Reputation: 15
I am trying to configure the security of a new Spring web application to check requests done against some of my URLs. Since none of the built-in expressions were valid for my logic, I decided to write my own, but it is not working at all.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers().cacheControl();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/**/actuator/**").permitAll()
                .antMatchers("/**/instances/**").permitAll()
                // Custom expression to check against
                .antMatchers("/(?!login|user-profiles)/**").access("@checkAccess.hasRoleSelected()")
                .anyRequest().authenticated()
            .and()
            .httpBasic().disable()
            .addFilterBefore(new JWTLoginFilter(jwtConfig.getUri(), authenticationManager(), tokenService), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(new JwtTokenAuthenticationFilter(tokenService), UsernamePasswordAuthenticationFilter.class);
    }

    @Service
    public class CheckAccess {
        public boolean hasRoleSelected() {
            return true;
        }
    }

As you can see in the documentation, to get this done you need a bean with a method returning a boolean value. While I do have both, the method is never called and no error is thrown.
What am I missing?
Btw, I am running version 5.2.2 of Spring Security.
Upvotes: 0
Views: 219
Reputation: 3724
Your antMatcher is invalid.

    .antMatchers("/(?!login|user-profiles)/**").

Have a look at the allowed patterns in the AntPathMatcher doc.
It is basically, "?", "*" and "**".
You might want to give the regexMatcher a try, instead.
Upvotes: 1
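
An added example, not part of either post above: Ant patterns treat `(?!login|user-profiles)` as literal text (only `?`, `*` and `**` are special), so the rule in the question never matches a real path. When moving to a regex matcher, the lookahead also needs a boundary, otherwise every path that merely starts with an excluded name skips the role check. The class name, the `STRICT` pattern and the sample URLs are constructed for this illustration; it uses only `java.util.regex`.

```java
import java.util.regex.Pattern;

public class RoleCheckPathDemo {
    // Direct regex translation of the question's intent. It exempts anything
    // that merely STARTS with "login" or "user-profiles".
    static final Pattern LOOSE = Pattern.compile("/(?!login|user-profiles).*");

    // Anchored variant (an assumption of this example, not from the posts):
    // the excluded name must be followed by '/', '?' or the end of the string.
    static final Pattern STRICT =
            Pattern.compile("/(?!(?:login|user-profiles)(?:[/?]|$)).*");

    // Spring Security's RegexRequestMatcher requires the whole URL (path plus
    // "?query" when present) to match, so matches() is used rather than find().
    static boolean needsRoleCheck(Pattern pattern, String url) {
        return pattern.matcher(url).matches();
    }

    public static void main(String[] args) {
        // Constructed sample URLs.
        String[] urls = {
            "/login",
            "/login?next=/orders",
            "/user-profiles/42",
            "/orders/7",
            "/login-history",
            "/user-profiles-export"
        };
        System.out.printf("%-24s %-6s %s%n", "url", "loose", "strict");
        for (String url : urls) {
            System.out.printf("%-24s %-6b %b%n", url,
                    needsRoleCheck(LOOSE, url), needsRoleCheck(STRICT, url));
        }
        // Wiring the anchored pattern into the configure() method from the question:
        //   .regexMatchers("/(?!(?:login|user-profiles)(?:[/?]|$)).*")
        //       .access("@checkAccess.hasRoleSelected()")
    }
}
```

With the loose pattern, `/login-history` and `/user-profiles-export` fall through to `anyRequest().authenticated()` and are never passed to `hasRoleSelected()`; the anchored pattern sends both through the custom check.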