This chapter covers
- Selecting requests to apply restrictions using matcher methods
- Learning best-case scenarios for each matcher method
In chapter 7, you learned how to configure access based on authorities and roles. But we applied those configurations only to all endpoints at once. In this chapter, you’ll learn how to apply authorization constraints to a specific group of requests. In production applications, it’s unlikely that you’ll apply the same rules to all requests. You have endpoints that can be called only by specific users, while other endpoints might be accessible to everyone. Depending on the business requirements, each application has its own custom authorization configuration. Let’s discuss the options available to refer to different requests when we write access configurations.
Even though we didn’t pay attention to it, the first matcher method you used was the anyRequest() method. And because it was used in previous chapters, you know now that it refers to all requests, regardless of the path or HTTP method. It is the way to say “any request” or, sometimes, “any other request.”
First, let’s talk about selecting requests by path; then we can also add the HTTP method to the scenario. To choose the requests to which we apply authorization configuration, we use the requestMatchers() method.
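The following configuration is an added example, not code from the original chapter. It shows requestMatchers() selecting requests by path and by HTTP method, with anyRequest() as the final "any other request" rule. It assumes the Spring Security 6 lambda DSL; the paths, user names, passwords, and role names are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MatcherConfig {

    @Bean
    PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    // Constructed sample users so the rules below can be exercised.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("john").password(encoder.encode("12345")).roles("ADMIN").build(),
            User.withUsername("jane").password(encoder.encode("12345")).roles("MANAGER").build());
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.httpBasic(Customizer.withDefaults());
        // Rules are checked in declaration order; the first matching rule decides.
        http.authorizeHttpRequests(c -> c
            .requestMatchers("/admin/**").hasRole("ADMIN")
            // Path plus HTTP method: only GET /products is open to everyone.
            .requestMatchers(HttpMethod.GET, "/products").permitAll()
            // Path only: every other method on /products falls through to this rule.
            // CSRF protection stays enabled by default, so those calls also need a token.
            .requestMatchers("/products").hasRole("MANAGER")
            // "Any other request": declared last, so an endpoint added later
            // without its own rule is rejected instead of being left open.
            .anyRequest().denyAll());
        return http.build();
    }
}
```

Because the first matching rule wins, moving the path-only `/products` rule above the GET rule would make the GET rule unreachable and require the MANAGER role for every method on that path.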