I am learning Spring and want to know why there is a difference when I change the order of these two authorizeRequests() methods:

This works fine:

security.authorizeRequests()
    .antMatchers("/css/**")
    .permitAll();

security.authorizeRequests()
    .anyRequest()
    .authenticated();

This does not:

security.authorizeRequests()
    .anyRequest()
    .authenticated();

security.authorizeRequests()
    .antMatchers("/css/**")
    .permitAll();

What I mean by "doesn't work" is that the CSS is not applied on my login page when using the second example. Why does the order of these two methods actually matter?

arkpas
  • The rules are considered in the order they are defined in. The first rule that matches is taken. In your second sample that is that each request requires authentication. See https://docs.spring.io/spring-security/site/docs/5.1.6.RELEASE/reference/htmlsingle/#jc-authorize-requests – M. Deinum Aug 26 '19 at 13:04
  • I understand now, these rules should be defined from most specific to most general, so when nothing along the way matches, the last rule is applied. Thank you :) – arkpas Aug 26 '19 at 13:21
  • As an example of why you can see this: https://stackoverflow.com/q/57304623/5640649 – lealceldeiro Aug 26 '19 at 13:37

1 Answer

When there are multiple children to the http.authorizeRequests() method, each matcher is considered in the order they were declared. In your second example, it defines that every request requires authentication.
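
The first-match-wins behaviour described in the comments and the answer, as an added example that is not part of the original posts and is not Spring Security's own code. It is a simplified model: the `Rule` class, the `decide` and `firstShadowedRule` helpers, and the sample paths are all hypothetical names constructed for illustration.

```java
import java.util.List;
import java.util.function.Predicate;

// Simplified model of ordered, first-match-wins rules; not Spring Security's own code.
public class RuleOrderDemo {

    // One rule: a path matcher, the access decision attached to it, and a catch-all flag.
    static final class Rule {
        final Predicate<String> matcher;
        final String access;
        final boolean catchAll;
        Rule(Predicate<String> matcher, String access, boolean catchAll) {
            this.matcher = matcher;
            this.access = access;
            this.catchAll = catchAll;
        }
    }

    // Stand-in for antMatchers("/css/**").permitAll(): /css and everything below it.
    static final Rule CSS = new Rule(p -> p.equals("/css") || p.startsWith("/css/"), "permitAll", false);
    // Stand-in for anyRequest().authenticated(): matches every path.
    static final Rule ANY = new Rule(p -> true, "authenticated", true);

    // Rules are checked in declaration order; the first one that matches decides.
    static String decide(List<Rule> rules, String path) {
        for (Rule r : rules) {
            if (r.matcher.test(path)) return r.access;
        }
        return "no rule matched";
    }

    // Index of the first rule declared after a catch-all (it can never match), or -1.
    static int firstShadowedRule(List<Rule> rules) {
        for (int i = 0; i < rules.size() - 1; i++) {
            if (rules.get(i).catchAll) return i + 1;
        }
        return -1;
    }

    public static void main(String[] args) {
        List<Rule> specificFirst = List.of(CSS, ANY); // first snippet in the question
        List<Rule> generalFirst = List.of(ANY, CSS);  // second snippet in the question
        for (String path : new String[] {"/css/login.css", "/login"}) { // constructed sample paths
            System.out.printf("%-15s specific-first=%-13s general-first=%s%n",
                    path, decide(specificFirst, path), decide(generalFirst, path));
        }
        System.out.println("shadowed rule index, specific-first: " + firstShadowedRule(specificFirst));
        System.out.println("shadowed rule index, general-first:  " + firstShadowedRule(generalFirst));
    }
}
```

With the general rule first, the stylesheet path resolves to `authenticated`, which matches the symptom in the question: the unauthenticated login page cannot load its CSS.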