Recipe Name:
Access Control: MvcRequestMatcher is more secure than AntPathRequestMatcher for Spring MVC patterns
Description:
When using Spring MVC it's recommended to use MvcRequestMatcher as it protects the paths Spring annotations will match on, instead of only the one provided.
Level:
warning
Language:
- java
Tags:
- Spring
- security
- Spring MVC
- Spring Security
- access control
Documentation
For endpoint authorisation, it is recommended to use mvcMatchers instead of antMatchers, because mvcMatchers applies the rule to every path that the @RequestMapping annotation would match. In other words, antMatchers applies the rule only to the literal path /admin and leaves /admin/, which Spring MVC routes to the same endpoint, reachable by unauthorised users. mvcMatchers protects both paths.
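The following is an added example, not the recipe's own code. It assumes Spring Boot 2.x with Spring Security 5.x, where the antMatchers/mvcMatchers API still exists and Spring MVC's default trailing-slash matching makes @GetMapping("/admin") also serve /admin/; the package and class names are placeholders. It shows the vulnerable rule beside the fixed one and a MockMvc test that exercises the trailing-slash variant the Ant pattern misses:

```java
package com.example.demo; // placeholder package; avoids component scanning of the default package
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.junit.jupiter.api.Test;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@RestController
class AdminController {
    @GetMapping("/admin")          // Spring MVC routes both "/admin" and "/admin/" here
    String admin() { return "admin area"; }
}

@SpringBootApplication // assumption: Spring Boot 2.x / Spring Security 5.x; doubles as the @Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Before (vulnerable): an Ant pattern is compared with the raw request path, so only
            // "/admin" needs ADMIN; "/admin/" falls through to permitAll and reaches the handler.
            // .antMatchers("/admin").hasRole("ADMIN")
            // After (fixed): MvcRequestMatcher asks Spring MVC which handler the request resolves
            // to, so every URL the @GetMapping above accepts requires ADMIN.
            .mvcMatchers("/admin").hasRole("ADMIN")
            .anyRequest().permitAll()
            .and().httpBasic();
    }
}

@SpringBootTest
@AutoConfigureMockMvc
class AdminAccessTest {
    @Autowired MockMvc mvc;

    @Test
    void trailingSlashVariantIsProtectedToo() throws Exception {
        mvc.perform(get("/admin")).andExpect(status().isUnauthorized());
        // With the antMatchers line instead, this second request returns 200 to an anonymous user.
        mvc.perform(get("/admin/")).andExpect(status().isUnauthorized());
    }
}
```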
Before
http.authorizeRequests().antMatchers("/admin").hasRole("ADMIN");
After
http.authorizeRequests().mvcMatchers("/admin").hasRole("ADMIN");
Resources
Recipe
id: scw:spring:access-control-use-mvcMatchers-over-antMatchers
version: 10
metadata:
  name: 'Access Control: MvcRequestMatcher is more secure than AntPathRequestMatcher for Spring MVC patterns'
  shortDescription: When using Spring MVC it's recommended to use MvcRequestMatcher as it protects the paths Spring annotations will match on, instead of only the one provided.
  level: warning
  language: java
  scwCategory: access:functionlevel
  enabled: true
  descriptionFile: descriptions/Access_Control__MvcRequestMatcher_is_more_secure_than_AntPathRequestMatcher_for_Spring_MVC_patterns.html
  tags: Spring;security;Spring MVC;Spring Security;access control
search:
  methodcall:
    name: antMatchers
    declaration:
      type: org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry
availableFixes:
  - name: Use MvcRequestMatchers
    actions:
      - rewrite:
          to: '{{{ qualifier }}}.mvcMatchers({{{ arguments.0 }}})'