Spring Security - POST method for antMatcher (not antMatchers)

I have two configurations:

@Configuration
@Order(1)
// Class name assumed; the order annotation belongs on the configuration class
public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**")
            .authorizeRequests()
            .anyRequest().hasRole("USER")
            .and()
            .httpBasic()
            .and()
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .exceptionHandling()
            .authenticationEntryPoint(new ApiAuthenticationEntryPoint(objectMapper));
    }
}

@Configuration
@Order(2)
// Class name assumed; same skeleton as the first configuration
public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/product/**").hasRole(SecurityRoles.USER)
            .and()
            .formLogin()
            .loginPage("/login")
            .loginProcessingUrl("/authenticateTheUser")
            .successHandler(customAuthenticationSuccessHandler)
            .permitAll()
            .and()
            .logout()
            .permitAll()
            .and()
            .exceptionHandling()
            .accessDeniedPage("/access-denied");
    }
}

I need to add functionality to register a new user with the REST endpoint /api/users with no authentication. The other /api/** endpoints should remain with basic authentication. How can I do this? I can't see an antMatcher method with an option to choose the HTTP method type.

Edit:

I need something like this:

http.antMatcher("/api/users", HttpMethod.POST.toString()).permitAll()
    .and()
    .antMatcher("/api/**")
            .authorizeRequests()
            .anyRequest().hasRole("USER")
(...)
AppiDevo asked Mar 04 '23 07:03


1 Answer

You can do that with antMatchers() though:

http
    .antMatcher("/api/**")
        .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/api/user").permitAll()
            .anyRequest().hasRole("USER")

The difference between antMatcher(..) and antMatchers(..) is that you use antMatcher(..) when you have separate security configuration classes. This could be necessary when you need to differentiate between:

  • Authentication mechanisms (form login, basic authentication, ...)
  • CSRF handling
  • Session management
  • Filters
  • User details services
  • ...

The antMatchers(..) on the other hand (within authorizeRequests(..)) is used to differentiate between authorization levels (which roles have access to certain endpoints).

In your case, the configuration falls under the latter, as you only need to differentiate between the authority of the POST /api/user endpoint.


However, if you really need more granular control over which security configuration class should be applied, then you should use RequestMatcher as mentioned in the comments.

This interface has a single HttpServletRequest argument and expects you to return a boolean. Since HttpServletRequest contains all information you need, such as the path and the HTTP method, you could properly tune which configuration class should apply. However, in this case it isn't necessary.

g00glen00b answered Apr 07 '23 15:04
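A complete two-chain configuration that applies the answer's approach (method-specific antMatchers(..) inside authorizeRequests(..)) and also shows the RequestMatcher alternative mentioned at the end of the answer. This is an added example, not the asker's or the answerer's code. It assumes Spring Security 5.x (where WebSecurityConfigurerAdapter and antMatchers(HttpMethod, String...) exist), uses the /api/users path from the question, and the class names and the helper apiExceptRegistration() are assumptions.

```java
// Added example (not from the question or the answer). Assumes Spring Security 5.x.
// Class names, the /api/users path and the apiExceptRegistration() helper are assumptions.
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.util.matcher.RequestMatcher;

@EnableWebSecurity
public class SecurityConfig {

    // Evaluated first: every request under /api/** is handled by this filter chain.
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // antMatcher(..) decides which requests this whole chain claims.
                .antMatcher("/api/**")
                .authorizeRequests()
                    // antMatchers(..) inside authorizeRequests() sets authorization per
                    // endpoint. Only POST /api/users is open; GET/PUT/DELETE on the same
                    // path, and everything else under /api/**, still need ROLE_USER.
                    // Rules match in declaration order, so this must precede anyRequest().
                    .antMatchers(HttpMethod.POST, "/api/users").permitAll()
                    .anyRequest().hasRole("USER")
                .and()
                .httpBasic()
                .and()
                // CSRF can be off here only because this chain is stateless (no session
                // cookie is issued); keep it enabled on any chain that uses cookie sessions.
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }
    }

    // Fallback chain for everything the /api/** chain did not claim (the web UI).
    @Configuration
    @Order(2)
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/product/**").hasRole("USER")
                    // Deny-by-default catch-all; not in the question's config, added here
                    // so an unlisted URL is never served anonymously by accident.
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                .and()
                .logout()
                    .permitAll();
        }
    }

    // RequestMatcher alternative from the answer: use it in place of antMatcher("/api/**")
    // via http.requestMatcher(apiExceptRegistration()) when the *chain itself*, not just the
    // authorization rule, must depend on both path and HTTP method. RequestMatcher is a
    // single-method interface, so a lambda over HttpServletRequest is enough.
    static RequestMatcher apiExceptRegistration() {
        return request -> request.getServletPath().startsWith("/api/")
            && !("POST".equals(request.getMethod())
                 && "/api/users".equals(request.getServletPath()));
    }
}
```

With this layout the registration endpoint is anonymous only for POST; a quick check is to call GET /api/users without credentials and confirm a 401 from the basic-auth entry point, then POST without credentials and confirm the request reaches the controller. If you switch to the RequestMatcher helper instead, POST /api/users is no longer claimed by the API chain at all and falls through to the second chain, so that chain must also permit it explicitly.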