Use PathPatternRequestMatcher in docs
Issue gh-16886 Issue gh-16887
This commit is contained in:
Josh Cummings
@@ -128,7 +128,7 @@ This is helpful when, for example, wanting to run HTTP locally and HTTPS in prod
|
||||
Defines the `RequestMatcher` strategy used in the `FilterChainProxy` and the beans created by the `intercept-url` to match incoming requests.
|
||||
Options are currently `mvc`, `ant`, `regex` and `ciRegex`, for Spring MVC, ant, regular-expression and case-insensitive regular-expression respectively.
|
||||
A separate instance is created for each <<nsa-intercept-url,intercept-url>> element using its <<nsa-intercept-url-pattern,pattern>>, <<nsa-intercept-url-method,method>> and <<nsa-intercept-url-servlet-path,servlet-path>> attributes.
|
||||
Ant paths are matched using an `AntPathRequestMatcher`, regular expressions are matched using a `RegexRequestMatcher` and for Spring MVC path matching the `MvcRequestMatcher` is used.
|
||||
By default, paths are matched using a `PathPatternRequestMatcher`; however, regular expressions are matched using a `RegexRequestMatcher`.
|
||||
See the Javadoc for these classes for more details on exactly how the matching is performed.
|
||||
MVC is the default strategy if Spring MVC is present in the classpath, if not, Ant paths are used.
|
||||
|
||||
@@ -226,7 +226,8 @@ Defines a reference to a Spring bean of type `AccessDeniedHandler`.
|
||||
[[nsa-cors]]
|
||||
== <cors>
|
||||
This element allows for configuring a `CorsFilter`.
|
||||
If no `CorsFilter` or `CorsConfigurationSource` is specified and Spring MVC is on the classpath, a `HandlerMappingIntrospector` is used as the `CorsConfigurationSource`.
|
||||
Either a `CorsFilter` or a `CorsConfigurationSource` must be specified.
|
||||
If Spring MVC is present, then it will attempt to look up its `CorsConfigurationSource`.
|
||||
|
||||
[[nsa-cors-attributes]]
|
||||
=== <cors> Attributes
|
||||
|
||||
@@ -1084,7 +1084,7 @@ open class SecurityConfig {
|
||||
<3> Allow access to URLs that start with `/api/admin/` to users with the `ADMIN` role
|
||||
<4> Any other request that doesn't match the rules above, will require authentication
|
||||
|
||||
The `securityMatcher(s)` and `requestMatcher(s)` methods will decide which `RequestMatcher` implementation fits best for your application: If {spring-framework-reference-url}web.html#spring-web[Spring MVC] is in the classpath, then javadoc:org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher[] will be used, otherwise, javadoc:org.springframework.security.web.util.matcher.AntPathRequestMatcher[] will be used.
|
||||
The `securityMatcher(s)` and `requestMatcher(s)` methods will construct ``RequestMatcher``s using a javadoc:org.springframework.security.web.util.matcher.PathPatternRequestMatcher.Builder[] bean, if available.
|
||||
You can read more about the Spring MVC integration xref:servlet/integrations/mvc.adoc[here].
