4

I have two configuration:

@Order(1)

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/api/**")
        .authorizeRequests()
        .anyRequest().hasRole("USER")
        .and()
        .httpBasic()
        .and()
        .csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .exceptionHandling()
        .authenticationEntryPoint(new ApiAuthenticationEntryPoint(objectMapper));
}

@Order(2)

http.authorizeRequests()
    .antMatchers("/product/**").hasRole(SecurityRoles.USER)
    .and()
    .formLogin()
    .loginPage("/login")
    .loginProcessingUrl("/authenticateTheUser")
    .successHandler(customAuthenticationSuccessHandler)
    .permitAll()
    .and()
    .logout()
    .permitAll()
    .and()
    .exceptionHandling()
    .accessDeniedPage("/access-denied");

I need to add functionality to register a new user with the REST endpoint /api/users with no authentication. The other /api/** endpoints should remain with basic authentication. How to do this? I can't see the method antMatcher with an option to choose the http method type.

Edit:

I need something like this:

http.antMatcher("/api/users", HttpMethod.POST.toString).permitAll()
    .and()
    .antMatcher("/api/**")
            .authorizeRequests()
            .anyRequest().hasRole("USER")
(...)
AppiDevo
  • 3,195
  • 3
  • 33
  • 51
  • There isn't one for `antMatcher` (singular). The interface is intentionally minimal. [The JavaDoc says](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/builders/HttpSecurity.html#antMatcher-java.lang.String-) "If more advanced configuration is necessary, consider using `requestMatchers()` or `requestMatcher(RequestMatcher)`." – Michael Mar 25 '19 at 13:30
  • See my edit. Could you show me how to do this, please? Because of two configurations (REST + WWW) I have a problem how to properly configure my API endpoints with use of antMatchers (plural). I could only configure all API endpoints `/api/**`. But don't know how to permit one specific `/api/users/` with POST. – AppiDevo Mar 25 '19 at 13:38

1 Answers1

9

You can do that with antMatchers() though:

http
    .antMatcher("/api/**")
        .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/api/user").permitAll()
            .anyRequest().hasRole("USER")

The difference between antMatcher(..) and antMatchers(..) is that you use antMatcher(..) when you have separate security configuration classes. This could be necessary when you need to differentiate between:

  • Authentication mechanisms (form login, basic authentication, ...)
  • CSRF handling
  • Session management
  • Filters
  • User details services
  • ...

The antMatchers(..) on the other hand (within authorizeRequests(..)) is used to differentiate between authorization levels (which roles have access to certain endpoint).

In your case, the configuration falls under the latter, as you only need to differentiate between the authority of the POST /api/user endpoint.

However, if you really need mor granular control over which security configuration class that should be applied, then you should use RequestMatcher as mentioned in the comments.

This interface has a single HttpServletRequest argument and expects you to return a boolean. Since HttpServletRequest contains all information you need, such as the path and the HTTP method, you could properly tune which configuration class should apply. However, in this case it isn't necessary.

g00glen00b
  • 41,995
  • 13
  • 95
  • 133