When to use Spring Security`s antMatcher()?

by

You need antMatcher for multiple HttpSecurity, see Spring Security Reference:

5.7 Multiple HttpSecurity

We can configure multiple HttpSecurity instances just as we can have multiple <http> blocks. The key is to extend the WebSecurityConfigurationAdapter multiple times. For example, the following is an example of having a different configuration for URL’s that start with /api/.

@EnableWebSecurity
public class MultiHttpSecurityConfig {
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) { 1
      auth
          .inMemoryAuthentication()
              .withUser("user").password("password").roles("USER").and()
              .withUser("admin").password("password").roles("USER", "ADMIN");
  }

  @Configuration
  @Order(1)                                                        2
  public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
      protected void configure(HttpSecurity http) throws Exception {
          http
              .antMatcher("/api/**")                               3
              .authorizeRequests()
                  .anyRequest().hasRole("ADMIN")
                  .and()
              .httpBasic();
      }
  }    

  @Configuration                                                   4
  public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http
              .authorizeRequests()
                  .anyRequest().authenticated()
                  .and()
              .formLogin();
      }
  }
}

1 Configure Authentication as normal

2 Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.

3 The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/

4 Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).

In your case you need no antMatcher, because you have only one configuration. Your modified code:

http
    .authorizeRequests()
        .antMatchers("/high_level_url_A/sub_level_1").hasRole('USER')
        .antMatchers("/high_level_url_A/sub_level_2").hasRole('USER2')
        .somethingElse() // for /high_level_url_A/**
        .antMatchers("/high_level_url_A/**").authenticated()
        .antMatchers("/high_level_url_B/sub_level_1").permitAll()
        .antMatchers("/high_level_url_B/sub_level_2").hasRole('USER3')
        .somethingElse() // for /high_level_url_B/**
        .antMatchers("/high_level_url_B/**").authenticated()
        .anyRequest().permitAll()

More Related Contents:

  1. Serving static web resources in Spring Boot & Spring Security application
  2. CharacterEncodingFilter don’t work together with Spring Security 3.2.0
  3. Spring 5.0.3 RequestRejectedException: The request was rejected because the URL was not normalized
  4. StrictHttpFirewall in spring security 4.2 vs spring MVC @MatrixVariable
  5. Spring Security : Multiple HTTP Config not working
  6. Filter invoke twice when register as Spring bean
  7. When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
  8. How to use Session attributes in Spring-mvc
  9. Neither BindingResult nor plain target object for bean name available as request attribute [duplicate]
  10. How to disable spring security for particular url
  11. Difference between Role and GrantedAuthority in Spring Security
  12. Spring mvc @PathVariable
  13. How to enable HTTP response caching in Spring Boot
  14. RESTful Authentication via Spring
  15. Spring webSecurity.ignoring() doesn’t ignore custom filter
  16. Spring + Web MVC: dispatcher-servlet.xml vs. applicationContext.xml (plus shared security)
  17. spring web, security + web.xml + mvc dispatcher + Bean is created twice
  18. Can Spring MVC handle multivalue query parameter?
  19. How to configure Spring Security to allow Swagger URL to be accessed without authentication
  20. Load different application.yml in SpringBoot Test
  21. Multiple antMatchers in Spring security
  22. An Authentication object was not found in the SecurityContext – Spring 3.2.2
  23. Spring Security 3.2 CSRF disable for specific URLs
  24. With Spring Security 3.2.0.RELEASE, how can I get the CSRF token in a page that is purely HTML with no tag libs
  25. Spring REST security – Secure different URLs differently
  26. What does do?
  27. Spring Boot exception: Could not open ServletContext resource [/WEB-INF/dispatcherServlet-servlet.xml]
  28. How to handle IO streams in Spring MVC
  29. Angular 2 Spring Boot Login CORS Problems
  30. Custom Authentication Manager with Spring Security and Java Configuration

Leave a Comment