Yusufu

Reputation: 115

Spring Security architecture: filter chain and request matcher

I have been reading the Spring Security docs, which are from here. There is an example:

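import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
public class ApplicationConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Request matcher for the whole filter chain
        http.antMatcher("/foo/**")
            .authorizeRequests()
                // Access rules, evaluated in order
                .antMatchers("/foo/bar").hasRole("BAR")
                .antMatchers("/foo/spam").hasRole("SPAM")
                .anyRequest().authenticated();
    }
}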

And it says

One of the easiest mistakes to make with configuring Spring Security is to forget that these matchers apply to different processes, one is a request matcher for the whole filter chain, and the other is only to choose the access rule to apply.

I want to learn what it is that one forgets. I couldn't understand the relation between the filter chain and the request matcher.

Upvotes: 0

Views: 770

Answers (1)

Marco Behler

Reputation: 3724

It is a very convoluted way to say:

  1. .anyRequest().authenticated(); makes sure that to access any URL in your application, a user needs to be authenticated.
  2. In addition, the two ant matchers are simply checking the needed roles (=access rules), in addition to the user being authenticated.

The paragraph is badly written, imho.

Upvotes: 2
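
The two matching stages that the quoted documentation paragraph distinguishes, as an added example that is not part of the original question or answer and is not Spring Security's own code: a simplified plain-Java model (Java 16+) in which the chain-level matcher (`antMatcher("/foo/**")`) first decides whether the chain handles a request at all, and only then are the access-rule matchers consulted. The `Chain` record, the `matches` and `decide` helpers, the fallback chain and the sample paths are hypothetical and constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Simplified model of the two matching stages; not Spring Security's implementation.
public class TwoStageMatching {
    // Minimal ant-style match: "/x/**" covers /x and everything below it,
    // "/**" covers every path, any other pattern must match exactly.
    static boolean matches(String pattern, String path) {
        if (pattern.equals("/**")) return true;
        if (pattern.endsWith("/**")) {
            String base = pattern.substring(0, pattern.length() - 3);
            return path.equals(base) || path.startsWith(base + "/");
        }
        return pattern.equals(path);
    }

    // One filter chain: a chain-level request matcher plus ordered access rules.
    record Chain(String name, String chainPattern, Map<String, String> rules) {}

    // Stage 1: the first chain whose request matcher fits owns the request.
    // Stage 2: inside that chain only, the first matching access rule decides.
    static String decide(List<Chain> chains, String path) {
        for (Chain chain : chains) {
            if (!matches(chain.chainPattern(), path)) continue;
            for (Map.Entry<String, String> rule : chain.rules().entrySet()) {
                if (matches(rule.getKey(), path)) {
                    return chain.name() + " -> " + rule.getValue();
                }
            }
            return chain.name() + " -> no access rule matched";
        }
        return "no chain matched";
    }

    public static void main(String[] args) {
        Map<String, String> fooRules = new LinkedHashMap<>();
        fooRules.put("/foo/bar", "hasRole(BAR)");
        fooRules.put("/foo/spam", "hasRole(SPAM)");
        fooRules.put("/**", "authenticated");      // models anyRequest()
        // Hypothetical second chain standing in for the rest of the application.
        Map<String, String> fallbackRules = new LinkedHashMap<>();
        fallbackRules.put("/**", "rules of the fallback chain");
        List<Chain> chains = List.of(
                new Chain("fooChain", "/foo/**", fooRules),
                new Chain("fallbackChain", "/**", fallbackRules));
        for (String path : List.of("/foo/bar", "/foo/other", "/admin")) {
            System.out.println(path + " : " + decide(chains, path));
        }
    }
}
```

With these constructed inputs, `/admin` never reaches `fooChain`, so that chain's `anyRequest()` rule says nothing about paths outside `/foo/**`; what protects them depends on which other chains are configured.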