antMatchers deprecated in 24.8.0

steve.perks · June 19, 2025, 10:25am

Could anyone point me in the right direction (either documentation or in this forum) to replace the deprecated antMatchers in 24.8.0. Here is my existing code in a class that extends VaadinWebSecurity. It currently works fine but will be effectively deprecated:

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeHttpRequests(a -> a.requestMatchers(antMatchers("/api/**")).permitAll());
        http.headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin));
        http.csrf(c -> c.ignoringRequestMatchers(antMatchers("/api/**")));

        super.configure(http);

        setLoginView(http, LoginView.class);
    }

I need to allow any request to /api/* including cross site (csrf). Thanks in advance.

marcoc_753 · June 19, 2025, 11:49am

In a VaadinWebSecurity extension, you can use pathMatchers(...) as suggested in the antMatchers(...) Javadoc and double-check if the paths need some changes according to Spring PathPattern class Javadoc.

I’d say that pathMatchers("/api/**") should be OK.

marcoc_753 · June 19, 2025, 11:57am

A couple of more info here Web Migrations :: Spring Security