Class AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.AuthorizationManagerServletRequestMatcherRegistry

java.lang.Object
org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry<C>
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.AuthorizationManagerServletRequestMatcherRegistry
Enclosing class:
AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry

public final class AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.AuthorizationManagerServletRequestMatcherRegistry extends AbstractRequestMatcherRegistry<C>
A decorator class for registering RequestMatcher instances based on the type of servlet. If the servlet is DispatcherServlet, then it will use a MvcRequestMatcher; otherwise, it will use a AntPathRequestMatcher.

This class is designed primarily for use with the HttpSecurity DSL. For that reason, please use HttpSecurity.authorizeHttpRequests() instead as it exposes this class fluently alongside related DSL configurations.

NOTE: In many cases, which kind of request matcher is needed is apparent by the servlet configuration, and so you should generally use the methods found in AbstractRequestMatcherRegistry instead of this these. Use this class when you want or need to indicate which request matcher URIs belong to which servlet.

In all cases, though, you may arrange your request matchers by servlet pattern with the AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.forServletPattern(java.lang.String, org.springframework.security.config.Customizer<org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.AuthorizationManagerServletRequestMatcherRegistry>) method in the HttpSecurity.authorizeHttpRequests() DSL.

Consider, for example, the circumstance where you have Spring MVC configured and also Spring Boot H2 Console. Spring MVC registers a servlet of type DispatcherServlet as the default servlet and Spring Boot registers a servlet of its own as well at `/h2-console/*`.

Such might have a configuration like this in Spring Security: http .authorizeHttpRequests((authorize) -> authorize .requestMatchers("/js/**", "/css/**").permitAll() .requestMatchers("/my/controller/**").hasAuthority("CONTROLLER") .requestMatchers("/h2-console/**").hasAuthority("H2") ) // ...

Spring Security by default addresses the above configuration on its own.

However, consider the same situation, but where DispatcherServlet is mapped to a path like `/mvc/*`. In this case, the above configuration is ambiguous, and you should use this class to clarify the rest of each MVC URI like so: http .authorizeHttpRequests((authorize) -> authorize .forServletPattern("/", (root) -> root .requestMatchers("/js/**", "/css/**").permitAll() ) .forServletPattern("/mvc/*", (mvc) -> mvc .requestMatchers("/my/controller/**").hasAuthority("CONTROLLER") ) .forServletPattern("/h2-console/*", (h2) -> h2 .anyRequest().hasAuthority("OTHER") ) ) // ...

In the above configuration, it's now clear to Spring Security that the following matchers map to these corresponding URIs:

  • <default> + `/js/**` ==> `/js/**`
  • <default> + `/css/**` ==> `/css/**`
  • `/mvc` + `/my/controller/**` ==> `/mvc/my/controller/**`
  • `/h2-console` + <any request> ==> `/h2-console/**`
Since:
6.2
See Also: