If you don’t like to read, you haven’t found the right book

What is antMatcher in Spring Security?

antMatcher() tells Spring to only configure HttpSecurity if the path matches this pattern. The authorizeRequests(). antMatchers() is then used to apply authorization to one or more paths you specify in antMatchers() . Such as permitAll() or hasRole(‘USER3’) . These only get applied if the first http.

Why is the usage of mvcMatcher recommended over antMatcher?

antMatcher(String antPattern) – Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern. mvcMatcher(String mvcPattern) – Allows configuring the HttpSecurity to only be invoked when matching the provided Spring MVC pattern. Generally mvcMatcher is more secure than an antMatcher .

What is Ant matcher?

Here is the website Apache Ant Home and in Spring Doc for AntPathMatcher it says “Part of this mapping code has been kindly borrowed from Apache Ant.” So “antMatchers” means an implementation of Ant-style path patterns in mappings.

What is the difference between hasAuthority and hasRole?

4.2. The main difference is that, roles have special semantics – starting with Spring Security 4, the ‘ROLE_’ prefix is automatically added (if it’s not already there) by any role related method. So hasAuthority(‘ROLE_ADMIN’) is similar to hasRole(‘ADMIN’) because the ‘ROLE_’ prefix gets added automatically.

How do I use WebSecurityConfigurerAdapter?


  1. Require the user to be authenticated prior to accessing any URL within our application.
  2. Create a user with the username “user”, password “password”, and role of “ROLE_USER”
  3. Enables HTTP Basic and Form based authentication.

Is Spring security necessary?

The Spring Security framework is a reliable way for Java developers to secure applications. However, proper implementation is critical to prevent the most common vulnerabilities.

What is anyRequest () authenticated ()?

anyRequest(). authenticated() is that any request must be authenticated otherwise my Spring app will return a 401 response.

What is @EnableWebSecurity?

The @EnableWebSecurity is a marker annotation. It allows Spring to find (it’s a @Configuration and, therefore, @Component ) and automatically apply the class to the global WebSecurity . If I don’t annotate any of my class with @EnableWebSecurity still the application prompting for username and password.

Is Spring Security necessary?

Should I learn Spring Security?

Since security is a paramount concern for enterprise Java applications, a good knowledge of a security framework, like Spring Security, goes a long way in your career. It not only helps you become a full-stack developer but also opens a lot of opportunity in terms of job and career growth.

What is GrantedAuthority in Spring Security?

Think of a GrantedAuthority as being a “permission” or a “right”. Those “permissions” are (normally) expressed as strings (with the getAuthority() method). Those strings let you identify the permissions and let your voters decide if they grant access to something.