
Difference between antMatcher and mvcMatcher

What is the difference between HttpSecurity's antMatcher() and mvcMatcher() functions?

Could anyone explain when to use them?

Javad Kargar asked May 25 '18 20:05



1 Answer

As these methods' signatures clearly say, and as is also stated in the official documentation:

antMatcher(String antPattern) - Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern.

mvcMatcher(String mvcPattern) - Allows configuring the HttpSecurity to only be invoked when matching the provided Spring MVC pattern.

Generally mvcMatcher is more secure than an antMatcher. As an example:

  • antMatchers("/secured") matches only the exact /secured URL
  • mvcMatchers("/secured") matches /secured as well as /secured/, /secured.html, /secured.xyz

and therefore is more general and can also handle some possible configuration mistakes.

mvcMatcher uses the same rules that Spring MVC uses for matching (when using @RequestMapping annotation).

If the current request will not be processed by Spring MVC, a reasonable default using the pattern as an ant pattern will be used. Source

It may be added that the mvcMatchers API (since 4.1.1) is newer than the antMatchers API (since 3.1).

DimaSan answered Sep 29 '22 02:09
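
The two matchers from the answer above, placed in one Spring Security 5.x configuration with the narrow antMatchers rule shown beside the mvcMatchers rule that replaces it. This is an added example, not code from the original answer or from the Spring project; it assumes a Spring Boot web application with Spring MVC on the classpath and trailing-slash matching enabled in MVC, and the class names and the `/secured` handler are hypothetical.

```java
// Added example, not from the original answer. Assumes a Spring Boot web app on
// Spring Security 5.x; class names and the "/secured" handler are hypothetical.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class SecuredController {
    // Spring MVC decides which URLs reach this handler. With trailing-slash
    // matching enabled in MVC, a request for /secured/ is dispatched here too.
    @GetMapping("/secured")
    String secured() {
        return "members only";
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Weak form: the ant pattern covers the exact path /secured only, so
                // /secured/ would skip this rule and land on permitAll() below
                // while MVC still routes it to SecuredController:
                //     .antMatchers("/secured").authenticated()
                //
                // Corrected form: the rule is matched the way Spring MVC matches the
                // @GetMapping, so every URL variant that reaches the handler is covered.
                .mvcMatchers("/secured").authenticated()
                // Public pages; a deny-by-default catch-all (authenticated() or
                // denyAll()) would additionally contain a rule that is too narrow.
                .anyRequest().permitAll()
                .and()
            .httpBasic();
    }
}
```

mvcMatchers needs Spring MVC's handler mapping to be present in the application context, which is the case in a Spring Boot web application; for requests not handled by Spring MVC the pattern falls back to ant-style matching, as the quoted documentation states.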