
AntMatchers are not working in Spring Security

I've two URLs in my application:

  • /sa/abc (which should be accessible to role - ABC)
  • /sa/practice (which should be accessible to role - ADMIN)

For this I've configured:

http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
    .authorizeRequests()
        .antMatchers("/sa/**").authenticated()
        .antMatchers("/sa/abc/**").hasAnyAuthority("ABC")
        .antMatchers("/sa/practices/**").hasAnyAuthority("ADMIN")

I was expecting that a user with role ABC would not be able to access /sa/practices/link1, but he is able to.

Also, I want to know what will happen to the links which are not mentioned in antMatchers. My guess is they can be accessed without any issue regardless of the role.

Am I correct?

Order matters. The first ant pattern that matches decides the access. So in your case:

http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .authorizeRequests()
        // Rules are checked top to bottom; specific paths go first
        .antMatchers("/sa/abc/**").hasAnyAuthority("ABC")
        .antMatchers("/sa/practices/**").hasAnyAuthority("ADMIN")
        // Catch-all for the rest of /sa/ goes last
        .antMatchers("/sa/**").authenticated();

Note that the least specific path is last.
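
The first-match rule from the answer, modelled in plain Java as an added example (not code from the original post or from Spring Security). The names `Rule`, `decide` and `hasAny` are hypothetical, the matcher only handles patterns ending in `/**`, and the fall-through branch reflects that legacy `authorizeRequests()` leaves a request matching no rule unrestricted.

```java
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

public class FirstMatchDemo {
    // Simplified stand-in for one antMatchers(...) rule; supports only "prefix/**" patterns.
    record Rule(String pattern, Predicate<Set<String>> access) {
        boolean matches(String path) {
            String prefix = pattern.substring(0, pattern.length() - 3); // strip "/**"
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
    }

    // Model of hasAnyAuthority(x): user must be authenticated (non-null) and hold x.
    static Predicate<Set<String>> hasAny(String authority) {
        return a -> a != null && a.contains(authority);
    }

    // The first rule whose pattern matches decides; later rules are never consulted.
    static String decide(List<Rule> rules, String path, Set<String> authorities) {
        for (Rule r : rules) {
            if (r.matches(path)) {
                return (r.access().test(authorities) ? "ALLOW" : "DENY") + " by " + r.pattern();
            }
        }
        // No rule matched: legacy authorizeRequests() treats the request as public.
        return "ALLOW (no rule matched)";
    }

    public static void main(String[] args) {
        Predicate<Set<String>> authenticated = a -> a != null;
        List<Rule> asAsked = List.of(              // order from the question
            new Rule("/sa/**", authenticated),
            new Rule("/sa/abc/**", hasAny("ABC")),
            new Rule("/sa/practices/**", hasAny("ADMIN")));
        List<Rule> reordered = List.of(            // order from the answer
            new Rule("/sa/abc/**", hasAny("ABC")),
            new Rule("/sa/practices/**", hasAny("ADMIN")),
            new Rule("/sa/**", authenticated));
        Set<String> abcUser = Set.of("ABC");       // constructed sample user
        for (String path : List.of("/sa/practices/link1", "/sa/abc/x", "/other")) {
            System.out.printf("%-20s question: %-24s answer: %s%n", path,
                decide(asAsked, path, abcUser), decide(reordered, path, abcUser));
        }
    }
}
```

Ending the real chain with `.anyRequest().denyAll()` (or `.anyRequest().authenticated()`) closes the fall-through that the `/other` row shows.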
