Your example means that Spring (Web) Security ignores URL patterns that match the expression you defined ("/static/**"). These URLs are skipped by Spring Security and are therefore not secured.
Allows adding RequestMatcher instances that Spring Security should ignore. Web security provided by Spring Security (including the SecurityContext) will not be available on HttpServletRequests that match. Typically, the requests that are registered should be only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.
See the WebSecurity API Documentation for more information.
You can have as many secured or unsecured URL patterns as you want.
With Spring Security you get authentication and access control features for the web layer of an application. You can also restrict access to a specific URL to users with a specific role, etc.
Read the Spring Security reference for more details:
http://docs.spring.io/spring-security/site/docs/current/reference/html/
URL Pattern Ordering Priority
When matching the specified patterns against an incoming request, matching is performed in the order in which the elements are declared. Thus, the most specific patterns should come first and the most general last.
The http.authorizeRequests() method has multiple children; each matcher is considered in the order in which it was declared.
Patterns are always evaluated in the order they are defined. Thus, it is important that more specific patterns are defined higher in the list than less specific patterns.
Read here for more details:
http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#filter-security-interceptor
Example 1
General use of WebSecurity's ignoring() method omits Spring Security, and none of Spring Security's features will be available. WebSecurity is based above HttpSecurity
(in the XML configuration you can write this: <http pattern="/resources/**" security="none"/> ).
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
                .antMatchers("/resources/**")
                .antMatchers("/publics/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                // No effect: /publics/** is already ignored by WebSecurity above.
                .antMatchers("/publics/**").hasRole("USER");
    }

WebSecurity in the example above lets Spring ignore /resources/** and /publics/**. Therefore, .antMatchers("/publics/**").hasRole("USER") in HttpSecurity is never considered.
This will completely exclude the request pattern from the security filter chain. Please note that no authentication or authorization services will be applied to anything matching this path, and it will be freely accessible.
Example 2
Patterns are always evaluated in order. The matchers below are invalid because the first one matches every request, so the second is never applied:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Matches every request, so the next matcher is never reached.
                .antMatchers("/**").hasRole("USER")
                .antMatchers("/admin/**").hasRole("ADMIN");
    }
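
A corrected configuration that combines both points above, added here as an illustration and not part of the original answer: only static resources go through ignoring(), the public dynamic path is mapped with permitAll() inside HttpSecurity, and the matchers run from most specific to most general. The class name SecurityConfig, the choice of permitAll() for /publics/** and the use of formLogin() are assumptions; it uses the same WebSecurityConfigurerAdapter API as the examples above.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; the paths are the ones used in the examples above.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Only static resources bypass the security filter chain entirely.
        web
            .ignoring()
                .antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific patterns first: the first match wins.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Assumption: /publics/** is dynamic content meant for everyone.
                // permitAll() keeps it inside the filter chain (SecurityContext
                // is available), unlike ignoring().
                .antMatchers("/publics/**").permitAll()
                // Catch-all last, so it cannot shadow the rules above.
                .antMatchers("/**").hasRole("USER")
                .and()
            .formLogin(); // assumption: form login as the authentication mechanism
    }
}
```

If /publics/** should be restricted after all, replace permitAll() with hasRole("USER"); the rule is enforced because the path is no longer listed under ignoring().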