DEV Community

Cover image for New requestMatchers in Spring Security 6
JavaFullStackDev.in
JavaFullStackDev.in

Posted on

25

New requestMatchers in Spring Security 6

In Spring Security 6, the requestMatchers methods have replaced the deprecated antMatchers, mvcMatchers, and regexMatchers methods for configuring path-based access control. Here are the key points about the new requestMatchers:

Use requestMatchers in authorizeHttpRequests

The authorizeHttpRequests method in HttpSecurity configuration allows you to configure fine-grained request matching for access control. You can use the requestMatchers method to specify which requests should be permitted or authenticated. For example:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http.authorizeHttpRequests(auth -> auth
        .requestMatchers("/greet").permitAll()
        .anyRequest().authenticated())
        .formLogin()
        .build();
}
Enter fullscreen mode Exit fullscreen mode

This configuration permits access to the /greet endpoint without authentication while requiring authentication for all other requests.

requestMatchers vs securityMatchers

There are two similar methods: requestMatchers and securityMatchers. Both choose the most appropriate RequestMatcher implementation based on the presence of Spring MVC in the classpath:

  • If Spring MVC is present, it uses MvcRequestMatcher
  • If Spring MVC is not present, it falls back to AntPathRequestMatcher

The main difference is that securityMatchers is used in places like WebSecurityCustomizer, while requestMatchers is used in authorizeHttpRequests.

Choosing the Right Matcher

The requestMatchers methods allow you to match requests based on patterns or other criteria without relying on specific matchers like AntPathRequestMatcher or RegexRequestMatcher. This provides more flexibility and better defaults.

To use a specific matcher, you can pass a RequestMatcher implementation to the requestMatchers method:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http.authorizeHttpRequests(auth -> auth
        .requestMatchers(new AntPathRequestMatcher("/greet")).permitAll()
        .anyRequest().authenticated())
        .formLogin()
        .build();
}
Enter fullscreen mode Exit fullscreen mode

In summary, the new requestMatchers methods in Spring Security 6 provide a more flexible and secure way to configure path-based access control, choosing the most appropriate RequestMatcher implementation based on the application's dependencies.

Billboard image

Deploy and scale your apps on AWS and GCP with a world class developer experience

Coherence makes it easy to set up and maintain cloud infrastructure. Harness the extensibility, compliance and cost efficiency of the cloud.

Learn more

Top comments (0)

Cloudinary image

Video API: manage, encode, and optimize for any device, channel or network condition. Deliver branded video experiences in minutes and get deep engagement insights.

Learn more

👋 Kindness is contagious

Dive into an ocean of knowledge with this thought-provoking post, revered deeply within the supportive DEV Community. Developers of all levels are welcome to join and enhance our collective intelligence.

Saying a simple "thank you" can brighten someone's day. Share your gratitude in the comments below!

On DEV, sharing ideas eases our path and fortifies our community connections. Found this helpful? Sending a quick thanks to the author can be profoundly valued.

Okay