
The project I am working on has Spring Security antMatchers configured as follows:

http.authorizeRequests()
    .antMatchers("/v1/users/**").authenticated()                    // broad rule, declared first
    .antMatchers(HttpMethod.POST, "/v1/users/*/do").permitAll();    // narrower rule, declared second

When I try to access /v1/users/2/do, I get an unauthorized error, but I expected it to be accessible since I added "permitAll()" to the URL pattern.

I have tried:

.antMatchers(HttpMethod.POST, "/v1/users/{id}/do").permitAll()

I still get unauthorized access.

Sana
ad3bay0

1 Answer


You need to switch the lines in order to put the most specific rule(s) first:

http.authorizeRequests()
    .antMatchers(HttpMethod.POST, "/v1/users/*/do").permitAll()    // most specific rule first
    .antMatchers("/v1/users/**").authenticated();                   // broad rule after it

This is because the first matching rule (in the order the rules were declared) is the one used.

Since you have the most general rule first, this is the one taken into account, ignoring the next possible match (and forbidding the request).

lealceldeiro
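As an added example (not code from the question or the answer above), the corrected ordering written out as a complete Spring Security 5.x configuration, followed by a JUnit 5 test that reproduces the first-match behaviour with Spring's own AntPathRequestMatcher and MockHttpServletRequest, so it runs without a servlet container. Assumed: Spring Security 5.x with the WebSecurityConfigurerAdapter/antMatchers API used in the question (both removed in 6.x), spring-test and JUnit 5 on the classpath, and HTTP Basic as the login mechanism. The CSRF exemption is a caveat the thread does not mention: CsrfFilter runs before authorization, so an anonymous POST without a token is rejected even on a permitAll path.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

import org.junit.jupiter.api.Test;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

import static org.junit.jupiter.api.Assertions.assertEquals;

/** Corrected ordering: the narrower rule is declared before the broad one. (Assumed Spring Security 5.x API.) */
@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific first: only POST to /v1/users/<one segment>/do is anonymous.
                .antMatchers(HttpMethod.POST, "/v1/users/*/do").permitAll()
                // Everything else under /v1/users/ (any depth, any method) needs a login.
                .antMatchers("/v1/users/**").authenticated()
                .anyRequest().authenticated()
                .and()
            // CSRF protection is on by default and runs before authorization, so an
            // anonymous POST without a token would still be rejected; exempt just this path.
            .csrf().ignoringAntMatchers("/v1/users/*/do")
                .and()
            .httpBasic();
    }
}

/** Reproduces the first-match rule with Spring's own matcher, outside a servlet container. */
class RuleOrderTest {

    // Rules are consulted in declaration order; a LinkedHashMap keeps insertion order.
    private static String firstMatch(Map<RequestMatcher, String> rules, HttpServletRequest req) {
        for (Map.Entry<RequestMatcher, String> rule : rules.entrySet()) {
            if (rule.getKey().matches(req)) {
                return rule.getValue();
            }
        }
        return "denied";
    }

    // Constructed request: AntPathRequestMatcher matches on servletPath + pathInfo, not requestURI.
    private static HttpServletRequest request(String method, String path) {
        MockHttpServletRequest req = new MockHttpServletRequest(method, path);
        req.setServletPath(path);
        return req;
    }

    @Test
    void originalOrderShadowsThePermitAllRule() {
        Map<RequestMatcher, String> rules = new LinkedHashMap<>();
        rules.put(new AntPathRequestMatcher("/v1/users/**"), "authenticated");
        rules.put(new AntPathRequestMatcher("/v1/users/*/do", "POST"), "permitAll");

        // The broad ** rule matches first, so the POST rule is never consulted.
        assertEquals("authenticated", firstMatch(rules, request("POST", "/v1/users/2/do")));
    }

    @Test
    void specificRuleFirstLetsThePostThrough() {
        Map<RequestMatcher, String> rules = new LinkedHashMap<>();
        rules.put(new AntPathRequestMatcher("/v1/users/*/do", "POST"), "permitAll");
        rules.put(new AntPathRequestMatcher("/v1/users/**"), "authenticated");

        assertEquals("permitAll", firstMatch(rules, request("POST", "/v1/users/2/do")));
        // The HTTP method restriction still applies: a GET to the same path falls through.
        assertEquals("authenticated", firstMatch(rules, request("GET", "/v1/users/2/do")));
        // '*' is a single path segment, so a deeper path is not opened up either.
        assertEquals("authenticated", firstMatch(rules, request("POST", "/v1/users/2/x/do")));
    }
}
```

The test's loop mirrors what Spring does with the registry built by authorizeRequests(): matchers are stored in declaration order and the first one that matches decides the access rule. The two extra assertions show that fixing the order does not widen access beyond the intent: other methods and deeper paths still require authentication.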