|
||||
|
||||
If you want to use a specific `RequestMatcher`, just pass an implementation to the `securityMatcher` and/or `requestMatcher` methods:
|
||||
@@ -1095,7 +1095,7 @@ Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher; <1>
|
||||
import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.withDefaults; <1>
|
||||
import static org.springframework.security.web.util.matcher.RegexRequestMatcher.regexMatcher;
|
||||
|
||||
@Configuration
|
||||
@@ -1107,7 +1107,7 @@ public class SecurityConfig {
|
||||
http
|
||||
.securityMatcher(antMatcher("/api/**")) <2>
|
||||
.authorizeHttpRequests((authorize) -> authorize
|
||||
.requestMatchers(antMatcher("/api/user/**")).hasRole("USER") <3>
|
||||
.requestMatchers(withDefaults().matcher("/api/user/**")).hasRole("USER") <3>
|
||||
.requestMatchers(regexMatcher("/api/admin/.*")).hasRole("ADMIN") <4>
|
||||
.requestMatchers(new MyCustomRequestMatcher()).hasRole("SUPERVISOR") <5>
|
||||
.anyRequest().authenticated()
|
||||
@@ -1130,7 +1130,7 @@ Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher <1>
|
||||
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.withDefaults <1>
|
||||
import org.springframework.security.web.util.matcher.RegexRequestMatcher.regexMatcher
|
||||
|
||||
@Configuration
|
||||
@@ -1142,7 +1142,7 @@ open class SecurityConfig {
|
||||
http {
|
||||
securityMatcher(antMatcher("/api/**")) <2>
|
||||
authorizeHttpRequests {
|
||||
authorize(antMatcher("/api/user/**"), hasRole("USER")) <3>
|
||||
authorize(withDefaults().matcher("/api/user/**"), hasRole("USER")) <3>
|
||||
authorize(regexMatcher("/api/admin/**"), hasRole("ADMIN")) <4>
|
||||
authorize(MyCustomRequestMatcher(), hasRole("SUPERVISOR")) <5>
|
||||
authorize(anyRequest, authenticated)
|
||||
@@ -1155,9 +1155,9 @@ open class SecurityConfig {
|
||||
----
|
||||
======
|
||||
|
||||
<1> Import the static factory methods from `AntPathRequestMatcher` and `RegexRequestMatcher` to create `RequestMatcher` instances.
|
||||
<2> Configure `HttpSecurity` to only be applied to URLs that start with `/api/`, using `AntPathRequestMatcher`
|
||||
<3> Allow access to URLs that start with `/api/user/` to users with the `USER` role, using `AntPathRequestMatcher`
|
||||
<1> Import the static factory methods from `PathPatternRequestMatcher` and `RegexRequestMatcher` to create `RequestMatcher` instances.
|
||||
<2> Configure `HttpSecurity` to only be applied to URLs that start with `/api/`, using `PathPatternRequestMatcher`
|
||||
<3> Allow access to URLs that start with `/api/user/` to users with the `USER` role, using `PathPatternRequestMatcher`
|
||||
<4> Allow access to URLs that start with `/api/admin/` to users with the `ADMIN` role, using `RegexRequestMatcher`
|
||||
<5> Allow access to URLs that match the `MyCustomRequestMatcher` to users with the `SUPERVISOR` role, using a custom `RequestMatcher`
|
||||
|
||||
|
||||
@@ -132,7 +132,7 @@ public class MvcWebApplicationInitializer extends
|
||||
----
|
||||
|
||||
The reason for this is that Spring Security needs to be able to inspect some Spring MVC configuration in order to appropriately configure xref:servlet/authorization/authorize-http-requests.adoc#authorizing-endpoints[underlying request matchers], so they need to be in the same application context.
|
||||
Placing Spring Security in `getRootConfigClasses` places it into a parent application context that may not be able to find Spring MVC's `HandlerMappingIntrospector`.
|
||||
Placing Spring Security in `getRootConfigClasses` places it into a parent application context that may not be able to find Spring MVC's `PathPatternParser`.
|
||||
|
||||
==== Configuring for Multiple Spring MVC Dispatchers
|
||||
|
||||
|
||||
@@ -1276,7 +1276,7 @@ XML::
|
||||
<b:constructor-arg value="#{T(org.springframework.security.web.csrf.CsrfFilter).DEFAULT_CSRF_MATCHER}"/>
|
||||
<b:constructor-arg>
|
||||
<b:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
|
||||
<b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<b:bean class="org.springframework.security.config.http.PathPatternRequestMatcherFactoryBean">
|
||||
<b:constructor-arg value="/api/*"/>
|
||||
</b:bean>
|
||||
</b:bean>
|
||||
@@ -1387,7 +1387,7 @@ public class SecurityConfig {
|
||||
http
|
||||
// ...
