In Spring Security 6, the requestMatchers methods have replaced the deprecated antMatchers, mvcMatchers, and regexMatchers methods for configuring path-based access control. Here are the key points about the new requestMatchers:
The authorizeHttpRequests method in HttpSecurity configuration allows you to configure fine-grained request matching for access control. You can use the requestMatchers method to specify which requests should be permitted or authenticated. For example:
@Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { return http.authorizeHttpRequests(auth -> auth .requestMatchers("/greet").permitAll() .anyRequest().authenticated()) .formLogin() .build(); }
This configuration permits access to the /greet endpoint without authentication while requiring authentication for all other requests.
There are two similar methods: requestMatchers and securityMatchers. Both choose the most appropriate RequestMatcher implementation based on the presence of Spring MVC in the classpath:
The main difference is that securityMatchers is used in places like WebSecurityCustomizer, while requestMatchers is used in authorizeHttpRequests.
The requestMatchers methods allow you to match requests based on patterns or other criteria without relying on specific matchers like AntPathRequestMatcher or RegexRequestMatcher. This provides more flexibility and better defaults.
To use a specific matcher, you can pass a RequestMatcher implementation to the requestMatchers method:
@Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { return http.authorizeHttpRequests(auth -> auth .requestMatchers(new AntPathRequestMatcher("/greet")).permitAll() .anyRequest().authenticated()) .formLogin() .build(); }
In summary, the new requestMatchers methods in Spring Security 6 provide a more flexible and secure way to configure path-based access control, choosing the most appropriate RequestMatcher implementation based on the application's dependencies.
The above is the detailed content of New requestMatchers in Spring Security 6. For more information, please follow other related articles on the PHP Chinese website!