Everything you need to know about Matcher methods in Spring Security




Hey guys, in this post we will discuss everything you need to know about Spring Security matcher methods. This is a continuation of the previous post, so please read that one before proceeding with this.

Overview


Spring Security offers three types of matcher methods for configuring which endpoints are secured:
  1. MVC matchers
  2. Ant matchers
  3. Regex matchers

MVC matchers


mvcMatchers() uses Spring MVC's HandlerMappingIntrospector to match the path and extract path variables, so it matches requests the same way Spring MVC routes them.

  • mvcMatchers(HttpMethod method, String... patterns): We can specify both the HTTP method and path patterns to configure restrictions
http.authorizeRequests().mvcMatchers(HttpMethod.GET, "/protected").authenticated()
		.mvcMatchers(HttpMethod.GET, "/home").permitAll()
		.anyRequest().denyAll()
		.and()
		.formLogin()
		.and()
		.httpBasic();
  • mvcMatchers(String... patterns): We can specify only path patterns to configure restrictions; the rule then applies to requests with any HTTP method.
http.authorizeRequests().mvcMatchers("/protected/**").authenticated()
		.mvcMatchers("/home/**").permitAll()
		.anyRequest().denyAll()
		.and()
		.formLogin()
		.and()
		.httpBasic();

Note:

  • ** matches any number of path segments. For example, /x/**/z matches both /x/y/z and /x/y/abc/z
  • A single * matches a single path segment. For example, /x/*/z matches /x/y/z and /x/abc/z, but not /x/y/abc/z

ANT matchers


antMatchers() uses Spring's AntPathMatcher, an implementation of Ant-style path patterns. Part of this mapping code has been kindly borrowed from Apache Ant.

  • antMatchers(HttpMethod method, String... patterns): We can specify both the HTTP method and path patterns to configure restrictions
http.authorizeRequests().antMatchers(HttpMethod.GET, "/protected").authenticated()
		.antMatchers(HttpMethod.GET, "/home").permitAll()
		.anyRequest().denyAll()
		.and()
		.formLogin()
		.and()
		.httpBasic();
  • antMatchers(String... patterns): We can specify only path patterns to configure restrictions; the rule then applies to requests with any HTTP method
http.authorizeRequests().antMatchers("/protected/**").authenticated()
		.antMatchers("/home/**").permitAll()
		.anyRequest().denyAll()
		.and()
		.formLogin()
		.and()
		.httpBasic();
  • antMatchers(HttpMethod method): We can specify only the HTTP method, ignoring the path, to configure restrictions. This is equivalent to antMatchers(method, "/**")
http.authorizeRequests().antMatchers(HttpMethod.GET).authenticated()
		.antMatchers(HttpMethod.POST).permitAll()
		.anyRequest().denyAll()
		.and()
		.formLogin()
		.and()
		.httpBasic();

Note: Generally mvcMatchers() is more secure than antMatchers(), because it matches URLs the way Spring MVC actually routes them. For example:

  • antMatchers("/protected") matches only the exact /protected URL
  • mvcMatchers("/protected") matches /protected as well as /protected/, /protected.html and /protected.xyz (every URL that Spring MVC would route to the /protected handler)
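The following is an added example, not code from the original post: a complete Spring Security 5.x configuration class (WebSecurityConfigurerAdapter, the API the snippets above use) showing the weak antMatchers() rule beside the mvcMatchers() rule that closes the gap. The class name, the /protected and /home paths and the use of HTTP Basic are assumptions for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: illustrative class name; assumes spring-boot-starter-web and
// spring-boot-starter-security (Spring Security 5.x) on the classpath.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Weak variant (shown for comparison, do not use):
            //
            //   .antMatchers(HttpMethod.GET, "/protected").authenticated()
            //   .anyRequest().permitAll()
            //
            // The Ant pattern "/protected" is an exact match, so /protected/ and
            // /protected.html do not hit that rule and fall through to permitAll().
            // Depending on Spring MVC's path-matching settings (trailing-slash and
            // suffix-pattern matching), Spring MVC can still route those variants to
            // the same @GetMapping("/protected") handler, so the page is served
            // without authentication.

            // Hardened variant: mvcMatchers() matches with the same
            // HandlerMappingIntrospector that Spring MVC uses for routing, so every
            // URL that would reach the /protected handler is covered by one rule.
            .mvcMatchers(HttpMethod.GET, "/protected").authenticated()
            .mvcMatchers("/home/**").permitAll()
            // Deny by default: a path that none of the rules above match is rejected
            // instead of being silently allowed, which limits the damage of any
            // matcher that is narrower than intended.
            .anyRequest().denyAll()
            .and()
            .httpBasic();
    }
}
```

A quick check after deploying such a configuration is to request /protected, /protected/ and /protected.html without credentials and confirm that all three return 401 rather than 200.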

REGEX matchers


Regular expressions can describe almost any string format, so regexMatchers() offers the most flexibility of the three.

  • regexMatchers(HttpMethod method, String... regexPatterns): We can specify both the HTTP method and path regexes to configure restrictions
http.authorizeRequests().regexMatchers(HttpMethod.GET, "/(en|es|zh)").authenticated()
		.anyRequest().denyAll()
		.and()
		.formLogin()
		.and()
		.httpBasic();
  • regexMatchers(String... regexPatterns): We can specify only path regexes to configure restrictions; the rule then applies to requests with any HTTP method
http.authorizeRequests().regexMatchers("/(en|es|zh)").authenticated()
		.anyRequest().denyAll()
		.and()
		.formLogin()
		.and()
		.httpBasic();

That's it for this post. I hope you guys enjoyed it; if you did, please share it with your friends and colleagues and on your social media profiles. Thank you, and I will see you in the next post.



Bushan Sirgur

Hey guys, I am Bushan Sirgur from Bangalore, India. Currently, I am working as an Associate project in an IT company.

This Post Has One Comment

  1. Thirupathi

    If I mention /hello/health*//** like this in antMatchers, what is the meaning of the mentioned *//**?

    Thanks in advance.
