Which .antMatchers() should I define if I want to block every request to my application when the user is not logged in?
If you just want to block every request when the user is not logged in:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()        // every request needs a logged-in user
        .and()
        .formLogin()
            .loginPage("/login").permitAll()     // the login page itself stays reachable
        .and()
        .logout().permitAll()
        .and()
        .csrf().disable();                       // turns off Spring's CSRF protection
}
```
You really do not need antMatchers, not even for the login page, since .formLogin() already has .permitAll() for that page.
Now for static resources (CSS, JS, images), and with Vaadin in mind, you can do this by overriding another method:
```java
@Override
public void configure(WebSecurity web) throws Exception {
    // Requests matching these patterns bypass the Spring Security filter chain entirely
    web.ignoring()
        .antMatchers("/resources/**", "/VAADIN/**");
}
```
Using a Spring Boot project, I also ran into problems if I did not add the "/vaadinServlet/**" requests to web.ignoring().antMatchers(...).
What are these patterns like "/UIDL/**", and what are they for?
When the server receives a request, Spring Security uses these patterns to decide whether to allow or deny it.
They are the part of the URI after the context root of your application. For example, if your context root is /, then for a request such as http://server.com/UIDL/hello the part of the URI that Spring Security will use to decide whether to grant access is /UIDL/hello.
** matches anything, including any number of additional path levels. For example, for the pattern /UIDL/** the request /UIDL/hello/world/and/any/more/levels will match.
There is also a single *, which matches anything within one level but does not include further levels. For example, for the pattern /UIDL/* the request /UIDL/hello will match, but /UIDL/hello/world will not.
Regarding Vaadin views and user interfaces, I am not sure you can use antMatchers to grant or deny access; instead you can annotate the configuration class with @EnableGlobalMethodSecurity(prePostEnabled = true) and then use the @PreAuthorize( /* SpEL expression */ ) annotation on the view to grant or deny access.
UPDATE: answers to the questions:
- Why do you use the configure(WebSecurity web) method with ignoring for resources instead of configure(HttpSecurity http) with access rules? Are there significant differences?
The difference is that WebSecurity#ignoring() makes the request skip the Spring Security filter chain entirely, and this is the recommended way for static resources; everything except static resources should be handled inside configure(HttpSecurity http).
[source]
- Why are you ignoring the path "/VAADIN/**"?
Because this path is used to serve themes, widget sets and settings, which are static content. By default this path is served dynamically from the Vaadin JAR, but, as suggested in the Vaadin documentation, it should be served statically in production environments, since that is faster.
[source]
- I can guess the meaning of "/*" and "/**", but what do UIDL and HEARTBEAT actually mean? Why are they allowed?
UIDL:
User Interface Definition Language (UIDL) is a language for serializing the contents of a user interface, and changes to it, in responses from the web server to the browser. The idea is that the server-side components "paint" themselves onto the screen (the web page) in this language. UIDL messages are parsed in the browser and translated into GWT widgets.
[source]
Heartbeat requests are sent periodically to check that the connection between the server and the client is still maintained, or that the session has not expired.
- see sections 4.8.5, 4.8.6, 4.8.7 and 4.8.8
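As an added example (not code from the original answer or from the Vaadin project), here are the pieces of the answer above assembled into one complete Spring Security configuration for a Vaadin application, together with a view that is guarded by method security rather than by antMatchers. Assumptions: Spring Security 5.x with WebSecurityConfigurerAdapter, Vaadin 8 with vaadin-spring, the Vaadin servlet mounted under /vaadinServlet as in the answer, a login page that already exists at /login, and made-up demo users alice and bob with throw-away passwords. One deliberate difference from the answer's snippet: .csrf().disable() switches Spring's CSRF protection off for every endpoint of the application. Vaadin carries its own CSRF token in each UIDL request, so the example below only exempts the Vaadin servlet path and keeps Spring's CSRF check for everything else.

```java
// Added example: Spring Security 5.x + Vaadin 8 (vaadin-spring). Users, passwords
// and the view name are constructed for the demo and are not from the original post.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)   // enables @PreAuthorize on beans
public class VaadinSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        // Static content only. These requests never enter the security filter chain,
        // so nothing under them can be authenticated, authorized or CSRF-checked.
        web.ignoring().antMatchers("/resources/**", "/VAADIN/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Vaadin's client-server traffic (UIDL, HEARTBEAT, push) goes through
                // the servlet like any other request, so an anonymous user is stopped here.
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/login").permitAll()     // assumed to exist (controller or Vaadin UI)
            .and()
            .logout().permitAll()
            .and()
            // Vaadin validates its own CSRF token on UIDL requests, so Spring's token check
            // is skipped only for the Vaadin servlet path (assumed mount point) and stays on
            // for every other endpoint, instead of csrf().disable() for the whole app.
            .csrf().ignoringAntMatchers("/vaadinServlet/**");
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        // Demo users only; a real application would use a database or an identity provider.
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("demo")).roles("USER", "ADMIN").build(),
            User.withUsername("bob").password(encoder.encode("demo")).roles("USER").build());
    }
}

// AdminView.java (second file): a Vaadin 8 view guarded by method security.
import com.vaadin.navigator.View;
import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
import com.vaadin.spring.annotation.SpringView;
import com.vaadin.ui.Label;
import com.vaadin.ui.VerticalLayout;
import org.springframework.security.access.prepost.PreAuthorize;

@SpringView(name = AdminView.NAME)
@PreAuthorize("hasRole('ADMIN')")   // applies to every public method of the proxied bean, enter() included
public class AdminView extends VerticalLayout implements View {
    public static final String NAME = "admin";   // constructed view name

    @Override
    public void enter(ViewChangeEvent event) {
        // bob (ROLE_USER only) never reaches this line: the security proxy throws
        // AccessDeniedException before the view is entered; alice sees the label.
        addComponent(new Label("Admins only"));
    }
}
```

Two things to check when adopting this: the ignored patterns are matched case-sensitively, so "/VAADIN/**" does not cover "/vaadinServlet/**" and vice versa, and an AccessDeniedException thrown from enter() surfaces through the UI's error handler, which you will want to map to a "not allowed" view rather than the default error notification.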
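The single-star versus double-star behaviour described in the answer, checked with Spring's own AntPathMatcher (the matcher behind antMatchers()) against request paths constructed for the purpose. This is an added example, not code from the original post; the patterns are the ones the answer uses and the decide() helper is a hypothetical stand-in for the real filter chain decision.

```java
// Added example: verifies the answer's Ant patterns with org.springframework.util.AntPathMatcher.
// Request paths below are constructed for the demo.
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

public class AntPatternCheck {
    // Case-sensitive by default, exactly like Spring Security's AntPathRequestMatcher
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Patterns the answer puts into web.ignoring(): these bypass the filter chain entirely
    static final String[] IGNORED = {"/resources/**", "/VAADIN/**", "/vaadinServlet/**"};

    /** Hypothetical stand-in for the chain decision: IGNORED if an ignore pattern matches,
     *  otherwise AUTHENTICATED because of anyRequest().authenticated(). */
    static String decide(String path) {
        for (String pattern : IGNORED) {
            if (MATCHER.match(pattern, path)) {
                return "IGNORED by " + pattern;
            }
        }
        return "AUTHENTICATED";
    }

    public static void main(String[] args) {
        // * matches within one path level, ** matches any number of levels
        System.out.println(MATCHER.match("/UIDL/*",  "/UIDL/hello"));                   // true
        System.out.println(MATCHER.match("/UIDL/*",  "/UIDL/hello/world"));             // false
        System.out.println(MATCHER.match("/UIDL/**", "/UIDL/hello/world/and/any/more")); // true

        // Case matters: the theme/widgetset path and the servlet path are different patterns
        System.out.println(MATCHER.match("/VAADIN/**", "/vaadinServlet/UIDL/"));        // false

        Map<String, String> samples = new LinkedHashMap<>();
        for (String path : new String[] {
                "/VAADIN/themes/valo/styles.css",   // static theme file
                "/vaadinServlet/UIDL/",             // UIDL request
                "/vaadinServlet/HEARTBEAT/",        // heartbeat request
                "/UIDL/hello",                      // not under an ignored prefix
                "/login",                           // handled by formLogin().permitAll()
                "/admin"}) {
            samples.put(path, decide(path));
        }
        samples.forEach((path, outcome) -> System.out.printf("%-36s %s%n", path, outcome));
    }
}
```

Note that /login shows up as AUTHENTICATED in this check: the ignore list is only the first step, and the formLogin().permitAll() rule from configure(HttpSecurity) is what later lets that one page through; anything you expect to be reachable anonymously and that is not static content must be permitted there, not added to web.ignoring().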