|
||||
.logout((logout) -> logout
|
||||
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
|
||||
.logoutRequestMatcher(PathPatternRequestMatcher.withDefaults().matcher("/logout"))
|
||||
);
|
||||
return http.build();
|
||||
}
|
||||
@@ -1409,7 +1409,7 @@ class SecurityConfig {
|
||||
http {
|
||||
// ...
|
||||
logout {
|
||||
logoutRequestMatcher = AntPathRequestMatcher("/logout")
|
||||
logoutRequestMatcher = PathPatternRequestMatcher.withDefaults().matcher("/logout")
|
||||
}
|
||||
}
|
||||
return http.build()
|
||||
|
||||
@@ -24,7 +24,7 @@ It is, therefore, essential that a `FilterChainProxy` is used to manage the secu
|
||||
Note that the `servletPath` and `pathInfo` values are decoded by the container, so your application should not have any valid paths that contain semi-colons, as these parts are removed for matching purposes.
|
||||
|
||||
As mentioned earlier, the default strategy is to use Ant-style paths for matching, and this is likely to be the best choice for most users.
|
||||
The strategy is implemented in the class `AntPathRequestMatcher`, which uses Spring's `AntPathMatcher` to perform a case-insensitive match of the pattern against the concatenated `servletPath` and `pathInfo`, ignoring the `queryString`.
|
||||
The strategy is implemented in the class `PathPatternRequestMatcher`, which uses Spring's `PathPattern` to perform a case-insensitive match of the pattern against the concatenated `servletPath` and `pathInfo`, ignoring the `queryString`.
|
||||
|
||||
If you need a more powerful matching strategy, you can use regular expressions.
|
||||
The strategy implementation is then `RegexRequestMatcher`.
|
||||
|
||||
@@ -1218,7 +1218,7 @@ public class WebSecurityConfig {
|
||||
|
||||
@Bean
|
||||
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
RequestMatcher matcher = new AntPathRequestMatcher("/login");
|
||||
RequestMatcher matcher = PathPatternRequestMatcher.withDefaults().matcher("/login");
|
||||
DelegatingRequestMatcherHeaderWriter headerWriter =
|
||||
new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter());
|
||||
http
|
||||
@@ -1248,7 +1248,7 @@ XML::
|
||||
<beans:bean id="headerWriter"
|
||||
class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
|
||||
<beans:constructor-arg>
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"
|
||||
<bean class="org.springframework.security.config.http.PathPatternRequestMatcherFactoryBean"
|
||||
c:pattern="/login"/>
|
||||
</beans:constructor-arg>
|
||||
<beans:constructor-arg>
|
||||
@@ -1268,7 +1268,7 @@ class SecurityConfig {
|
||||
|
||||
@Bean
|
||||
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||
val matcher: RequestMatcher = AntPathRequestMatcher("/login")
|
||||
val matcher: RequestMatcher = PathPatternRequestMatcher.withDefaults().matcher("/login")
|
||||
val headerWriter = DelegatingRequestMatcherHeaderWriter(matcher, XFrameOptionsHeaderWriter())
|
||||
http {
|
||||
headers {
|
||||
|
||||
@@ -698,7 +698,7 @@ If we use XML-based configuration, we can use thexref:servlet/appendix/namespace
|
||||
<b:constructor-arg value="#{T(org.springframework.security.web.csrf.CsrfFilter).DEFAULT_CSRF_MATCHER}"/>
|
||||
<b:constructor-arg>
|
||||
<b:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
|
||||
<b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<b:bean class="org.springframework.security.config.http.PathPatternRequestMatcherFactoryBean">
|
||||
<b:constructor-arg value="/chat/**"/>
|
||||
</b:bean>
|
||||
</b:bean>
|
||||
|
||||
Reference in New Issue
Block a user