Class AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.AuthorizationManagerServletRequestMatcherRegistry
RequestMatcher
instances based on the
type of servlet. If the servlet is DispatcherServlet
, then it will use
a MvcRequestMatcher
; otherwise, it will use a
AntPathRequestMatcher
.
This class is designed primarily for use with the HttpSecurity
DSL. For
that reason, please use HttpSecurity.authorizeHttpRequests()
instead as
it exposes this class fluently alongside related DSL configurations.
NOTE: In many cases, which kind of request matcher is needed is apparent by the
servlet configuration, and so you should generally use the methods found in
AbstractRequestMatcherRegistry
instead of this these. Use this class
when you want or need to indicate which request matcher URIs belong to which
servlet.
In all cases, though, you may arrange your request matchers by servlet pattern
with the AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.forServletPattern(java.lang.String, org.springframework.security.config.Customizer<org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.AuthorizationManagerServletRequestMatcherRegistry>)
method in the HttpSecurity.authorizeHttpRequests()
DSL.
Consider, for example, the circumstance where you have Spring MVC configured
and also Spring Boot H2 Console. Spring MVC registers a servlet of type
DispatcherServlet
as the default servlet and Spring Boot registers a
servlet of its own as well at `/h2-console/*`.
Such might have a configuration like this in Spring Security:
http
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/js/**", "/css/**").permitAll()
.requestMatchers("/my/controller/**").hasAuthority("CONTROLLER")
.requestMatchers("/h2-console/**").hasAuthority("H2")
)
// ...
Spring Security by default addresses the above configuration on its own.
However, consider the same situation, but where DispatcherServlet
is
mapped to a path like `/mvc/*`. In this case, the above configuration is
ambiguous, and you should use this class to clarify the rest of each MVC URI
like so:
http
.authorizeHttpRequests((authorize) -> authorize
.forServletPattern("/", (root) -> root
.requestMatchers("/js/**", "/css/**").permitAll()
)
.forServletPattern("/mvc/*", (mvc) -> mvc
.requestMatchers("/my/controller/**").hasAuthority("CONTROLLER")
)
.forServletPattern("/h2-console/*", (h2) -> h2
.anyRequest().hasAuthority("OTHER")
)
)
// ...
In the above configuration, it's now clear to Spring Security that the following matchers map to these corresponding URIs:
- <default> + `/js/**` ==> `/js/**`
- <default> + `/css/**` ==> `/css/**`
- `/mvc` + `/my/controller/**` ==> `/mvc/my/controller/**`
- `/h2-console` + <any request> ==> `/h2-console/**`
- Since:
- 6.2
- See Also:
-
Method Summary
Modifier and TypeMethodDescriptionprotected AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl
chainRequestMatchers
(List<RequestMatcher> requestMatchers) Subclasses should implement this method for returning the object that is chained to the creation of theRequestMatcher
instances.final AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl
requestMatchers
(String... patterns) If theHandlerMappingIntrospector
is available in the classpath, maps to anMvcRequestMatcher
that does not care whichHttpMethod
is used.final AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl
requestMatchers
(org.springframework.http.HttpMethod method) If theHandlerMappingIntrospector
is available in the classpath, maps to anMvcRequestMatcher
that matches on a specificHttpMethod
.final AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl
requestMatchers
(org.springframework.http.HttpMethod method, String... patterns) If theHandlerMappingIntrospector
is available in the classpath, maps to anMvcRequestMatcher
that also specifies a specificHttpMethod
to match on.Methods inherited from class org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry
anyRequest, createMvcMatchers, dispatcherTypeMatchers, dispatcherTypeMatchers, getApplicationContext, requestMatchers, setApplicationContext
-
Method Details
-
chainRequestMatchers
protected AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl chainRequestMatchers(List<RequestMatcher> requestMatchers) Description copied from class:AbstractRequestMatcherRegistry
Subclasses should implement this method for returning the object that is chained to the creation of theRequestMatcher
instances.- Specified by:
chainRequestMatchers
in classAbstractRequestMatcherRegistry<AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder<H>>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl>
- Parameters:
requestMatchers
- theRequestMatcher
instances that were created- Returns:
- the chained Object for the subclass which allows association of something
else to the
RequestMatcher
-
requestMatchers
public final AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl requestMatchers(String... patterns) Description copied from class:AbstractRequestMatcherRegistry
If the
HandlerMappingIntrospector
is available in the classpath, maps to anMvcRequestMatcher
that does not care whichHttpMethod
is used. This matcher will use the same rules that Spring MVC uses for matching. For example, often times a mapping of the path "/path" will match on "/path", "/path/", "/path.html", etc. If theHandlerMappingIntrospector
is not available, maps to anAntPathRequestMatcher
.If a specific
RequestMatcher
must be specified, useAbstractRequestMatcherRegistry.requestMatchers(RequestMatcher...)
instead- Overrides:
requestMatchers
in classAbstractRequestMatcherRegistry<C>
- Parameters:
patterns
- the patterns to match on. The rules for matching are defined by Spring MVC ifMvcRequestMatcher
is used- Returns:
- the object that is chained after creating the
RequestMatcher
.
-
requestMatchers
public final AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl requestMatchers(org.springframework.http.HttpMethod method, String... patterns) Description copied from class:AbstractRequestMatcherRegistry
If the
HandlerMappingIntrospector
is available in the classpath, maps to anMvcRequestMatcher
that also specifies a specificHttpMethod
to match on. This matcher will use the same rules that Spring MVC uses for matching. For example, often times a mapping of the path "/path" will match on "/path", "/path/", "/path.html", etc. If theHandlerMappingIntrospector
is not available, maps to anAntPathRequestMatcher
.If a specific
RequestMatcher
must be specified, useAbstractRequestMatcherRegistry.requestMatchers(RequestMatcher...)
instead- Overrides:
requestMatchers
in classAbstractRequestMatcherRegistry<C>
- Parameters:
method
- theHttpMethod
to use ornull
for anyHttpMethod
.patterns
- the patterns to match on. The rules for matching are defined by Spring MVC ifMvcRequestMatcher
is used- Returns:
- the object that is chained after creating the
RequestMatcher
.
-
requestMatchers
public final AuthorizeHttpRequestsConfigurer<H>.AuthorizationManagerRequestMatcherRegistry.ServletAuthorizedUrl requestMatchers(org.springframework.http.HttpMethod method) Description copied from class:AbstractRequestMatcherRegistry
If the
HandlerMappingIntrospector
is available in the classpath, maps to anMvcRequestMatcher
that matches on a specificHttpMethod
. This matcher will use the same rules that Spring MVC uses for matching. For example, often times a mapping of the path "/path" will match on "/path", "/path/", "/path.html", etc. If theHandlerMappingIntrospector
is not available, maps to anAntPathRequestMatcher
.If a specific
RequestMatcher
must be specified, useAbstractRequestMatcherRegistry.requestMatchers(RequestMatcher...)
instead- Overrides:
requestMatchers
in classAbstractRequestMatcherRegistry<C>
- Parameters:
method
- theHttpMethod
to use ornull
for anyHttpMethod
.- Returns:
- the object that is chained after creating the
RequestMatcher
.
-