How to apply Spring Security AntMatchers pattern only to url with pathVariable

Question

I am using Spring boot and WebSecurityConfigurerAdapter to configure security.

Method to configure ignored security antMatches looks like this:

    @Override
    public void configure(final WebSecurity web) {
        web
           .ignoring()
           .antMatchers("/items")
           .antMatchers("/items/{itemId}")

where {itemId} is in UUID format

The issues is that with this configuration endpoints like/items/report, /items/images are also opened, but they should not.

Is there a way to apply ignoring rule only to uri with path variables ?

Answer 1

According to the documentation for AntPathMatcher, you need to specify the path variable with the regex as per documentation:

{spring:[a-z]+} matches the regexp [a-z]+ as a path variable named "spring".

In your case it will be:

@Override
    public void configure(final WebSecurity web) {
        web
           .ignoring()
           .antMatchers("/items/{itemId:[\\d+]}")

Answer 2

You can use @preAuthorize annotation on the handler method for that url in the controller or check out this link https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/el-access.html

Answer 3

You can try this, d represent itemId

antMatchers("/items/{\\d+}").access("hasAnyAuthority('ROLE')")

if you want to give permit all

antMatchers("/items/**").permitAll()

Answer 4

For more sophisticated matching, than an Ant pattern can do, use method based security on your controller or (better) service layer methods.