Package org.springframework.security.config.annotation.web.configurers

Class AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.AuthorizationManagerServletRequestMatcherRegistry

java.lang.Object

org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry<C>

org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.AuthorizationManagerServletRequestMatcherRegistry

Enclosing class:

AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry

public final class AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.AuthorizationManagerServletRequestMatcherRegistry
extends AbstractRequestMatcherRegistry<C>

A decorator class for registering RequestMatcher instances based on the type of servlet. If the servlet is DispatcherServlet, then it will use a MvcRequestMatcher; otherwise, it will use a AntPathRequestMatcher.

This class is designed primarily for use with the HttpSecurity DSL. For that reason, please use HttpSecurity.authorizeHttpRequests() instead as it exposes this class fluently alongside related DSL configurations.

NOTE: In many cases, which kind of request matcher is needed is apparent by the servlet configuration, and so you should generally use the methods found in AbstractRequestMatcherRegistry instead of this these. Use this class when you want or need to indicate which request matcher URIs belong to which servlet.

In all cases, though, you may arrange your request matchers by servlet pattern with the AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.forServletPattern(java.lang.String, org.springframework.security.config.Customizer<org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.AuthorizationManagerServletRequestMatcherRegistry>) method in the HttpSecurity.authorizeHttpRequests() DSL.

Consider, for example, the circumstance where you have Spring MVC configured and also Spring Boot H2 Console. Spring MVC registers a servlet of type DispatcherServlet as the default servlet and Spring Boot registers a servlet of its own as well at `/h2-console/*`.

Such might have a configuration like this in Spring Security: http .authorizeHttpRequests((authorize) -> authorize .requestMatchers("/js/**", "/css/**").permitAll() .requestMatchers("/my/controller/**").hasAuthority("CONTROLLER") .requestMatchers("/h2-console/**").hasAuthority("H2") ) // ...

Spring Security by default addresses the above configuration on its own.

However, consider the same situation, but where DispatcherServlet is mapped to a path like `/mvc/*`. In this case, the above configuration is ambiguous, and you should use this class to clarify the rest of each MVC URI like so: http .authorizeHttpRequests((authorize) -> authorize .forServletPattern("/", (root) -> root .requestMatchers("/js/**", "/css/**").permitAll() ) .forServletPattern("/mvc/*", (mvc) -> mvc .requestMatchers("/my/controller/**").hasAuthority("CONTROLLER") ) .forServletPattern("/h2-console/*", (h2) -> h2 .anyRequest().hasAuthority("OTHER") ) ) // ...

In the above configuration, it's now clear to Spring Security that the following matchers map to these corresponding URIs:

• <default> + `/js/**` ==> `/js/**`
• <default> + `/css/**` ==> `/css/**`
• `/mvc` + `/my/controller/**` ==> `/mvc/my/controller/**`
• `/h2-console` + <any request> ==> `/h2-console/**`

Since:

6.2

See Also:

• AbstractRequestMatcherRegistry
• AuthorizeHttpRequestsConfigurer

Method Summary

Modifier and Type	Method	Description
protected AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl	chainRequestMatchers(List<RequestMatcher> requestMatchers)	Subclasses should implement this method for returning the object that is chained to the creation of the RequestMatcher instances.
final AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl	requestMatchers(String... patterns)	If the HandlerMappingIntrospector is available in the classpath, maps to an MvcRequestMatcher that does not care which HttpMethod is used.
final AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl	requestMatchers(org.springframework.http.HttpMethod method)	If the HandlerMappingIntrospector is available in the classpath, maps to an MvcRequestMatcher that matches on a specific HttpMethod.
final AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl	requestMatchers(org.springframework.http.HttpMethod method, String... patterns)	If the HandlerMappingIntrospector is available in the classpath, maps to an MvcRequestMatcher that also specifies a specific HttpMethod to match on.

Methods inherited from class org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry

anyRequest, createMvcMatchers, dispatcherTypeMatchers, dispatcherTypeMatchers, getApplicationContext, requestMatchers, setApplicationContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

chainRequestMatchers

protected AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl chainRequestMatchers(List<RequestMatcher> requestMatchers)

Description copied from class: AbstractRequestMatcherRegistry

Subclasses should implement this method for returning the object that is chained to the creation of the RequestMatcher instances.

Specified by:

chainRequestMatchers in class AbstractRequestMatcherRegistry<AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder<H>>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl>

Parameters:

requestMatchers - the RequestMatcher instances that were created

Returns:

the chained Object for the subclass which allows association of something else to the RequestMatcher

requestMatchers

public final AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl requestMatchers(String... patterns)

Description copied from class: AbstractRequestMatcherRegistry

If the HandlerMappingIntrospector is available in the classpath, maps to an MvcRequestMatcher that does not care which HttpMethod is used. This matcher will use the same rules that Spring MVC uses for matching. For example, often times a mapping of the path "/path" will match on "/path", "/path/", "/path.html", etc. If the HandlerMappingIntrospector is not available, maps to an AntPathRequestMatcher.

If a specific RequestMatcher must be specified, use AbstractRequestMatcherRegistry.requestMatchers(RequestMatcher...) instead

Overrides:

requestMatchers in class AbstractRequestMatcherRegistry<C>

Parameters:

patterns - the patterns to match on. The rules for matching are defined by Spring MVC if MvcRequestMatcher is used

Returns:

the object that is chained after creating the RequestMatcher.

requestMatchers

public final AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl requestMatchers(org.springframework.http.HttpMethod method,
 String... patterns)

Description copied from class: AbstractRequestMatcherRegistry

If the HandlerMappingIntrospector is available in the classpath, maps to an MvcRequestMatcher that also specifies a specific HttpMethod to match on. This matcher will use the same rules that Spring MVC uses for matching. For example, often times a mapping of the path "/path" will match on "/path", "/path/", "/path.html", etc. If the HandlerMappingIntrospector is not available, maps to an AntPathRequestMatcher.

If a specific RequestMatcher must be specified, use AbstractRequestMatcherRegistry.requestMatchers(RequestMatcher...) instead

Overrides:

requestMatchers in class AbstractRequestMatcherRegistry<C>

Parameters:

method - the HttpMethod to use or null for any HttpMethod.

patterns - the patterns to match on. The rules for matching are defined by Spring MVC if MvcRequestMatcher is used

Returns:

the object that is chained after creating the RequestMatcher.

requestMatchers

public final AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl requestMatchers(org.springframework.http.HttpMethod method)

Description copied from class: AbstractRequestMatcherRegistry

If the HandlerMappingIntrospector is available in the classpath, maps to an MvcRequestMatcher that matches on a specific HttpMethod. This matcher will use the same rules that Spring MVC uses for matching. For example, often times a mapping of the path "/path" will match on "/path", "/path/", "/path.html", etc. If the HandlerMappingIntrospector is not available, maps to an AntPathRequestMatcher.

If a specific RequestMatcher must be specified, use AbstractRequestMatcherRegistry.requestMatchers(RequestMatcher...) instead

Overrides:

requestMatchers in class AbstractRequestMatcherRegistry<C>

Parameters:

method - the HttpMethod to use or null for any HttpMethod.

Returns:

the object that is chained after creating the RequestMatcher.