Cannot resolve method 'antMatchers()' in AuthorizationManagerRequestMatcherRegistry

Question

I am currently following the Spring Documentation and some tutorials on Web Security. But now I have a problem, that I can't call the method antMatchers. This is the error I'm getting when building the project:

java: cannot find symbol
  symbol:   method antMatchers(java.lang.String)
  location: variable requests of type org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>.AuthorizationManagerRequestMatcherRegistry

In terms of my understanding, I should be able to use this method, so I can permit or not permit HTTP Requests to a certain URL. So my question is, why can't I use the antMatchers() method?

SecurityConfiguration class:

package de.gabriel.vertretungsplan.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests((requests) -> requests
                        .antMatchers("/vertretungsplan").hasAnyRole("SCHUELER", "LEHRER", "VERWALTUNG")
                        .anyRequest().authenticated()
                )
                .formLogin((form) -> form
                        .loginPage("/login")
                        .permitAll()
                )
                .logout((logout) -> logout.permitAll());

        return http.build();
    }

}

pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.0.0</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>de.gabriel</groupId>
    <artifactId>vertretungsplan</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>vertretungsplan</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>17</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>com.mysql</groupId>
            <artifactId>mysql-connector-j</artifactId>
            <scope>runtime</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

Answer 1

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .antMatchers("/user/**").hasRole("USER")
            .antMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
            .formLogin(withDefaults());

    return http.build();
}

Answer 2

the best solution is here:

https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html

and second one additiona informationa are here as well: https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

Answer 3

RequestMatcher works if you are talking about requests, but if you used antMatchers before the authorizeHttpRequests now you need to use .securityMatcher

Like this:

    http
    .securityMatcher("/api/**", "/app/**")
    .authorizeHttpRequests((authz) -> authz
        .requestMatchers("/api/admin/**").hasRole("ADMIN")
        .anyRequest().authenticated()
    );

See more in spring documentation: Spring Documentation

Leaving this awnser here because this was the solution I needed.

Answer 4

In antMatchers() (as well as mvcMathcers() and regexMatchers()) have been deprecated and removed with Spring Security 6.0. Thus, you can't use them in a Spring Boot 3 project.

Have a look at this link if you wonder what was the rationale behind this change: Deprecate trailing slash match.

Overloaded method requestMatchers() was provided as a uniform mean for securing requests. It facilitates all the functionality of the configuration methods that have been removed from the API.

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(requests -> requests
            .requestMatchers("/vertretungsplan").hasAnyRole("SCHUELER", "LEHRER", "VERWALTUNG")
            .anyRequest().authenticated()
        )
        .formLogin(form -> form
            .loginPage("/login")
            .permitAll()
        )
        .logout(logout -> logout
            .permitAll());
    
    return http.build();
}

Answer 5

.requestMatchers("/assets/**").permitAll()

works for me But make sure you check your link is the same with where you insert

for example

If you use:
  <link href="assets/css/style.css" rel="stylesheet">
  
Here you need to use:
  .requestMatchers("/assets/**").permitAll()
  
If you use:
  <link href="resources/**" rel="stylesheet">
  
Here you need to use:
  .requestMatchers("/resources/**").permitAll()