + /high_level_url_B/sub_level_1 for public access and /high_level_url_A/sub_level_2 only for USER3.
• Any other pattern I don't care - But should be public ?

I have seen latest examples do not include antMatcher() these days. Why is that? Is antMatcher() no longer required?

Basically http.antMatcher() tells Spring to only configure HttpSecurity if the path matches this pattern.

I'm updating my answer...

antMatcher() is a method of HttpSecurity, it doesn't have anything to do with authorizeRequests(). Basically, http.antMatcher() tells Spring to only configure HttpSecurity if the path matches this pattern.

The authorizeRequests().antMatchers() is then used to apply authorization to one or more paths you specify in antMatchers(). Such as permitAll() or hasRole('USER3'). These only get applied if the first http.antMatcher() is matched.