Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

When to use Spring Security`s antMatcher()?

Tags:

spring-mvc

spring-security

spring-security4

When do we use antMatcher() vs antMatchers()?

For example:

http
   .antMatcher("/high_level_url_A/**")
   .authorizeRequests()
      .antMatchers("/high_level_url_A/sub_level_1").hasRole('USER')
      .antMatchers("/high_level_url_A/sub_level_2").hasRole('USER2')
      .somethingElse()
      .anyRequest().authenticated()
      .and()
   .antMatcher("/high_level_url_B/**")
   .authorizeRequests()
      .antMatchers("/high_level_url_B/sub_level_1").permitAll()
      .antMatchers("/high_level_url_B/sub_level_2").hasRole('USER3')
      .somethingElse()
      .anyRequest().authenticated()
      .and()
   ...

What I expect here is,

  • Any request matches to /high_level_url_A/** should be authenticated + /high_level_url_A/sub_level_1 only for USER and /high_level_url_A/sub_level_2 only for USER2
  • Any request matches to /high_level_url_B/** should be authenticated + /high_level_url_B/sub_level_1 for public access and /high_level_url_A/sub_level_2 only for USER3.
  • Any other pattern I don't care - But should be public ?

I have seen latest examples do not include antMatcher() these days. Why is that? Is antMatcher() no longer required?

like image 223
sura2k Avatar asked Mar 09 '16 11:03

sura2k

People also ask

What is antMatcher in Spring Security?

The antMatchers() is a Springboot HTTP method used to configure the URL paths from which the Springboot application security should permit requests based on the user's roles. The antmatchers() method is an overloaded method that receives both the HTTP request methods and the specific URLs as its arguments.

Why is the usage of mvcMatcher recommended over antMatcher?

Generally mvcMatcher is more secure than an antMatcher . As an example: antMatchers("/secured") matches only the exact /secured URL. mvcMatchers("/secured") matches /secured as well as /secured/ , /secured.

What is the need for @EnableWebSecurity?

The @EnableWebSecurity is a marker annotation. It allows Spring to find (it's a @Configuration and, therefore, @Component ) and automatically apply the class to the global WebSecurity . If I don't annotate any of my class with @EnableWebSecurity still the application prompting for username and password.

What is difference between hasRole and hasAuthority?

The main difference is that roles have special semantics. Starting with Spring Security 4, the 'ROLE_' prefix is automatically added (if it's not already there) by any role related method. So hasAuthority('ROLE_ADMIN') is similar to hasRole('ADMIN') because the 'ROLE_' prefix gets added automatically.

2 Answers

You need antMatcher for multiple HttpSecurity, see Spring Security Reference:

5.7 Multiple HttpSecurity

We can configure multiple HttpSecurity instances just as we can have multiple <http> blocks. The key is to extend the WebSecurityConfigurationAdapter multiple times. For example, the following is an example of having a different configuration for URL’s that start with /api/.

@EnableWebSecurity
public class MultiHttpSecurityConfig {
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) { 1
      auth
          .inMemoryAuthentication()
              .withUser("user").password("password").roles("USER").and()
              .withUser("admin").password("password").roles("USER", "ADMIN");
  }

  @Configuration
  @Order(1)                                                        2
  public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
      protected void configure(HttpSecurity http) throws Exception {
          http
              .antMatcher("/api/**")                               3
              .authorizeRequests()
                  .anyRequest().hasRole("ADMIN")
                  .and()
              .httpBasic();
      }
  }    

  @Configuration                                                   4
  public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http
              .authorizeRequests()
                  .anyRequest().authenticated()
                  .and()
              .formLogin();
      }
  }
}

1 Configure Authentication as normal

2 Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.

3 The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/

4 Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).

In your case you need no antMatcher, because you have only one configuration. Your modified code:

http
    .authorizeRequests()
        .antMatchers("/high_level_url_A/sub_level_1").hasRole('USER')
        .antMatchers("/high_level_url_A/sub_level_2").hasRole('USER2')
        .somethingElse() // for /high_level_url_A/**
        .antMatchers("/high_level_url_A/**").authenticated()
        .antMatchers("/high_level_url_B/sub_level_1").permitAll()
        .antMatchers("/high_level_url_B/sub_level_2").hasRole('USER3')
        .somethingElse() // for /high_level_url_B/**
        .antMatchers("/high_level_url_B/**").authenticated()
        .anyRequest().permitAll()
like image 108
dur Avatar answered Oct 18 '22 19:10

dur

I'm updating my answer...

antMatcher() is a method of HttpSecurity, it doesn't have anything to do with authorizeRequests(). Basically, http.antMatcher() tells Spring to only configure HttpSecurity if the path matches this pattern.

The authorizeRequests().antMatchers() is then used to apply authorization to one or more paths you specify in antMatchers(). Such as permitAll() or hasRole('USER3'). These only get applied if the first http.antMatcher() is matched.

like image 66
Patrick Grimard Avatar answered Oct 18 '22 21:10

Patrick Grimard
Sign in to Comment

Related questions

Spring Bean Scopes
Loading context in Spring using web.xml
How to autowire RestTemplate using annotations
Spring Boot Multiple Datasource
JQuery, Spring MVC @RequestBody and JSON - making it work together
Spring + Web MVC: dispatcher-servlet.xml vs. applicationContext.xml (plus shared security)
How to serve .html files with Spring
Spring - Redirect after POST (even with validation errors)
how to send an array in url request
SpringMVC RequestMapping for GET parameters
Spring MVC controller Test - print the result JSON String
What is the purpose of init binder in spring MVC
Spring MVC vs JSF [duplicate]
Difference between MockMvc and RestTemplate in integration tests
Statement lambda can be replaced with expression lambda
How do I obtain the Jackson ObjectMapper in use by Spring 4.1?
No mapping found for HTTP request with URI.... in DispatcherServlet with name [duplicate]
Spring Boot Actuator without Spring Boot
How do I use Spring Boot to serve static content located in Dropbox folder?
Can Spring Security use @PreAuthorize on Spring controllers methods?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!