Java Spring-Security:Spring-Security 中 /** 和 /* url 模式的区别

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must likewise follow CC BY-SA, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/24948651/

Time: 2020-08-14 15:55:12  Source: igfitidea

Spring-Security: Difference Between /** and /* url pattern in Spring-Security

Tags: java, security, spring-security, url-pattern

Asked by Harmeet Singh Taara

I am a little bit confused with URL patterns in Spring Security. Because, in servlet core HTTP security, the / and /* URL patterns are used to specify one or more directories. / is used for one directory and /* is used for many directories. But in spring-security, the /** is also introduced; what is the main purpose of the /** URL pattern in security?

Answered by Rufi

According to the Spring Security documentation, the main purpose of /** is to be a catch-all wildcard:

In practice we recommend that you use method security at your service layer, to control access to your application, and do not rely entirely on the use of security constraints defined at the web-application level. URLs change and it is difficult to take account of all the possible URLs that an application might support and how requests might be manipulated. You should try and restrict yourself to using a few simple ant paths which are simple to understand. Always try to use a “deny-by-default” approach where you have a catch-all wildcard (/** or **) defined last and denying access.

We also should not forget that

Patterns are always evaluated in the order they are defined. Thus it is important that more specific patterns are defined higher in the list than less specific patterns.

Thus we can have something like this:

<security:http pattern="/rest-service/**" authentication-manager-ref="authenticationManager" auto-config="false" access-decision-manager-ref="accessDecisionManager">
    <security:intercept-url pattern="/rest-service/report/export/xml" access="AUTH_REPORT_EXPORTXML" />
    <security:intercept-url pattern="/**" access="AUTH_SYSTEM_LOGIN" />
    <security:http-basic />
</security:http>

which means that for all requests we will need the AUTH_SYSTEM_LOGIN authority, but specifically for /rest-service/report/export/xml the user will need the AUTH_REPORT_EXPORTXML authority as well, because it is defined above. As they also say, it is better not to rely only on these security constraints, which means that it is also good to duplicate them in service methods with the @Secured annotation, like this:

@Secured("AUTH_REPORT_EXPORTXML")

In general, as I understand it, there is no difference between /* and /** except that the last one catches all the wildcards.

Answered by Rahul Jain

The difference between /* and /** is that the second matches the entire directory tree, including subdirectories, whereas /* only matches at the level it's specified at.

Answered by Andrey Dorohovich

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        // ...
        // any GET, at any depth of the path tree
        .antMatchers(HttpMethod.GET, "/**").permitAll()
        // POST only on single-segment paths such as /book
        .antMatchers(HttpMethod.POST, "/*").permitAll()
        // ...
        ;
}

In this configuration any "Get" request will be permitted, for example:

  • /book
  • /book/20
  • /book/20/author

So, all these URLs match the pattern "/**".

Permitted urls for "Post":

  • /book
  • /magazine

The URLs above match "/*".

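As an added illustration (not code from the answers above or from Spring itself), here is a small Python model of Ant-style path matching plus first-match rule evaluation. It covers both Rufi's ordered <intercept-url> rules (specific pattern before the /** catch-all, and what happens when that order is reversed) and Andrey's method-specific /* versus /** matchers; the rule sets and paths are constructed from the answers, and Spring's AntPathMatcher trailing-slash handling is not modelled.

```python
import re
from typing import List, Optional, Sequence, Tuple

def _segment_regex(seg: str) -> str:
    # Within one path segment '*' is any run of characters and '?' is one
    # character; everything else is literal. Neither can cross a '/'.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in seg)

def ant_match(pattern: str, path: str) -> bool:
    """Ant-style match of a request path against a pattern (a simplified model
    of Spring's AntPathMatcher; trailing-slash nuances are not modelled).
    A segment that is exactly '**' matches zero or more whole segments, which
    is what lets a pattern reach into subdirectories."""
    pat = [s for s in pattern.split("/") if s]
    segs = [s for s in path.split("/") if s]
    return _match(pat, segs)

def _match(pat: List[str], segs: List[str]) -> bool:
    if not pat:
        return not segs  # pattern and path must be exhausted together
    if pat[0] == "**":
        # '**' may swallow any number of segments, including none
        return any(_match(pat[1:], segs[i:]) for i in range(len(segs) + 1))
    if not segs or not re.fullmatch(_segment_regex(pat[0]), segs[0]):
        return False
    return _match(pat[1:], segs[1:])

# (HTTP method, or None for any; ant pattern; access attribute) -- constructed
Rule = Tuple[Optional[str], str, str]

def matching_access(rules: Sequence[Rule], method: str, path: str) -> Optional[str]:
    """The first matching rule decides, as with <intercept-url> / antMatchers
    ordering. None means no rule matched: the gap a final /** rule closes."""
    for rule_method, pattern, access in rules:
        if rule_method in (None, method) and ant_match(pattern, path):
            return access
    return None

# Rufi's <intercept-url> rules: specific pattern first, /** catch-all last
CORRECT_ORDER: List[Rule] = [
    (None, "/rest-service/report/export/xml", "AUTH_REPORT_EXPORTXML"),
    (None, "/**", "AUTH_SYSTEM_LOGIN"),
]
# The same rules reversed: the /** catch-all now shadows the specific one
SHADOWED_ORDER: List[Rule] = list(reversed(CORRECT_ORDER))
# Andrey's antMatchers: GET anywhere in the tree, POST only one level deep
METHOD_RULES: List[Rule] = [("GET", "/**", "permitAll"), ("POST", "/*", "permitAll")]
```

Running matching_access(SHADOWED_ORDER, "GET", "/rest-service/report/export/xml") returns AUTH_SYSTEM_LOGIN, which is why the documentation quoted above insists that more specific patterns come first and the catch-all comes last.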