URL patterns configured on a HttpSecurity.authorizeRequests()
method are considered in the order they were declared. It's easy to do a
mistake and to declare a less restrictive configuration before a more restrictive one. Therefore, it's required to review the order of the
"antMatchers" declarations. The /**
one should be the last one if it is declared.
This rule raises an issue when:
- A pattern is preceded by another that ends with **
and has the same beginning. E.g.: /page*-admin/db/**
is after
/page*-admin/**
- A pattern without wildcard characters is preceded by another that matches. E.g.: /page-index/db
is after /page*/**
protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/resources/**", "/signup", "/about").permitAll() // Compliant .antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/admin/login").permitAll() // Noncompliant; the pattern "/admin/login" should occurs before "/admin/**" .antMatchers("/**", "/home").permitAll() .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // Noncompliant; the pattern "/db/**" should occurs before "/**" .and().formLogin().loginPage("/login").permitAll().and().logout().permitAll(); }
protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/resources/**", "/signup", "/about").permitAll() // Compliant .antMatchers("/admin/login").permitAll() .antMatchers("/admin/**").hasRole("ADMIN") // Compliant .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") .antMatchers("/**", "/home").permitAll() // Compliant; "/**" is the last one .and().formLogin().loginPage("/login").permitAll().and().logout().permitAll(); }