- Hands-On Spring Security 5 for Reactive Applications
- Tomcy John
- 2021-07-23 18:59:24
Web URL
Spring Security can be used to set up URL-based authorization. The HttpSecurity object in the Spring Security configuration is used to achieve the desired authorization. Many of the examples we have gone through so far use pattern-matching authorization. The request matchers available for this are as follows:
- AntPathRequestMatcher: Uses an Ant-style pattern for URL matching:
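```java
http
    // Scope this HttpSecurity configuration to requests under /rest
    .antMatcher("/rest/**")
    .httpBasic()
        .disable()
    .authorizeRequests()
        // hasRole() adds the "ROLE_" prefix itself, so pass the bare role name
        .antMatchers("/rest/movie/**", "/rest/ticket/**", "/index")
            .hasRole("USER");
```
In the preceding code snippet, basic authentication is disabled for the /rest URLs, and for the listed URLs (/rest/movie, /rest/ticket, and /index), users with the USER role have access. The snippet also shows a single match (using antMatcher) and multiple matches (using antMatchers). Note that antMatcher("/rest/**") limits this configuration to requests under /rest, so the /index pattern is never evaluated by this filter chain.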
- MvcRequestMatcher: This uses Spring MVC to match the path and then extracts variables. The matching is relative to the servlet path.
- RegexRequestMatcher: This uses a regular expression to match the URL. It can also be used to match the HTTP method, if needed. The matching is case-sensitive, and the pattern is applied to the string formed as (servletPath + pathInfo + queryString):
```java
http
    .authorizeRequests()
        // Rules are evaluated in declaration order; the first matching rule applies
        .regexMatchers("^((?!(/rest|/advSearch)).)*$").hasRole("ADMIN")
        // The role name is a string literal inside the SpEL expression, so it is quoted
        .regexMatchers("^((?!(/rest|/basicSearch)).)*$").access("hasRole('USER')")
        .anyRequest()
            .authenticated()
    .and()
    .httpBasic();
```
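The rule order and the matched string described above can be checked without a running application. The following is an added example, not code from the book: it uses plain java.util.regex rather than Spring's RegexRequestMatcher, the class and method names are hypothetical, and the sample requests are constructed.

```java
import java.util.regex.Pattern;

public class RegexRuleOrderDemo {
    // The two patterns from the snippet above, in declaration order.
    static final Pattern[] PATTERNS = {
        Pattern.compile("^((?!(/rest|/advSearch)).)*$"),
        Pattern.compile("^((?!(/rest|/basicSearch)).)*$"),
    };
    static final String[] ACCESS = { "hasRole('ADMIN')", "hasRole('USER')" };

    // Builds the text the matcher sees: servletPath + pathInfo + "?" + queryString.
    static String matchTarget(String servletPath, String pathInfo, String query) {
        StringBuilder sb = new StringBuilder(servletPath);
        if (pathInfo != null) sb.append(pathInfo);
        if (query != null) sb.append('?').append(query);
        return sb.toString();
    }

    // First pattern that matches the whole text decides; otherwise anyRequest() applies.
    static String decide(String target) {
        for (int i = 0; i < PATTERNS.length; i++) {
            if (PATTERNS[i].matcher(target).matches()) {
                return ACCESS[i];
            }
        }
        return "authenticated";
    }

    public static void main(String[] args) {
        // Constructed sample requests: {servletPath, pathInfo, queryString}.
        String[][] samples = {
            {"/index", null, null},
            {"/basicSearch", null, "q=dune"},
            {"/advSearch", null, "q=dune"},
            {"/rest/movie", "/1", null},
            // The query string is part of the matched text, so it can change
            // which rule applies; include such cases when testing a rule set.
            {"/index", null, "ref=/rest"},
        };
        for (String[] s : samples) {
            String target = matchTarget(s[0], s[1], s[2]);
            System.out.printf("%-22s -> %s%n", target, decide(target));
        }
    }
}
```

Ant-style matchers compare only the path, so rules written with antMatchers do not depend on the query string in this way.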