Spring Security - what do authorizeRequests(), anyRequest() and authenticated() do?

In the code below, what do the different chained methods do? PUBLIC_URL is an array of strings containing public URLs.

protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers(PUBLIC_URL).permitAll()
        .anyRequest().authenticated();
}

2 answers

  • answered 2020-05-31 15:36 Manta

    It means that all requests must be authenticated except those matching PUBLIC_URL.

  • answered 2020-05-31 16:49 Patel Romil

    • authorizeRequests() Allows restricting access based upon the HttpServletRequest using RequestMatcher implementations.

    • permitAll() This allows public access, that is, anyone can access the PUBLIC_URL endpoints without authentication.

    • anyRequest().authenticated() will restrict access for any endpoint other than PUBLIC_URL, and the user must be authenticated.

    We can also configure access based on authorities, manage sessions, the HTTPS channel, and much more. You may find more details in configure(HttpSecurity http).
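
An added example, not part of the question or either answer: the same chain extended with the authority, session and HTTPS-channel options the second answer mentions, written against the Spring Security 5 API the question uses. The class name, the contents of PUBLIC_URL, the "/admin/**" path and the ROLE_ADMIN authority are assumptions made for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed sample values; the question does not show what PUBLIC_URL contains.
    // Keep these patterns narrow: a broad entry such as "/**" would match every
    // request first and make all rules declared after it unreachable.
    private static final String[] PUBLIC_URL = { "/", "/health", "/static/**" };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated in declaration order; the first match decides.
                .antMatchers(PUBLIC_URL).permitAll()
                // Authority-based rule (hypothetical path and authority name).
                // It must come before the catch-all, otherwise any logged-in
                // user would be let through by authenticated().
                .antMatchers("/admin/**").hasAuthority("ROLE_ADMIN")
                // Catch-all, declared last: every request not matched above
                // requires an authenticated user.
                .anyRequest().authenticated()
                .and()
            // authenticated() only demands a logged-in user; a login mechanism
            // still has to be enabled for users to become authenticated.
            .formLogin()
                .and()
            // Session handling: create an HTTP session only when one is needed.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .and()
            // Channel security: redirect plain-HTTP requests to HTTPS.
            .requiresChannel()
                .anyRequest().requiresSecure();
    }
}
```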