30

I am currently following the Spring Documentation and some tutorials on Web Security. But now I have a problem: I can't call the method antMatchers. This is the error I'm getting when building the project:

java: cannot find symbol
  symbol:   method antMatchers(java.lang.String)
  location: variable requests of type org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>.AuthorizationManagerRequestMatcherRegistry

In terms of my understanding, I should be able to use this method, so I can permit or not permit HTTP Requests to a certain URL. So my question is, why can't I use the antMatchers() method?

SecurityConfiguration class:

package de.gabriel.vertretungsplan.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests((requests) -> requests
                        .antMatchers("/vertretungsplan").hasAnyRole("SCHUELER", "LEHRER", "VERWALTUNG")
                        .anyRequest().authenticated()
                )
                .formLogin((form) -> form
                        .loginPage("/login")
                        .permitAll()
                )
                .logout((logout) -> logout.permitAll());

        return http.build();
    }

}

pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.0.0</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>de.gabriel</groupId>
    <artifactId>vertretungsplan</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>vertretungsplan</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>17</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>com.mysql</groupId>
            <artifactId>mysql-connector-j</artifactId>
            <scope>runtime</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

5 Answers

60

antMatchers() (as well as mvcMatchers() and regexMatchers()) have been deprecated and removed with Spring Security 6.0. Thus, you can't use them in a Spring Boot 3 project.

Have a look at this link if you wonder what was the rationale behind this change: Deprecate trailing slash match.

The overloaded method requestMatchers() was provided as a uniform means for securing requests. It facilitates all the functionality of the configuration methods that have been removed from the API.

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(requests -> requests
            .requestMatchers("/vertretungsplan").hasAnyRole("SCHUELER", "LEHRER", "VERWALTUNG")
            .anyRequest().authenticated()
        )
        .formLogin(form -> form
            .loginPage("/login")
            .permitAll()
        )
        .logout(logout -> logout
            .permitAll());
    
    return http.build();
}
9
  • Thank you very much, it seems like I missed a lot in my 6 months pause😅 They also changed from javax.persistence to jakarta.persistence and now the thing with the antMatchers. Seems like I am going to have to get used to all the new things now, but really thanks for your answer and the link you provided ^^
    – Gabriel
    Commented Dec 10, 2022 at 15:02
  • @Gabriel Many interesting things have come with the latest Spring release, I guess the most important change in regard to Spring Security (if you're using OAuth 2.0 or OpenID in your projects) is a new production-ready Authorization Server. Commented Dec 10, 2022 at 15:16
  • yeah that sounds interesting, but currently I am only using JPA Authentication or want to, but because this update is new or at least it seems like that there are not so many tutorials out there so I have to watch the whole new Amigoscode course on spring security xD
    – Gabriel
    Commented Dec 10, 2022 at 15:37
  • Why do you think this worked: .requestMatchers("/user/**").hasAuthority("USER"), but this didn't: .requestMatchers("/user/**").hasRole("USER")? Even though I explicitly removed the default prefix and never set it or used anywhere: @Bean public GrantedAuthorityDefaults grantedAuthorityDefaults() { return new GrantedAuthorityDefaults(""); }. When I configured Spring Security with WebSecurityConfigurerAdapter, hasRole() worked just fine (as long as I removed the prefix) Commented Apr 2, 2023 at 19:12
  • @SergeyZolotarev There's not enough code to reproduce the problem, but I'll try to clarify things. Firstly, in Spring Security we have a notion of GrantedAuthority which might be represented either as a Role or an Authority (it's advisable to stick with either of the two, although technically you can use both, but it can cause a mess). In essence, both Roles and Authorities are plain strings (GrantedAuthority interface defines a single method getAuthority() returning a string). Roles describe who you are (USER, ADMIN, VISITOR, etc.), Authorities what you can do (READ, WRITE, etc.). Commented Apr 3, 2023 at 0:40
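
The hasRole() versus hasAuthority() difference raised in the comments above can be checked without starting a web application. This is an added example, not code from the answer or its comments: it calls the authorization managers from spring-security-core directly, and the class name RolePrefixDemo and the user "alice" are constructed for illustration.

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;

// Hypothetical demo class; needs spring-security-core (6.x) on the classpath.
public class RolePrefixDemo {

    // Returns true when the manager grants access to the given authentication.
    static boolean granted(AuthorizationManager<Object> manager, Authentication auth) {
        try {
            manager.verify(() -> auth, new Object()); // throws when access is denied
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample users: the authority string stored without and with the prefix.
        Authentication plain = new TestingAuthenticationToken("alice", "n/a", "USER");
        Authentication prefixed = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");

        // hasRole("USER") compares against the authority string "ROLE_USER";
        // hasAuthority("USER") compares against the literal string "USER".
        AuthorizationManager<Object> hasRole = AuthorityAuthorizationManager.hasRole("USER");
        AuthorizationManager<Object> hasAuthority = AuthorityAuthorizationManager.hasAuthority("USER");

        System.out.println("hasRole(USER),      stored USER      -> " + granted(hasRole, plain));
        System.out.println("hasRole(USER),      stored ROLE_USER -> " + granted(hasRole, prefixed));
        System.out.println("hasAuthority(USER), stored USER      -> " + granted(hasAuthority, plain));
        System.out.println("hasAuthority(USER), stored ROLE_USER -> " + granted(hasAuthority, prefixed));
    }
}
```

The same applies to hasAnyRole("SCHUELER", "LEHRER", "VERWALTUNG") from the question: with the default prefix, the stored authorities must read ROLE_SCHUELER, ROLE_LEHRER or ROLE_VERWALTUNG for the rule to grant access.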
1

The best solution is here:

https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html

And, second, additional information is here as well: https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

1
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .antMatchers("/user/**").hasRole("USER")
            .antMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
            .formLogin(withDefaults());

    return http.build();
}
1
  • Answers that contain only code are generally considered to be poor quality answers. If you look at the other answers, you will see that they also explain what the code does and how it solves the problem described in the posted question. You should consider editing your answer and adding some explanation.
    – Abra
    Commented May 7 at 5:26
0

.requestMatchers("/assets/**").permitAll()

works for me. But make sure you check that your link is the same as where you insert it.

for example

If you use:
  <link href="assets/css/style.css" rel="stylesheet">
  
Here you need to use:
  .requestMatchers("/assets/**").permitAll()
  
If you use:
  <link href="resources/**" rel="stylesheet">
  
Here you need to use:
  .requestMatchers("/resources/**").permitAll()

0

RequestMatcher works if you are talking about requests, but if you used antMatchers before the authorizeHttpRequests, you now need to use .securityMatcher.

Like this:

    http
    .securityMatcher("/api/**", "/app/**")
    .authorizeHttpRequests((authz) -> authz
        .requestMatchers("/api/admin/**").hasRole("ADMIN")
        .anyRequest().authenticated()
    );

See more in spring documentation: Spring Documentation

Leaving this answer here because this was the solution I needed.
