Reputation: 42967
I am studying Spring Security and I am having some difficulty understanding the intercept-url concept and answering this question that I found in my study material:
In which order do you have to write multiple intercept-url's?
So, in my study material, I found this practical example:

    <beans>
        <security:http>
            <security:intercept-url pattern="/accounts/edit*"
                access="ROLE_ADMIN" />
            <security:intercept-url pattern="/accounts/account*"
                access="ROLE_ADMIN,ROLE_USER" />
            <security:intercept-url pattern="/accounts/**"
                access="IS_AUTHENTICATED_FULLY" />
            <security:intercept-url pattern="/customers/**"
                access="IS_AUTHENTICATED_ANONYMOUSLY" />
        </security:http>
    </beans>
And it is specified that:
intercept-urls are evaluated in the order listed: first match is used, put specific matches first.
But what exactly does that mean?
So I know that the intercept-url's of the security namespace are used to define which URLs are to be secured (correct me if I am asserting the wrong thing).
So in the previous example these URLs are secured:
But what exactly do the following access roles represent?
For example, for the /accounts/edit* URL, access="ROLE_ADMIN" is specified
For the /accounts/account* URL, access="ROLE_ADMIN,ROLE_USER" is specified
and so on. What exactly does it mean? I think it means, but I am absolutely not sure about it, that if a user tries to access /accounts/edit* he has to be an administrator, whereas if he tries to access /accounts/account* he could be an administrator but also a normal user.
Is this interpretation correct or is it not correct?
If it is correct, how can I specify whether a user "belongs" to ROLE_ADMIN or ROLE_USER? What exactly do they represent and where are they defined?
And what exactly does it mean that intercept-urls are evaluated in the order listed: first match is used, put specific matches first?
Upvotes: 2
Views: 2792
Reputation: 1095
Roles can be defined by you arbitrarily and permission access set for each role as you like.
The intercept URLs need to be listed from most to least specific, because if you put the least specific one first, like this:
    pattern="/foo/bar/**"
    pattern="/foo/bar/baz*"
when someone navigates to /foo/bar/baz, the permission settings from /foo/bar will get applied, because it is matched first in the list of intercept URLs. This requires more effort on the part of the developer, but it is faster than matching the exact string over every URL in the list. Hope this helps.
Upvotes: 1
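As an added illustration (not code from the question, the answer, or Spring Security itself), the following Python script simulates how a list of intercept-url rules is evaluated: walk the list top to bottom, stop at the first pattern that matches the request path, and apply only that rule's access attribute. It loads the four rules from the question and the two patterns from the answer, and shows what happens when the answer's patterns are listed least-specific first. The Ant-pattern translation is a simplified model of Spring's path matcher (a single `*` stays within one path segment, a trailing `/**` matches the prefix and everything below it), the access values attached to the answer's `/foo/bar` patterns are invented for the demonstration, and the "no matching rule means no restriction" behaviour is an assumption of this model.

```python
import re

# The four intercept-url rules from the question's XML, as (pattern, access)
# pairs in the order they are listed. Constructed for this example.
RULES = [
    ("/accounts/edit*", "ROLE_ADMIN"),
    ("/accounts/account*", "ROLE_ADMIN,ROLE_USER"),
    ("/accounts/**", "IS_AUTHENTICATED_FULLY"),
    ("/customers/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
]

# The answer's two patterns, once least-specific first (the mistake it warns
# about) and once most-specific first. The access values are made up here.
LEAST_SPECIFIC_FIRST = [("/foo/bar/**", "ROLE_USER"), ("/foo/bar/baz*", "ROLE_ADMIN")]
MOST_SPECIFIC_FIRST = list(reversed(LEAST_SPECIFIC_FIRST))


def ant_to_regex(pattern: str) -> str:
    """Translate an Ant-style path pattern to an anchored regex.

    Simplified model of Spring's AntPathMatcher: a trailing '/**' matches the
    prefix itself and anything below it; '*' matches within one path segment
    and never crosses a '/'; '?' matches exactly one character.
    """
    if pattern.endswith("/**"):
        return "^" + re.escape(pattern[:-3]) + "(?:/.*)?$"
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return "^" + "".join(out) + "$"


def first_match(path, rules):
    """Return the first (pattern, access) whose pattern matches path, or None.

    This is the "evaluated in the order listed: first match is used" rule:
    once a pattern matches, the remaining rules are never consulted.
    """
    for pattern, access in rules:
        if re.match(ant_to_regex(pattern), path):
            return pattern, access
    return None


def is_allowed(access, roles, authenticated):
    """Evaluate one access attribute against the caller's granted roles.

    A comma-separated list of roles means holding any one of them is enough.
    """
    if access == "IS_AUTHENTICATED_ANONYMOUSLY":
        return True
    if access == "IS_AUTHENTICATED_FULLY":
        return authenticated
    required = {r.strip() for r in access.split(",")}
    return bool(required & set(roles))


def decide(path, rules, roles=(), authenticated=False):
    """Return (matched_pattern, allowed) for a request.

    Model assumption: with no matching rule the request is not intercepted,
    so it passes through unrestricted.
    """
    hit = first_match(path, rules)
    if hit is None:
        return None, True
    pattern, access = hit
    return pattern, is_allowed(access, roles, authenticated)


if __name__ == "__main__":
    admin = dict(roles={"ROLE_ADMIN"}, authenticated=True)
    user = dict(roles={"ROLE_USER"}, authenticated=True)
    for path in ["/accounts/edit", "/accounts/edit/42", "/accounts/account7", "/customers/list"]:
        print(path, decide(path, RULES, **admin), decide(path, RULES, **user), decide(path, RULES))
    # Shadowing: listed least-specific first, /foo/bar/** answers for /foo/bar/baz
    # and the ROLE_ADMIN rule below it is never reached.
    print("wrong order:", decide("/foo/bar/baz", LEAST_SPECIFIC_FIRST, **user))
    print("right order:", decide("/foo/bar/baz", MOST_SPECIFIC_FIRST, **user))
```

Two things the run makes visible. First, the shadowing the answer describes: with `/foo/bar/**` listed first, a user holding only ROLE_USER is admitted to `/foo/bar/baz`, because the more specific ROLE_ADMIN rule is never evaluated; swapping the order fixes it. Second, a caveat worth checking in any real configuration: `/accounts/edit*` matches `/accounts/edit` and `/accounts/edit123` but not `/accounts/edit/42`, since a single `*` does not cross a path separator, so that request falls through to the broader `/accounts/**` rule, which only requires an authenticated user.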