67

What is difference of HttpSecurity's antMatcher() and mvcMatcher() functions?

Could anyone explain when to use them ?

DimaSan
Javad Kargar

3 Answers

82

As these methods' signatures clearly say, and as is also stated in the official documentation:

antMatcher(String antPattern) - Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern.

mvcMatcher(String mvcPattern) - Allows configuring the HttpSecurity to only be invoked when matching the provided Spring MVC pattern.

Generally mvcMatcher is more secure than an antMatcher. As an example:

  • antMatchers("/secured") matches only the exact /secured URL
  • mvcMatchers("/secured") matches /secured as well as /secured/, /secured.html, /secured.xyz

and therefore is more general and can also handle some possible configuration mistakes.

mvcMatcher uses the same rules that Spring MVC uses for matching (when using @RequestMapping annotation).

If the current request will not be processed by Spring MVC, a reasonable default using the pattern as an ant pattern will be used. Source

It may be added that mvcMatchers API (since 4.1.1) is newer than the antMatchers API (since 3.1).

DimaSan
  • Spring Reference: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-authorization-filtersecurityinterceptor – Harinath Dec 30 '20 at 10:24
  • 4
    > mvcMatcher is more secure than antMatcher > shows example, that mvcMatcher can match more things than what you actually write down. I don't know about you, but this is clearly the opposite – newhouse Dec 09 '22 at 14:26
  • 1
    It sounds like it's quite the opposite, but mvcMatchers are more secure because they can match more... for example, imagine: `.mvcMatchers("/employee").hasRole("xyz").anyRequest().authenticated() ... permitAll()`... if you want to get to the employee resource and type `/employee/` or `/employee.html`, the mvcMatcher will match your request and filter it through authentication ... antMatcher would not catch the `/employee/` case and would not filter the request through auth, and the resource can be exploited ... DispatcherServlet will serve the request .. this is just security filtering ... – Marek Bernád Mar 05 '23 at 14:21
  • I recommend Dominik Cebula - he nicely explained the difference between ant and mvc matchers by example here: https://www.udemy.com/course/spring-professional-certification-exam-tutorial-module-06/learn/lecture/17919632#overview – Marek Bernád Mar 05 '23 at 14:28
  • I would also have a look at this video: https://youtu.be/WsH8qn8hjgE It does a great job demonstrating how a single slash can break antMatchers, whereas mvcMatchers is able to catch it. – Mingju Roberts Jul 26 '23 at 17:16
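The accepted answer and the comment thread above describe why a literal Ant match can leave `/secured/` or `/secured.html` under a weaker rule than `/secured`. The script below is an added example (not code from the answer or from Spring) that models those two matching styles as described in the answer, simplified and not Spring's real implementation, and reports which rule each request path would fall under in a rule chain; `RULES`, `REQUESTS` and the rule strings are constructed for the demonstration.

```python
import re

# Constructed, simplified model of the two matching styles described above:
# Ant-style patterns are matched literally, while MVC-style matching also
# accepts a trailing slash and a file-extension suffix on the last segment.

def ant_matches(pattern: str, path: str) -> bool:
    """Ant-style match: '**' spans segments, '*' one segment, '?' one char."""
    regex = re.escape(pattern)
    for token, sub in ((r"/\*\*", "(?:/.*)?"), (r"\*\*", ".*"),
                       (r"\*", "[^/]*"), (r"\?", "[^/]")):
        regex = regex.replace(token, sub)  # a trailing '/**' also matches the bare prefix
    return re.fullmatch(regex, path) is not None

def mvc_matches(pattern: str, path: str) -> bool:
    """MVC-style match: exact, or with a trailing '/', or with a '.ext' suffix."""
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    if ant_matches(pattern, path):
        return True
    head, _, last = path.rpartition("/")
    return ant_matches(pattern, head + "/" + last.rsplit(".", 1)[0])

def effective_rule(rules, path, matcher):
    """Access rule of the first matching pattern; unmatched paths fall through."""
    for pattern, access in rules:
        if matcher(pattern, path):
            return access
    return "anyRequest -> authenticated"

# Constructed rule chain and request sample, mirroring the answer's /secured case.
RULES = [("/secured", "hasRole('ADMIN')"), ("/public/**", "permitAll")]
REQUESTS = ["/secured", "/secured/", "/secured.html", "/secured/extra",
            "/public/index.html"]

def audit(rules=RULES, requests=REQUESTS):
    """Map each request path to the rule the Ant and MVC styles would apply."""
    return {p: (effective_rule(rules, p, ant_matches),
                effective_rule(rules, p, mvc_matches)) for p in requests}

if __name__ == "__main__":
    for path, (ant, mvc) in audit().items():
        print(f"{path:20} ant: {ant:28} mvc: {mvc}")
```

Paths whose two columns differ are the ones where an Ant rule is narrower than what Spring MVC would actually serve, which is exactly the gap the comments discuss.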
8

AntMatcher() is an implementation for Ant-style path patterns. Part of this mapping code has been kindly borrowed from Apache Ant.

MvcMatcher() uses Spring MVC's HandlerMappingIntrospector to match the path and extract variables.

So they both implement the RequestMatcher interface, but use different expression languages under the hood.

bausov
5

  • antMatcher("/users/**") matches any path starting with /users
  • antMatchers("/users") matches only the exact /users URL
  • mvcMatchers("/users") matches /users, /users/, /users.html

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/users/movie/**") // matches any path starting with /users/movie
                .hasRole("ADMIN")
                .anyRequest().authenticated();  // closes the chain: everything else needs a login
    }
}
```
Purushotham CK