Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

antMatchers that matches any beginning of path

I've got REST service that will be used for authentication. The authentication endpoint will look like /api/v.1/authentication. The API version is a variable that can be changed to reflect updated versions. One example would be /api/v.2/authentication. I like to have an antMatcher that can deal with both these cases so I tried .antMatchers(HttpMethod.POST,"**/authenticate").permitAll() using ** to match any beginning of the endpoint but this doesn't work. The full setup below.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
        .csrf().disable()
        .authorizeRequests()
             .antMatchers(HttpMethod.POST, "**/authenticate").permitAll()
             .antMatchers(HttpMethod.GET, "**/get-public-key").permitAll()
             .and()
        .authorizeRequests()
             .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
             .anyRequest().authenticated();
}

Any suggestions how I can solve this?

like image 480
g3blv Avatar asked Apr 30 '17 08:04

g3blv


Video Answer


1 Answers

You have to use absolute pattern, see AntPathMatcher:

Note: a pattern and a path must both be absolute or must both be relative in order for the two to match. Therefore it is recommended that users of this implementation to sanitize patterns in order to prefix them with "/" as it makes sense in the context in which they're used.

Your modified and simplified configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
        .csrf().disable()
        .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/**/authenticate").permitAll()
            .antMatchers(HttpMethod.GET, "/**/get-public-key").permitAll()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .anyRequest().authenticated();
}
like image 56
dur Avatar answered Sep 22 '22 15:09

dur