How to distinguish antMatchers with path variable from the rest of context path

Question

I have two paths:

/api/posts/{postId}
/api/posts/myPosts

I want to permit all for the first path and protect second path with role USER.

I tried below patterns but when I add first pattern, the second stop working (user can GET myPosts even if he doesn't have USER role). What I'm doing wrong?

.antMatchers(HttpMethod.GET, "/api/posts/{postId}").permitAll()
.antMatchers(HttpMethod.GET, "/api/posts/myPosts").hasRole("USER")

Switch the lines. Order matters. – dur Apr 14 '19 at 12:20 — dur, Apr 14 '19 at 12:20

score 1 · Answer 1 · answered Apr 14 '19 at 12:23

1

The problem is in the order of your rules. Reversing the order will work.

.antMatchers(HttpMethod.GET, "/api/posts/myPosts").hasRole("USER")
.antMatchers(HttpMethod.GET, "/api/posts/{postId}").permitAll()

answered Apr 14 '19 at 12:23

Anant Goswami

318
3
14

score -1 · Answer 2 · answered Apr 14 '19 at 12:31

-1

The thing here is that you have to specify that all the paths are authenticated since it is not the default implementation of the HttpSecurity object.

.antMatchers(HttpMethod.GET, "/api/posts/{postId}").permitAll()
.antMatchers(HttpMethod.GET, "/api/posts/myPosts").hasRole("USER")
.anyRequest().authenticated()

I suggest to check this link here by the guys over at baeldung, they give a brief intro to Spring Security.

answered Apr 14 '19 at 12:31

Fares Youssef

24
4

Your answer is wrong. Did you try it? – dur Apr 14 '19 at 12:34
1

I have already this line : .anyRequest().authenticated(). @AnantGoswami's answer is good. – enyoucky Apr 14 '19 at 12:37

How to distinguish antMatchers with path variable from the rest of context path

2 Answers2