Spring security: How can I enable anonymous for some matchers, but disable that for the rest?

Question

I am trying to enable the anonymous access to some part of my rest api, but disable that to the rest.

I tried config looks like:

@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anonymous().and()
    .antMatchers(SOME_URL).authenticated()
    .and()
    .anoymous().disable()
    .antMatchers(OTHER_URL).authenticated();

}

But later, I realized that the later anonymous().disable will cover the previous setting.

So is anyone can give me some suggestion that how can I enable the anonymous for part of my url?

Many thanks!!!

score 1 · Accepted Answer · answered Jul 20 '18 at 12:26

You can define a RequestMatcher, one for public urls and other for protected urls. Then, override the configure method which accepts WebSecurity as param. In this method, you can configure web to ignore your public urls.

private static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
    new AntPathRequestMatcher("/public/**")
  );
private static final RequestMatcher PROTECTED_URLS = new NegatedRequestMatcher(PUBLIC_URLS);

 @Override
  public void configure(final WebSecurity web) {
    web.ignoring().requestMatchers(PUBLIC_URLS);
  }

@Override
  protected void configure(final HttpSecurity http) throws Exception {
    http
      .sessionManagement()
      .sessionCreationPolicy(STATELESS)
      .and()
      .exceptionHandling()
      // this entry point handles when you request a protected page and you are not yet
      // authenticated
      .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
      .anyRequest()
      .authenticated();
      // and other clauses you would like to add. 
}

Spring security: How can I enable anonymous for some matchers, but disable that for the rest?

1 Answers1