In Spring Security 6, the requestMatchers methods have replaced the deprecated antMatchers, mvcMatchers, and regexMatchers methods for configuring path-based access control. Here are the key points about the new requestMatchers:
Use requestMatchers in authorizeHttpRequests
The authorizeHttpRequests method in HttpSecurity configuration allows you to configure fine-grained request matching for access control. You can use the requestMatchers method to specify which requests should be permitted or authenticated. For example:
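@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/greet").permitAll()   // public endpoint
            .anyRequest().authenticated())           // everything else requires login
        // Customizer is org.springframework.security.config.Customizer
        .formLogin(Customizer.withDefaults())
        .build();
}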
This configuration permits access to the /greet endpoint without authentication while requiring authentication for all other requests.
requestMatchers vs securityMatchers
There are two similar methods: requestMatchers and securityMatchers. Both choose the most appropriate RequestMatcher implementation based on the presence of Spring MVC in the classpath:
- If Spring MVC is present, it uses MvcRequestMatcher
- If Spring MVC is not present, it falls back to AntPathRequestMatcher
The main difference is that securityMatchers is used in places like WebSecurityCustomizer, while requestMatchers is used in authorizeHttpRequests.
Choosing the Right Matcher
The requestMatchers methods allow you to match requests based on patterns or other criteria without relying on specific matchers like AntPathRequestMatcher or RegexRequestMatcher. This provides more flexibility and better defaults.
To use a specific matcher, you can pass a RequestMatcher implementation to the requestMatchers method:
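@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
        .authorizeHttpRequests(auth -> auth
            // Explicit matcher: bypasses the automatic MVC/Ant selection
            .requestMatchers(new AntPathRequestMatcher("/greet")).permitAll()
            .anyRequest().authenticated())
        // Customizer is org.springframework.security.config.Customizer
        .formLogin(Customizer.withDefaults())
        .build();
}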
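
The following is an added example, not code from the original article: it probes which requests an explicitly constructed AntPathRequestMatcher matches, so the reach of a permitAll() rule can be checked before it ships. It assumes spring-security-web 6.x and spring-test on the classpath; the class name MatcherProbe, the helper request() and the sample paths are constructed for illustration.

```java
// Added example (not from the original article). MatcherProbe, request() and the
// sample paths are hypothetical names and constructed inputs.
import java.util.List;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class MatcherProbe {

    // Build a request the way the servlet container would hand it to the filter chain.
    static MockHttpServletRequest request(String method, String path) {
        MockHttpServletRequest req = new MockHttpServletRequest(method, path);
        // AntPathRequestMatcher evaluates servletPath (plus pathInfo), not requestURI.
        req.setServletPath(path);
        return req;
    }

    public static void main(String[] args) {
        // The matcher from the article, plus two common variants for comparison.
        RequestMatcher exact = new AntPathRequestMatcher("/greet");
        RequestMatcher getOnly = new AntPathRequestMatcher("/greet", "GET");
        RequestMatcher subtree = new AntPathRequestMatcher("/greet/**");

        // Constructed sample requests: method, path.
        List<String[]> samples = List.of(
            new String[] {"GET", "/greet"},
            new String[] {"POST", "/greet"},
            new String[] {"GET", "/greet/"},
            new String[] {"GET", "/Greet"},
            new String[] {"GET", "/greet/admin"});

        System.out.printf("%-6s %-14s %-7s %-8s %-8s%n",
            "method", "path", "exact", "getOnly", "subtree");
        for (String[] s : samples) {
            MockHttpServletRequest req = request(s[0], s[1]);
            System.out.printf("%-6s %-14s %-7b %-8b %-8b%n", s[0], s[1],
                exact.matches(req), getOnly.matches(req), subtree.matches(req));
        }
    }
}
```

Any request the permitAll() matcher does not match falls through to anyRequest().authenticated() in the configuration above, so the table shows exactly which requests are reachable without authentication.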
In summary, the new requestMatchers methods in Spring Security 6 provide a more flexible and secure way to configure path-based access control, choosing the most appropriate RequestMatcher implementation based on the application's dependencies.