Sensei Logo Sensei Hub

Recipe - Access Control: MvcRequestMatcher is more secure than AntPathRequestMatcher for Spring MVC patterns

Description:
When using Spring MVC it's recommended to use MvcRequestMatcher as it protects the paths Spring annotations will match on, instead of only the one provided.
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • Spring MVC
  • Spring Security
  • access control
Documentation

For endpoint authorisation, it is recommended to use mvcMatchers instead of antMatchers, as it will provide authorisation for all paths that the @RequestMapping annotation understands. In other words, antMatchers will only authorise /admin, and leave /admin/, which leads to the same endpoint, accessible for unauthorised users. mvcMatchers will protect both paths.

Before
http.authorizeRequests().antMatchers(“/admin”).hasRole("ADMIN");
After
http.authorizeRequests().mvcMatchers(“/admin”).hasRole("ADMIN");
Resources
Recipe
id: scw:spring:access-control-use-mvcMatchers-over-antMatchers
version: 10
metadata:
  name: 'Access Control: MvcRequestMatcher is more secure than AntPathRequestMatcher for Spring MVC patterns'
  shortDescription: When using Spring MVC it's recommended to use MvcRequestMatcher as it protects the paths Spring annotations will match on, instead of only the one provided.
  level: warning
  language: java
  scwCategory: access:functionlevel
  enabled: true
  descriptionFile: descriptions/Access_Control__MvcRequestMatcher_is_more_secure_than_AntPathRequestMatcher_for_Spring_MVC_patterns.html
  tags: Spring;security;Spring MVC;Spring Security;access control
search:
  methodcall:
    name: antMatchers
    declaration:
      type: org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry
availableFixes:
- name: Use MvcRequestMatchers
  actions:
  - rewrite:
      to: '{{{ qualifier }}}.mvcMatchers({{{ arguments.0 }}})'