Hey guys, in this post we will discuss everything you need to know about Spring Security matcher methods. This is a continuation of the previous post, so please read that one before proceeding with this.
Table of Contents
Overview
- MVC matchers
- Ant matchers
- Regex matchers
MVC matchers
mvcMatchers() uses Spring MVC’s HandlerMappingIntrospector to match the path and extract variables.
mvcMatchers(HttpMethod method, String... patterns):
We can specify both the HTTP method and the path pattern to configure restrictions.
http.authorizeRequests().mvcMatchers(HttpMethod.GET, "/protected").authenticated()
.mvcMatchers(HttpMethod.GET, "/home").permitAll()
.anyRequest().denyAll()
.and()
.formLogin()
.and()
.httpBasic();
mvcMatchers(String... patterns):
We can specify only path patterns to configure restrictions; the rule then applies to all HTTP methods.
http.authorizeRequests().mvcMatchers("/protected/**").authenticated()
.mvcMatchers("/home/**").permitAll()
.anyRequest().denyAll()
.and()
.formLogin()
.and()
.httpBasic();
Note:
- ** matches any number of path segments. For example, /x/**/z will match both /x/y/z and /x/y/abc/z
- A single * matches exactly one path segment. For example, /x/*/z will match /x/y/z and /x/abc/z but not /x/y/abc/z
Ant matchers
It is an implementation for Ant-style path patterns. Part of this mapping code has been kindly borrowed from Apache Ant.
antMatchers(HttpMethod method, String... patterns):
We can specify both the HTTP method and the path pattern to configure restrictions.
http.authorizeRequests().antMatchers(HttpMethod.GET, "/protected").authenticated()
.antMatchers(HttpMethod.GET, "/home").permitAll()
.anyRequest().denyAll()
.and()
.formLogin()
.and()
.httpBasic();
antMatchers(String... patterns):
We can specify only path patterns to configure restrictions; the rule then applies to all HTTP methods.
http.authorizeRequests().antMatchers("/protected/**").authenticated()
.antMatchers("/home/**").permitAll()
.anyRequest().denyAll()
.and()
.formLogin()
.and()
.httpBasic();
antMatchers(HttpMethod method):
We can specify only the HTTP method, ignoring path patterns, to configure restrictions. This is the same as antMatchers(HttpMethod)
http.authorizeRequests().antMatchers(HttpMethod.GET).authenticated()
.antMatchers(HttpMethod.POST).permitAll()
.anyRequest().denyAll()
.and()
.formLogin()
.and()
.httpBasic();
Note: Generally mvcMatchers() is more secure than antMatchers(). As an example:
- antMatchers("/protected") matches only the exact /protected URL
- mvcMatchers("/protected") matches /protected as well as /protected/, /protected.html, /protected.xyz
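The following is an added example, not code from the original post. It approximates a set of antMatchers rules with spring-core's AntPathMatcher (Spring Security itself is not invoked) to show which rule each path hits, including the /protected variants from the note above. The class name MatcherCheck, the RULES table and the sample paths are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Added illustration; requires spring-core on the classpath.
public class MatcherCheck {

    private static final AntPathMatcher ANT = new AntPathMatcher();

    // Rules in declaration order. Spring Security applies the first rule
    // whose pattern matches, then falls through to anyRequest().
    private static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/protected", "authenticated"); // exact pattern, as in the note
        RULES.put("/home/**", "permitAll");
    }

    // Returns the decision a path would receive under the rules above.
    static String decide(String path) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (ANT.match(rule.getKey(), path)) {
                return rule.getValue() + " (rule " + rule.getKey() + ")";
            }
        }
        return "denyAll (anyRequest)";
    }

    public static void main(String[] args) {
        // Constructed sample paths: the exact URL plus the variants that an
        // exact Ant pattern does not cover.
        List<String> paths = List.of("/protected", "/protected/",
                "/protected.html", "/home", "/home/a/b", "/other");
        for (String p : paths) {
            System.out.printf("%-18s -> %s%n", p, decide(p));
        }
        // Wildcard semantics from the earlier note on * and **.
        System.out.println("/x/**/z vs /x/y/abc/z: "
                + ANT.match("/x/**/z", "/x/y/abc/z"));
        System.out.println("/x/*/z  vs /x/y/abc/z: "
                + ANT.match("/x/*/z", "/x/y/abc/z"));
    }
}
```

Paths such as /protected/ and /protected.html miss the exact Ant pattern and fall through to the final rule, which is why the snippets in this post end with anyRequest().denyAll().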
Regex matchers
regexMatchers(HttpMethod method, String regex):
We can specify both the HTTP method and the path regex to configure restrictions.
http.authorizeRequests().regexMatchers(HttpMethod.GET, "/(en|es|zh)").authenticated()
.anyRequest().denyAll()
.and()
.formLogin()
.and()
.httpBasic();
regexMatchers(String regex):
We can specify only the path regex to configure restrictions; the rule then applies to all HTTP methods.
http.authorizeRequests().regexMatchers("/(en|es|zh)").authenticated()
.anyRequest().denyAll()
.and()
.formLogin()
.and()
.httpBasic();
That’s it for this post. I hope you guys enjoyed it. If you liked this post, please share it with your friends and colleagues, and on your social media profile. Thank you, and I will see you in the next post.
/hello/health*//** if I mention like this in antmatchers, what is the meaning of mentioned *//**
Thanks in advance.