6

I have been struggling to understand how and when to use HttpSecurity.requestMatchers. Though I use HttpSecurity.requestMatchers but I have call authorizeRequests and antMatchers to specify the security rules.

When should I use 

 http.requestMatchers()
              .antMatchers("/secure/**","/patients/**","/patient/**", "/hello/**")
              .and()
              .authorizeRequests().antMatchers("/secure/**","/books/**","/book/**", "/hello/**")
              .hasAnyRole("ADMIN","USER");

over

      http
      .authorizeRequests().antMatchers("/secure/**","/books/**","/hello/**", "/hello/**")
      .hasAnyRole("ADMIN","USER");

A scenario would help me to understand the use-case of HttpSecurity.requestMatchers

I did look into requestMatchers, but still not clear to me

Shiva
  • 1,962
  • 2
  • 13
  • 31
  • Possible duplicate of https://stackoverflow.com/questions/35890540/when-to-use-spring-securitys-antmatcher – dur Dec 06 '18 at 19:16

1 Answers1

10

If you need to configure multiple HttpSecurity in your application, than you would typically use HttpSecurity.requestMatchers() or one of the alternative (but similar) configuration options:

  • HttpSecurity.requestMatcher(RequestMatcher)
  • HttpSecurity.antMatcher(String)
  • HttpSecurity.mvcMatcher(String)
  • HttpSecurity.regexMatcher(String)

See the reference in 6.10 Multiple HttpSecurity

For example, if your application has a set of API's rooted at the base path /api and another category of endpoints for the admin section of the application rooted at the base path /admin, than you might define 2x WebSecurityConfigurerAdapter for your application as such:

@EnableWebSecurity
public class SecurityConfig {

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/api/**")
                    .and()
                .authorizeRequests()
                    .antMatchers("/api/endpoint1")
                        .hasRole("USER1");
        }
    }

    @Configuration
    public static class AdminWebSecurityConfig extends WebSecurityConfigurerAdapter {
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/admin/**")
                    .and()
                .authorizeRequests()
                    .antMatchers("/admin/endpoint1")
                        .hasRole("ADMIN1");

        }
    }
}

However, if you only provide 1x WebSecurityConfigurerAdapter than you don't need to configure HttpSecurity.requestMatchers() (or any of the alternatives) because it will automatically default to HttpSecurity.requestMatcher(AnyRequestMatcher.INSTANCE). So for these configuration cases, this is sufficient:

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(...
    }
}

Hopefully, this makes sense?

Joe Grandja
  • 618
  • 4
  • 12
  • So, you mean when I make call to `requestMathers` and then `antMatchers` , it does tell that this http security configuration (or **filter chain**) responsible to handle the the patterns( for example`api/endpoint1`).. Is my understanding correct? – Shiva Dec 07 '18 at 04:17
  • 1
    Yes, that is correct. Using `http.requestMatchers().antMatchers("/api/**")` matches on a specific `SecurityFilterChain` (which is built from a `WebSecurityConfigurerAdapter `) – Joe Grandja Dec 07 '18 at 16:37