Difference between antMatcher and mvcMatcher
As these methods' signatures clearly say, and as is also stated in the official documentation:
antMatcher(String antPattern) - Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern.
mvcMatcher(String mvcPattern) - Allows configuring the HttpSecurity to only be invoked when matching the provided Spring MVC pattern.
Generally mvcMatcher is more secure than an antMatcher. As an example:
antMatchers("/secured") matches only the exact /secured URL
mvcMatchers("/secured") matches /secured as well as /secured/, /secured.html, /secured.xyz
and therefore is more general and can also handle some possible configuration mistakes.
mvcMatcher uses the same rules that Spring MVC uses for matching (when using @RequestMapping annotation).
If the current request will not be processed by Spring MVC, a reasonable default using the pattern as a ant pattern will be used. Source
It may be added that the mvcMatchers API (since 4.1.1) is newer than the antMatchers API (since 3.1).
AntMatcher() is an implementation for Ant-style path patterns. Part of this mapping code has been kindly borrowed from Apache Ant.
MvcMatcher() uses Spring MVC's HandlerMappingIntrospector to match the path and extract variables.
So they both implement the RequestMatcher interface, but use different expression languages under the hood.
antMatcher("/users/**") matches any path starting with /users
antMatchers("/users") matches only the exact /users URL
mvcMatchers("/users") matches /users, /users/, /users.html
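import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/users/movie/**") // matches any path starting with /users/movie
                .hasRole("ADMIN"); // further rules elided in the original
    }
}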
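An added example, not part of any answer above and not Spring Security's own code: it uses Spring's org.springframework.util.AntPathMatcher to list which of the URL variants named in the answers an Ant-style rule leaves unmatched, which is the gap mvcMatchers is meant to close. The class and method names are hypothetical, and the variant list mirrors the one given in the first answer rather than Spring MVC's actual handler resolution.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.springframework.util.AntPathMatcher;

// Hypothetical audit helper (added example). Assumption: AntPathMatcher is used
// directly as a stand-in for the Ant-style matching behind antMatchers(...), so
// that no servlet request object is needed.
public class MatcherGapCheck {

    private static final AntPathMatcher ANT = new AntPathMatcher();

    // URL variants the answers say mvcMatchers(mapping) covers:
    // the exact path, a trailing slash, and arbitrary suffixes.
    static List<String> mvcVariants(String mapping) {
        return Arrays.asList(mapping, mapping + "/", mapping + ".html", mapping + ".xyz");
    }

    // Returns the variants of `mapping` that the Ant-style rule does NOT match,
    // i.e. paths that would fall through to whatever rule comes next.
    static List<String> uncovered(String antPattern, String mapping) {
        List<String> gaps = new ArrayList<>();
        for (String path : mvcVariants(mapping)) {
            if (!ANT.match(antPattern, path)) {
                gaps.add(path);
            }
        }
        return gaps;
    }

    public static void main(String[] args) {
        // Constructed sample rules, taken from the patterns discussed on this page.
        String[][] rules = {
            {"/secured", "/secured"},     // exact Ant rule
            {"/secured/**", "/secured"},  // Ant rule widened with /**
            {"/users/**", "/users"},      // pattern from the last answer
        };
        for (String[] rule : rules) {
            System.out.printf("antMatchers(\"%s\") on mapping %s leaves unmatched: %s%n",
                    rule[0], rule[1], uncovered(rule[0], rule[1]));
        }
    }
}
```

Running it requires spring-core on the classpath.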