@ -128,7 +128,7 @@ This is helpful when, for example, wanting to run HTTP locally and HTTPS in prod
@@ -128,7 +128,7 @@ This is helpful when, for example, wanting to run HTTP locally and HTTPS in prod
Defines the `RequestMatcher` strategy used in the `FilterChainProxy` and the beans created by the `intercept-url` to match incoming requests.
Options are currently `mvc`, `ant`, `regex` and `ciRegex`, for Spring MVC, ant, regular-expression and case-insensitive regular-expression respectively.
A separate instance is created for each <<nsa-intercept-url,intercept-url>> element using its <<nsa-intercept-url-pattern,pattern>>, <<nsa-intercept-url-method,method>> and <<nsa-intercept-url-servlet-path,servlet-path>> attributes.
Ant paths are matched using an `AntPathRequestMatcher`, regular expressions are matched using a `RegexRequestMatcher` and for Spring MVC path matching the `MvcRequestMatcher` is used.
By default, paths are matched using a `PathPatternRequestMatcher`; however, regular expressions are matched using a `RegexRequestMatcher`.
See the Javadoc for these classes for more details on exactly how the matching is performed.
MVC is the default strategy if Spring MVC is present in the classpath, if not, Ant paths are used.
@ -226,7 +226,8 @@ Defines a reference to a Spring bean of type `AccessDeniedHandler`.
@@ -226,7 +226,8 @@ Defines a reference to a Spring bean of type `AccessDeniedHandler`.
[[nsa-cors]]
== <cors>
This element allows for configuring a `CorsFilter`.
If no `CorsFilter` or `CorsConfigurationSource` is specified and Spring MVC is on the classpath, a `HandlerMappingIntrospector` is used as the `CorsConfigurationSource`.
Either a `CorsFilter` or a `CorsConfigurationSource` must be specified.
If Spring MVC is present, then it will attempt to look up its `CorsConfigurationSource`.
@ -1084,7 +1084,7 @@ open class SecurityConfig {
@@ -1084,7 +1084,7 @@ open class SecurityConfig {
<3> Allow access to URLs that start with `/api/admin/` to users with the `ADMIN` role
<4> Any other request that doesn't match the rules above, will require authentication
The `securityMatcher(s)` and `requestMatcher(s)` methods will decide which `RequestMatcher` implementation fits best for your application: If {spring-framework-reference-url}web.html#spring-web[Spring MVC] is in the classpath, then javadoc:org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher[] will be used, otherwise, javadoc:org.springframework.security.web.util.matcher.AntPathRequestMatcher[] will be used.
The `securityMatcher(s)` and `requestMatcher(s)` methods will construct ``RequestMatcher``s using a javadoc:org.springframework.security.web.util.matcher.PathPatternRequestMatcher.Builder[] bean, if available.
You can read more about the Spring MVC integration xref:servlet/integrations/mvc.adoc[here].
If you want to use a specific `RequestMatcher`, just pass an implementation to the `securityMatcher` and/or `requestMatcher` methods:
@ -132,7 +132,7 @@ public class MvcWebApplicationInitializer extends
@@ -132,7 +132,7 @@ public class MvcWebApplicationInitializer extends
----
The reason for this is that Spring Security needs to be able to inspect some Spring MVC configuration in order to appropriately configure xref:servlet/authorization/authorize-http-requests.adoc#authorizing-endpoints[underlying request matchers], so they need to be in the same application context.
Placing Spring Security in `getRootConfigClasses` places it into a parent application context that may not be able to find Spring MVC's `HandlerMappingIntrospector`.
Placing Spring Security in `getRootConfigClasses` places it into a parent application context that may not be able to find Spring MVC's `PathPatternParser`.
==== Configuring for Multiple Spring MVC Dispatchers
@ -24,7 +24,7 @@ It is, therefore, essential that a `FilterChainProxy` is used to manage the secu
@@ -24,7 +24,7 @@ It is, therefore, essential that a `FilterChainProxy` is used to manage the secu
Note that the `servletPath` and `pathInfo` values are decoded by the container, so your application should not have any valid paths that contain semi-colons, as these parts are removed for matching purposes.
As mentioned earlier, the default strategy is to use Ant-style paths for matching, and this is likely to be the best choice for most users.
The strategy is implemented in the class `AntPathRequestMatcher`, which uses Spring's `AntPathMatcher` to perform a case-insensitive match of the pattern against the concatenated `servletPath` and `pathInfo`, ignoring the `queryString`.
The strategy is implemented in the class `PathPatternRequestMatcher`, which uses Spring's `PathPattern` to perform a case-insensitive match of the pattern against the concatenated `servletPath` and `pathInfo`, ignoring the `queryString`.
If you need a more powerful matching strategy, you can use regular expressions.
The strategy implementation is then `RegexRequestMatcher`.
@ -698,7 +698,7 @@ If we use XML-based configuration, we can use thexref:servlet/appendix/namespace
@@ -698,7 +698,7 @@ If we use XML-based configuration, we can use thexref:servlet/appendix/namespace
Josh Cummings
6 months ago