Understanding requestMatchers() on spring-security

Question

I am studying some code of spring-security. I would like to understand this example that I found on internet 1:

http.requestMatchers()
        .antMatchers("/management/**") // (1)
        .and()
        .authorizeRequests() // (2)
        .antMatchers("/management/health")
        .permitAll()
        .antMatchers("/management/info")
        .permitAll()
        .antMatchers("/management/**")
        .hasRole("ACTUATOR")
        .anyRequest().permitAll()
        .and()
        .httpBasic(); (3)

}

I can not understand this configuration, why this code:

http.requestMatchers()
        .antMatchers("/management/**")
        .and()

Is before the .authorizeRequests() ? (1)

What does that mean?

Can you explanation this example?

2: In the second case, what is the difference?

http.requestMatchers().antMatchers("/rest2/**")
.and()
.authorizeRequests()
.antMatchers("/rest/v1/test/hello").permitAll()
.antMatchers("/rest/v1/test/**").denyAll()
.and()
.requestMatchers().antMatchers("/rest/**")
.and()
.authorizeRequests()
.antMatchers("/rest/v1/test/hello").permitAll();

What is the impact using requestMatchers()?

If I send a request to "/rest/v1/test/hello2" I received a 401 Why if the rule that deny a request does not match with the antMatchers("/rest2/**") ?

Don't ask two different questions in one question. You should open two separate question, because they are unrelated. — dur, Aug 26 '18 at 20:23
However, the answer of your first question is that your understanding of the default is wrong. In this case default means no custom Spring Security configuration, but you have a custom Sprig Security configuration. — dur, Aug 26 '18 at 20:26
Your second question is very likely a duplicate. See for example: https://stackoverflow.com/questions/35890540/when-to-use-spring-securitys-antmatcher (it is about `antMatcher`, but the explaination is the same for `requestMatchers`. — dur, Aug 26 '18 at 20:29
@dur, I split my quesiton in two question, see https://stackoverflow.com/questions/52039148/understanding-default-rule-on-spring-security-httpsecurity. I still have doubts why requestMatchers(), was used before other configurations, I almost see only authorizeRequests() in examples. — javaTry, Aug 27 '18 at 12:17

score 37 · Accepted Answer · answered Jul 17 '19 at 17:24

The purpose of requestMatchers() is to specify which requests the spring security configuration will be applied to.

For example if you have 2 endpoints "/public" and "/private" and you only want security (specifically csrf protection) applied to "/private", then you could add the following configuration:

http
    .requestMatchers()
        .antMatchers("/private/**")
        .and()
    .csrf();

Then, if you POST to "/private" you will get a 403 response.
But if you POST to "/public" you will get a 200, because there has been no security applied.

This is separate from authorizeRequests which indicates the type of access that is required for that endpoint, as opposed to whether security is applied at all.

In example 1 that you mention

http
    .requestMatchers()
        .antMatchers("/management/**")
        .and() 
        ...

the security configuration is only applied to "/management/**", so if you were to make a request to "/foo", it would not be secured.

In example 2 that you mention,

http
    .requestMatchers()
        .antMatchers("/rest2/**")
        .and()
    .authorizeRequests()
        .antMatchers("/rest/v1/test/hello").permitAll()
        .antMatchers("/rest/v1/test/**").denyAll()
        .and()
    .requestMatchers()
        .antMatchers("/rest/**")
        .and()
    .authorizeRequests()
        .antMatchers("/rest/v1/test/hello").permitAll();

the reason why "/rest/v1/test/hello2" responds with a 401 is because "/rest/**" is in a request matcher, so your security rule .antMatchers("/rest/v1/test/hello").permitAll() will apply.
If you were to make a request to "/rest3/v1/test/hello2", then it would respond with a 200 because "/rest3/**" is not part of any request matcher.

score 10 · Answer 2 · answered Mar 30 '23 at 14:10

Spring Boot 3 Update

WebSecurityConfigurerAdapter has been removed and Spring Security 5.5 introduced a new approach to configuring security using the SecurityFilterChain interface - with this the HttpSecurity builder API has been deprecated.

e.g. to allow requests on /public/ and everything further, while keeping the ant-pattern annotation, use:

  @Bean
  public SecurityFilterChain configure(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests((requests) -> requests
            .requestMatchers(new AntPathRequestMatcher("/public/**")).permitAll()
            .anyRequest().authenticated()) //other URLs are only allowed authenticated users.
        .httpBasic();
    return http.build();
  }

The definition of "Authenticated users" can be specified using a JwtTokenFilter extending a OncePerRequestFilter (for example).

score -6 · Answer 3 · answered Sep 19 '18 at 08:01

-6

Spring security API: public final class HttpSecurity.RequestMatcherConfigurer extends AbstractRequestMatcherRegistry

Allows mapping HTTP requests that this HttpSecurity will be used for

answered Sep 19 '18 at 08:01

何金水

1

unclear answer. You should add an explanation – stereo Jun 30 '22 at 09:24

Understanding requestMatchers() on spring-security

3 Answers3

Spring Boot 3 Update

Linked

Related