Why is this an issue?
URL patterns configured on a HttpSecurity.authorizeRequests() method are considered in the order they were declared. It’s easy to make
a mistake and declare a less restrictive configuration before a more restrictive one. Therefore, it’s required to review the order of the
"antMatchers" declarations. The /** one should be the last one if it is declared.
This rule raises an issue when:
- A pattern is preceded by another that ends with
** and has the same beginning. E.g.: /page*-admin/db/** is after
/page*-admin/**
- A pattern without wildcard characters is preceded by another that matches. E.g.:
/page-index/db is after /page*/**
Noncompliant code example
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/resources/**", "/signup", "/about").permitAll() // Compliant
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/admin/login").permitAll() // Noncompliant; the pattern "/admin/login" should appear before "/admin/**"
.antMatchers("/**", "/home").permitAll()
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // Noncompliant; the pattern "/db/**" should occurs before "/**"
.and().formLogin().loginPage("/login").permitAll().and().logout().permitAll();
}
Compliant solution
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/resources/**", "/signup", "/about").permitAll() // Compliant
.antMatchers("/admin/login").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN") // Compliant
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
.antMatchers("/**", "/home").permitAll() // Compliant; "/**" is the last one
.and().formLogin().loginPage("/login").permitAll().and().logout().permitAll();
}
Resources
