4

I have a Spring Boot application. I have configured OAuth2, both authorization and resource servers (separated). In the resource server (application.properties) I have:

server.servlet.context-path=/api

as well as:

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    (...)

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
            .and()
            .authorizeRequests()
            .antMatchers("/actuator/**", "/api-docs/**").permitAll()
            .antMatchers("/api/**").authenticated();
    }
}

The problem is that the API is not actually secured at all. Thanks to the doc and @dur's answer I know that

The pattern must not contain the context path

Indeed, changing from:

.antMatchers("/api/**").authenticated();

to:

.antMatchers("/**").authenticated();

works fine. But the question is: is it possible to use the context path in this use case instead of using /**? I could repeat .antMatchers() for each and every controller (or use /**), but maybe there is a way to use the context path?

user3529850

  • `2.0.5.RELEASE` – user3529850 Dec 31 '18 at 15:49
  • Why do you need the context path? Why do you think that it is better? However, you could always implement your own `RequestMatcher`. – dur Dec 31 '18 at 15:58
  • I think it's more readable when you use the specific context `/api/**` rather than everything `/**`. It gives me the sense that I didn't accidentally influence something beyond `/api/**`. A second reason might be a situation where I have multiple contexts and want to apply different security logic to each. – user3529850 Dec 31 '18 at 16:12

1 Answer

0
  1. Inject the property into a variable and use that in the code.
  2. I am also demonstrating an IMHO nicer way of writing the config with lambdas, where you do not need ".and()" and you can see the scope blocks better.
  3. The empty .requestMatchers().and() does nothing, so you can remove it, which would also be more obvious in lambda notation: .requestMatchers(matchers -> matchers)
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    (...)
    // Default to an empty string when no context path is configured
    // (a default of '' would inject the two literal quote characters).
    @Value("${server.servlet.context-path:}")
    private String contextPath; // <<<< I am the path !

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                .antMatchers(contextPath + "/actuator/**", "/api-docs/**").permitAll()
                .antMatchers(contextPath + "/**").authenticated()
            );
    }
}

But if you really want to, you can also write the code the old way. It has no effect on using the variable:

http
    .authorizeRequests()
    .antMatchers(contextPath + "/actuator/**", "/api-docs/**")
    .permitAll()
    .antMatchers(contextPath + "/**")
    .authenticated();

user3852017
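An added example, not code from the question or the answer, of the custom `RequestMatcher` that dur's comment mentions. Spring Security's built-in `AntPathRequestMatcher` compares patterns against the servlet path (the URI with the context path already stripped), which is why `/api/**` matches nothing when the context path is `/api` and the API ends up unprotected. The matcher below compares against `request.getRequestURI()`, which still carries the context path, so the rules can be written with the prefix the asker wants. The class name `FullUriRequestMatcher` and the trailing `anyRequest().denyAll()` fail-closed default are this example's own choices; the property name, patterns and adapter class come from the page.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.AntPathMatcher;

/**
 * Ant-style matcher that tests its pattern against request.getRequestURI(),
 * i.e. the path including the context path. (Example class, assumed name.)
 */
final class FullUriRequestMatcher implements RequestMatcher {

    private static final AntPathMatcher ANT = new AntPathMatcher();
    private final String pattern;

    FullUriRequestMatcher(String pattern) {
        this.pattern = pattern;
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        // getRequestURI() keeps the context path; the servlet path used by
        // Spring Security's AntPathRequestMatcher does not.
        return ANT.match(pattern, request.getRequestURI());
    }
}

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Empty default: with no context path configured the patterns start at "/".
    @Value("${server.servlet.context-path:}")
    private String contextPath;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Public endpoints, spelled out with the context path prefix.
                .requestMatchers(new FullUriRequestMatcher(contextPath + "/actuator/**")).permitAll()
                .requestMatchers(new FullUriRequestMatcher(contextPath + "/api-docs/**")).permitAll()
                // Everything else under the context path requires a valid token.
                .requestMatchers(new FullUriRequestMatcher(contextPath + "/**")).authenticated()
                // Fail closed: a request no rule above describes is rejected
                // instead of silently passing through unauthenticated.
                .anyRequest().denyAll();
    }
}
```

Two notes on using this. First, `getRequestURI()` is the raw, undecoded path; the `StrictHttpFirewall` that Spring Security 5 installs by default rejects requests whose URI contains a semicolon, an encoded slash or percent sign, or a non-normalized segment such as `..` before any matcher runs, so a plain string comparison like the one above is not circumvented by path tricks. Second, whichever variant is adopted, verify the effect rather than trusting the pattern by eye: a MockMvc or integration test issuing `GET /api/<any controller path>` without a bearer token should receive a 401, and the same request with a valid token a 200. That test is what would have flagged the original `/api/**` rule as matching nothing.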