Reputation: 6611
Spring-Security: Difference Between /** and /* url pattern in Spring-Security
I am little bit confuse with URL-pattern in spring security. Because, in servlet core http security, the / and /* url patterns are used for specify one or more directories. / is use for one directory and /* is used of many directories. But in spring-security, the /** is also introduce, what is the main purpose of /** url-pattern in security.
Upvotes: 35
Views: 33720
Answers (4)
Reputation: 129
"/api/v1/user/*" - will match any value, up to another "/"
"/api/v1/user/**" - will match all values beginning with start of string (including if another "/" is found.
Upvotes: 3
Reputation: 343
@Override
protected void configure(HttpSecurity http) throws Exception {
// ...
.antMatchers(HttpMethod.GET, "/**").permitAll
.antMatchers(HttpMethod.POST, "/*").permitAll
// ...
}
In this configuration any "Get" request will be permitted, for example:
- /book
- /book/20
- /book/20/author
So, all this urls match text with pattern "/**".
Permitted urls for "Post":
- /book
- /magazine
Urls above match with "/*"
Upvotes: 17
Reputation: 658
The difference between /* & /** is that the second matches the entire directory tree, including subdirectories, where as /* only matches at the level it's specified at.
Upvotes: 34
Reputation: 2655
According to Spring Security documentation the main purpose of /** is to catch-all wildcards:
In practice we recommend that you use method security at your service layer, to control access to your application, and do not rely entirely on the use of security constraints defined at the web-application level. URLs change and it is difficult to take account of all the possible URLs that an application might support and how requests might be manipulated. You should try and restrict yourself to using a few simple ant paths which are simple to understand. Always try to use a “deny-by-default” approach where you have a catch-all wildcard (/** or **) defined last and denying access.
We also should not forget that
Patterns are always evaluated in the order they are defined. Thus it is important that more specific patterns are defined higher in the list than less specific patterns.
Thus we can have something like this:
<security:http pattern="/rest-service/**" authentication-manager-ref="authenticationManager" auto-config="false" access-decision-manager-ref="accessDecisionManager">
<security:intercept-url pattern="/rest-service/report/export/xml" access="AUTH_REPORT_EXPORTXML" />
<security:intercept-url pattern="/**" access="AUTH_SYSTEM_LOGIN" />
<security:http-basic />
</security:http>
which means that for all requests we will need AUTH_SYSTEM_LOGIN authority, but specifically for /rest-service/report/export/xml the user will need AUTH_REPORT_EXPORTXML authority as well because it is defined above. As they also say it is better not rely only on this security constrains which means that it is good also to duplicate those in service methods with secured annotation like this:
@Secured("AUTH_REPORT_EXPORTXML")
In general as I understand there is no difference between /* and /** except that the last one catches all the wildcards.
Upvotes: 8
Related Questions
- Spring: Difference of /** and /* with regards to paths
- What is the difference between /* and /** pattern in Spring boot?
- Spring Security, trailing slashes, and dots in URLs
- what does double star regex means in spring security url
- difference between /** and /* in Spring
- Java EE Security Model Web collection: Difference URL pattern "/" and "/*"
- Difference between / and /**
- secure two or more /** url in spring security
- Spring and the /* url pattern
- How to unsecure /** URL pattern in spring-security