
I have REST APIs and I wish to secure them using Spring Security -

    override fun configure(http: HttpSecurity?) {
        http?.authorizeRequests()
                // every path under /podcast/ requires the admin role
                ?.antMatchers("/podcast/**")?.hasRole("admin")
                // GET requests under /podcast/details/ are meant to be public
                ?.antMatchers(HttpMethod.GET, "/podcast/details/**")?.permitAll()
                ?.antMatchers("/")?.permitAll()
                ?.and()
                ?.formLogin()
    }

`?.antMatchers("/podcast/**")?.hasRole("admin")` is working, but `?.antMatchers(HttpMethod.GET, "/podcast/details/**")?.permitAll()` gets completely ignored when I'm trying to hit the http://localhost:8080/podcast/details/all API.

However, when I reverse the pattern checks like this -

    override fun configure(http: HttpSecurity?) {
        http?.authorizeRequests()
                // the more specific GET rule now comes first
                ?.antMatchers(HttpMethod.GET, "/podcast/details/**")?.permitAll()
                ?.antMatchers("/podcast/**")?.hasRole("admin")
                ?.antMatchers("/")?.permitAll()
                ?.and()
                ?.formLogin()
    }

It works as expected.

I was of the belief that the strictest pattern has to be first, but the above case is proving otherwise. What am I missing?

krtkush

1 Answer


When you say "stricter pattern first", it is not about the permission. It is about which URL patterns are more specific. So /podcast/details/** is more specific than /podcast/**.

I.e., when you receive the request /podcast/details/123, it will go for URL matching in the order you defined. So if you put /podcast/** first, it will match it and it does not check the rest.
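To make the first-match-wins evaluation concrete, here is an added example (not part of the question, the answer, or Spring Security itself) that simulates how an ordered list of antMatchers rules is consulted. The Ant-pattern translation is a deliberate simplification of Spring's AntPathMatcher (only `**`, `*` and `?` are handled), and the rule lists and request paths are constructed to mirror the two orderings in the question; the "no rule matched" result is this script's own label, not Spring's behaviour.

```python
import re
from typing import List, Optional, Tuple

# A rule is (HTTP method or None for "any method", Ant-style pattern, access decision).
Rule = Tuple[Optional[str], str, str]

def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a simplified Ant-style path pattern to an anchored regex.

    '/**' matches zero or more further path segments, '*' matches any
    characters within a single segment, '?' matches one character.
    This is an approximation of Spring's AntPathMatcher, enough for ordering demos.
    """
    regex = "^"
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            regex += "(?:/.*)?"   # '/podcast/**' also matches '/podcast' itself
            i += 3
        elif pattern.startswith("**", i):
            regex += ".*"
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            regex += "[^/]"
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile(regex + "$")

def decide(rules: List[Rule], method: str, path: str) -> str:
    """Walk the rules in declaration order and return the FIRST matching decision.

    A rule with a method only applies to requests using that method; a rule with
    method None applies to every method. Later rules are never consulted once one
    matches, which is exactly why declaration order matters.
    """
    for rule_method, pattern, access in rules:
        if rule_method is not None and rule_method != method:
            continue
        if ant_to_regex(pattern).match(path):
            return access
    return "no rule matched"  # constructed label for "fell off the end of the list"

# Constructed rule lists mirroring the question's two configurations.
BROKEN_ORDER: List[Rule] = [
    (None, "/podcast/**", "hasRole('admin')"),          # catches everything below /podcast
    ("GET", "/podcast/details/**", "permitAll"),        # never reached for /podcast/details/...
    (None, "/", "permitAll"),
]

WORKING_ORDER: List[Rule] = [
    ("GET", "/podcast/details/**", "permitAll"),        # specific rule first
    (None, "/podcast/**", "hasRole('admin')"),          # broad rule second
    (None, "/", "permitAll"),
]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_ORDER), ("working", WORKING_ORDER)):
        for method, path in (("GET", "/podcast/details/all"), ("POST", "/podcast/details/all"),
                             ("GET", "/podcast/list"), ("GET", "/")):
            print(f"{name:8} {method:4} {path:22} -> {decide(rules, method, path)}")
```

Running it shows that with the broken order a GET to /podcast/details/all lands on the admin rule, while with the working order only GET requests to that path are public: a POST to the same path still falls through to the admin rule because the first rule is restricted to GET. Swapping the order of the two rules is the whole fix; the "strictness" of the permission itself never enters the decision.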