There is a common practice in the Spring security oauth implementation to secure the oauth endpoints with the following line:
.requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
The entire setup looks like this:
http
    .formLogin().loginPage("/login").permitAll()
    .and()
    .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
    .and()
    .authorizeRequests().anyRequest().authenticated();
Can someone explain to me why that specific line is needed, since the next line explicitly says that all requests have to be authenticated?
The antMatchers() method is a Spring Boot HTTP method used to configure the URL paths for which the Spring Boot application security should permit requests based on the user's roles. The antMatchers() method is an overloaded method that receives both the HTTP request methods and the specific URLs as its arguments.
requestMatchers: enables HttpSecurity for multiple URL patterns and multiple HTTP methods, for example:
http.requestMatchers()
    .antMatchers(HttpMethod.GET, "/restricted/get/**", "/restricted2/get/**")
    .antMatchers(HttpMethod.POST, "/restricted/post/**", "/restricted2/post/**");
anyRequest().authenticated() means that any request must be authenticated; otherwise my Spring app will return a 401 response.
The requestMatchers line specifies to which requests the security check applies. The authorizeRequests line does the actual security check.
If you leave out the requestMatchers line, all requests will get checked in the way authorizeRequests specifies. If there are no checks for some requests, checking will succeed by default.
With the requestMatchers line, requests that don't match will get checked by the other remaining chains.
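The distinction the answer draws (requestMatchers() picks which requests a filter chain claims, authorizeRequests() decides what happens to the claimed requests) is easiest to see with two ordered chains. The following configuration is an added example, not code from the question, the answer or any Spring project; it also folds in the HttpMethod-qualified antMatchers() form shown in the earlier answer. The "/public/**" path, the HTTP Basic authentication on the second chain and the class names are assumptions made for illustration.

```java
// Added example: two WebSecurityConfigurerAdapter chains (Spring Security 5.x style).
// Paths other than /login, /oauth/authorize and /oauth/confirm_access are assumed.
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MultiChainSecurityConfig {

    /** Chain 1: consulted only for the login and OAuth authorization endpoints. */
    @Configuration
    @Order(1)
    public static class OAuthEndpointsConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Scope: this chain handles a request only if its URL matches one of these
                // patterns. Anything else is never touched by this chain and falls through
                // to the next chain in @Order.
                .requestMatchers()
                    .antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                .and()
                // Rules for the requests this chain claimed: the login page is public,
                // the OAuth endpoints require an authenticated user session.
                .authorizeRequests()
                    .antMatchers("/login").permitAll()
                    .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").permitAll();
        }
    }

    /** Chain 2: catch-all for every request chain 1 did not claim (e.g. API calls). */
    @Configuration
    @Order(2)
    public static class ApiConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // No requestMatchers() here: this chain claims every request that reaches it.
                .authorizeRequests()
                    // Assumed path: only GET on /public/** is open, any other method is not.
                    .antMatchers(HttpMethod.GET, "/public/**").permitAll()
                    .anyRequest().authenticated()
                .and()
                // Assumed: API clients authenticate with HTTP Basic rather than a login form,
                // so an unauthenticated API call gets a 401 instead of a redirect to /login.
                .httpBasic();
        }
    }
}
```

Without the requestMatchers() block in chain 1, that chain would claim every request (it is first in @Order), so a request to an API path would be answered by chain 1's form-login behaviour and chain 2 would never run; that is the situation the question's single-chain setup avoids. Note that antMatchers() was removed in Spring Security 6, where the equivalent is requestMatchers(String...) under authorizeHttpRequests() and securityMatcher() for scoping a SecurityFilterChain bean.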