Jazzepi

Reputation: 5490

What is the correct antmatcher for this URI?

I have a controller with a mapping as such. I've provided values for the constants.

Constants.restApiUriPrefix = "rest/"
UserController.uriExtension = "users"

@RequestMapping(value = Constants.restApiUriPrefix + UserController.uriExtension)
public class UserController {


    @RequestMapping(params = "username")
    @ResponseBody
    public ResponseWithView<User> getUserByName(@RequestParam String username, @ModelAttribute User authenticatingUser) {
        return new ResponseWithView<User>(userService.findByUsername(username));
    }

}

When I run a test I use the following URI from the root context of the web server.

/rest/users?username=testUser%40gmail.com

Here is my security config.

@Override
protected void configure(HttpSecurity http) throws Exception {
    if(environment == Environment.DEVELOPMENT) {
        http.authorizeRequests().antMatchers("/" + Constants.restApiUriPrefix + TestHelperController.uriExtension + "/**").permitAll();
    }
    http.csrf().disable(); //TODO Someday fix this and turn csrf back on safely
    http
        .httpBasic()
            .and()
        .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/" + Constants.restApiUriPrefix + UserController.uriExtension + "?username=**").permitAll()
            .antMatchers(HttpMethod.POST, "/" + Constants.restApiUriPrefix + UserController.uriExtension + "/").permitAll()
            .antMatchers(HttpMethod.POST, "/" + Constants.restApiUriPrefix + UserController.uriExtension).permitAll()
            .antMatchers("/" + Constants.restApiUriPrefix + "**").hasRole("USER");
}

I expect

.antMatchers(HttpMethod.GET, "/" + Constants.restApiUriPrefix + UserController.uriExtension + "?username=**").permitAll()

to match my request to discover a user by username to come through without being challenged for authentication, but I am.

I'm using Spring 4.0.2.RELEASE and Spring Security 3.2.0.RELEASE

Upvotes: 1

Views: 2551

Answers (1)

Jazzepi

Reputation: 5490

I was able to get it working with the following ant matcher.

.antMatchers(HttpMethod.GET, "/" + Constants.restApiUriPrefix + UserController.uriExtension + "*")
.permitAll()

Upvotes: 2
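
As an added example that is not part of the question or answer above: Spring Security compares Ant patterns with the request path only (the query string is excluded), and `?` in an Ant pattern is a single-character wildcard, so a rule that depends on the `username` parameter needs a `RequestMatcher` that inspects the request itself. `GetWithParamMatcher` is a hypothetical class name, and the import assumes the `org.springframework.security.web.util.matcher` package used by Spring Security 3.2.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Added example (hypothetical class, not from the original post).
 * Matches only GET requests to one exact path that carry a non-empty
 * query parameter, e.g. GET /rest/users?username=someone.
 *
 * Assumed wiring inside configure(HttpSecurity http), placed before the
 * hasRole("USER") rule because the first matching rule wins:
 *   .requestMatchers(new GetWithParamMatcher("/rest/users", "username")).permitAll()
 */
public class GetWithParamMatcher implements RequestMatcher {

    private final String path;       // exact path to permit, e.g. "/rest/users"
    private final String paramName;  // required parameter, e.g. "username"

    public GetWithParamMatcher(String path, String paramName) {
        this.path = path;
        this.paramName = paramName;
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        if (!"GET".equals(request.getMethod())) {
            return false;
        }
        // Rebuild the value Ant patterns are compared with:
        // servlet path plus path info, never the query string.
        String requestPath = request.getServletPath();
        if (request.getPathInfo() != null) {
            requestPath += request.getPathInfo();
        }
        // Exact comparison: "/rest/users/42" or "/rest/users-export" do not match.
        if (!path.equals(requestPath)) {
            return false;
        }
        // The parameter is checked here because a path pattern cannot express it.
        String value = request.getParameter(paramName);
        return value != null && !value.isEmpty();
    }
}
```

Compared with a trailing `*` pattern, this keeps a `GET` to `/rest/users` without a `username` parameter, and any other path in that segment that merely starts with `users`, behind the `hasRole("USER")` rule.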
