8 Configuring authorization: applying restrictions
This chapter covers
- Selecting requests for applying restrictions using matcher methods.
In chapter 7, you learned how to configure access based on authorities and roles. But we have only applied the configurations to all of the endpoints. In this chapter, you’ll learn how to apply authorization constraints to a specific group of requests. In production applications, it’s less probable that you’ll apply the same rules for all the requests. You’ll have endpoints that only some specific users can call, while other endpoints might be accessible to everyone. Each application, depending on the business requirements, has its custom authorization configuration. Let’s discuss the options you have to refer to different requests when you write the access configurations.
Even if we didn’t call it this way, the first matcher method you have used is the anyRequest() method. As you have used it in the previous examples, you know now that it refers to all the requests, regardless of the path, or HTTP method. It is the way you say “any request” or, sometimes, “any other request”.
First of all, let’s talk about selecting requests by path, then we will also add the HTTP method to the scenario. To choose the requests to which we apply the authorization configuration, we’ll use matcher methods. Spring Security offers you three types of matcher methods: