Spring Boot: antMatchers and user roles and authorities
221209
Intro
Here is a quick intro about .antMatchers(), as well as user roles and authorities.
.antMatchers()
antMatchers() are used to configure the URL paths which either can be permitted or denied to a user http request, according the role or the authorization of that particular user.
The authorizeRequests().antMatchers() are used to apply authorization to one or more paths you specify in antMatchers(). Such as permitAll() or hasRole(‘USER3’).
The “ant” in antMatcher stands for a reference to Apache’s Ant build tool. A path-matcher implementation for Ant-style path patterns. Part of this mapping code has been kindly borrowed from Apache Ant.
The mapping matches URLs using the following rules:
? matches one character
* matches zero or more characters
** matches zero or more directories in a path
{spring:[a-z]+} matches the regexp [a-z]+ as a path variable named “spring”
Examples
- com/t?st.jsp — matches com/test.jsp but also com/tast.jsp or com/txst.jsp
- com/*.jsp — matches all .jsp files in the com directory
- com/**/test.jsp — matches all test.jsp files underneath the com path
- org/springframework/**/*.jsp — matches all .jsp files underneath the org/springframework path
- org/**/servlet/bla.jsp — matches org/springframework/servlet/bla.jsp but also org/springframework/testing/servlet/bla.jsp and org/servlet/bla.jsp
- com/{filename:\\w+}.jsp will match com/test.jsp and assign the value test to the filename variable
The following are some of the methods applied on antmatchers():
- hasAnyRole(): This binds the URL to any user whose role is included in the configured roles created in the application. It receives a variable-length argument of roles.
- hasRole(): This method receives a single role argument bound to the URL.
- hasAuthority(): This method binds the URL to the granted authorities of the client. Any client who has been granted certain authorities is authorized to send a request to the URL.
- hasAnyAuthority(): This binds the URL to any user whose granted authorities is included in the configured authorities/permissions created in the application. It receives a variable-length argument of granted authorities.
- anonymous(): This binds the URL to an unauthenticated client.
- authenticated(): This binds the URL to any authenticated client.
Example usage of antMatchers in 1 HttpSecurity implementation – http.authorizeRequests
http .authorizeRequests() .antMatchers("/high_level_url_A/sub_level_1").hasRole('USER') .antMatchers("/high_level_url_A/sub_level_2").hasRole('USER2') .somethingElse() // for /high_level_url_A/** .antMatchers("/high_level_url_A/**").authenticated() .antMatchers("/high_level_url_B/sub_level_1").permitAll() .antMatchers("/high_level_url_B/sub_level_2").hasRole('USER3') .somethingElse() // for /high_level_url_B/** .antMatchers("/high_level_url_B/**").authenticated() .anyRequest().permitAll()
hasRole vs hasAuthority
Roles are intended as coarse-grained permissions, and Authorities are considered as fine-grained permissions.
Both cases are actually string values that are searched for in the authenticated user’s GrantedAuthorities list when the framework needs to determine if the user is authorized to perform an action or not; they don’t carry any semantic value.
In Spring Boot, an Authority granted to a user, i.e.: a GrantedAuthority has an arbitrary value (e.g.: READ_AUTHORITY, WRITE_PRIVILEGE, or even CAN_EXECUTE_AS_ROOT).
From the other hand, a Role is nothing but an arbitrary also value (like an Authority), prefixed this time with a prefix, which by default is the “ROLE_” prefix.
So, generally, you can keep in your mind that a role value is just an authority value with a special ROLE_ prefix.
in Spring security 3:
.hasRole('ROLE_XYZ')
is the same as
.hasAuthority('ROLE_XYZ')
However, from Spring security version 4 and onwards, when you use the the “.hasRole you can omit that prefix.”
So, the following antMatcher setting uses the “.hasRole”:
.antMatchers("/protectedbyrole").hasRole("ADMIN")
Means that only the users having the authority “ROLE_ADMIN” can access the protected endpoint.
Similarly, an antMatcher setting which uses the ”.hasAuthority” can have any authority, e.g.:
.antMatchers("/protectedbyrole").hasRole("ADMIN").antMatchers("/protectedbyauthority").hasAuthority("READ_PRIVILEGE")
References:
https://stackoverflow.com/questions/35890540/when-to-use-spring-securitys-antmatcher
https://www.section.io/engineering-education/springboot-antmatchers
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/util/AntPathMatcher.html
That’s it for now! I hope you enjoyed it!
Thanks for reading and stay tuned!