/**
 * Assembles the resource-server filter chain.
 * <p>
 * Steps, in order: pick the token services (explicit services win over a token
 * store, which wins over the store of a co-located authorization server), publish
 * events if a publisher is wired, let every {@link ResourceServerConfigurer}
 * tune the {@link ResourceServerSecurityConfigurer}, make the chain stateless
 * with CSRF off (bearer-token style access), exclude the OAuth endpoints when
 * running inside an authorization server, and finally let the delegates add
 * their {@code authorizeRequests()} rules.
 * <p>
 * A catch-all {@code anyRequest().authenticated()} is only registered when no
 * delegate is present; a delegate that registers matchers without its own
 * fall-back rule leaves unmatched paths without an access rule.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    ResourceServerSecurityConfigurer resourceConfigurer = new ResourceServerSecurityConfigurer();
    installTokenSupport(resourceConfigurer);
    if (eventPublisher != null) {
        resourceConfigurer.eventPublisher(eventPublisher);
    }
    for (ResourceServerConfigurer delegate : configurers) {
        delegate.configure(resourceConfigurer);
    }

    // The access-denied handler is also installed inside resourceConfigurer.configure();
    // it is set here as well so that it is actually picked up by the chain.
    http.exceptionHandling().accessDeniedHandler(resourceConfigurer.getAccessDeniedHandler());
    // Token-based resource server: no HTTP session and no CSRF tokens.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.csrf().disable();
    http.apply(resourceConfigurer);

    RequestMatcherConfigurer requestMatchers = http.requestMatchers();
    if (endpoints != null) {
        // Co-located Authorization Server: keep its OAuth endpoints out of this chain.
        requestMatchers.requestMatchers(
                new NotOAuthRequestMatcher(endpoints.oauth2EndpointHandlerMapping()));
    }

    // Delegates may register authorizeRequests() rules here.
    for (ResourceServerConfigurer delegate : configurers) {
        delegate.configure(http);
    }
    if (configurers.isEmpty()) {
        // Only add the fall-back when nobody configured anything: Spring Security
        // would otherwise replace a delegate's own anyRequest() matcher with this one.
        http.authorizeRequests().anyRequest().authenticated();
    }
}

/**
 * Chooses where tokens are validated: explicit token services first, otherwise
 * the configured token store, otherwise the store of the co-located endpoints.
 */
private void installTokenSupport(ResourceServerSecurityConfigurer resourceConfigurer) {
    ResourceServerTokenServices tokenServices = resolveTokenServices();
    if (tokenServices != null) {
        resourceConfigurer.tokenServices(tokenServices);
        return;
    }
    if (tokenStore != null) {
        resourceConfigurer.tokenStore(tokenStore);
    } else if (endpoints != null) {
        resourceConfigurer.tokenStore(endpoints.getEndpointsConfigurer().getTokenStore());
    }
}
/**
 * Stateless HTTP Basic protection for the REST endpoints.
 * <p>
 * Every request under {@code /api/**} and {@code /manage/**} must authenticate as a
 * user holding {@link CustomUserDetailsService#ROLE_USER}; the X-Auth-Token
 * configurer is applied on top so a previously issued token can be presented instead.
 * <p>
 * No {@code anyRequest()} rule is registered here, so paths outside those two
 * prefixes are not constrained by this configuration.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Token / Basic API: no CSRF tokens and no server-side session.
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    http.httpBasic();
    String[] securedPrefixes = {"api", "manage"};
    for (String prefix : securedPrefixes) {
        String pattern = "/" + prefix + "/**";
        http.authorizeRequests()
            .antMatchers(pattern)
            .hasRole(CustomUserDetailsService.ROLE_USER);
    }

    // Installs the filter that reads and validates the x-auth-token header.
    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> tokenConfigurer =
            new XAuthTokenConfigurer(userDetailsServiceBean());
    http.apply(tokenConfigurer);
}
/**
 * Stateless security for the AngularJS front end: {@code /admin/**} needs ROLE_ADMIN,
 * everything else needs ROLE_USER, and the X-Auth-Token filter is applied.
 * <p>
 * NOTE(review): the CSRF setup below does not do what the comments suggest.
 * {@code .csrf().disable()} removes the CSRF configurer and {@code .csrf()} right
 * after it registers a fresh one, so CSRF protection is (as far as this method
 * shows) active again with Spring's default header name {@code X-CSRF-TOKEN}.
 * The {@code tokenRepository} prepared for the AngularJS header name is never
 * applied because the {@code csrfTokenRepository(...)} call is commented out.
 * Decide whether CSRF should be off (drop the trailing {@code .csrf()}) or on with
 * the X-XSRF-TOKEN header (restore the {@code csrfTokenRepository} call) — confirm.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Sync HTTP Header names to AngularJs name (default Spring: X-CSRF-TOKEN)
    // NOTE(review): built but never handed to the CSRF configurer below (dead local).
    // Also: it is a session-backed repository while the chain is STATELESS — confirm.
    HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();
    tokenRepository.setHeaderName("X-XSRF-TOKEN");
    // ~~
    http.csrf()
        // .csrfTokenRepository(tokenRepository)
        .disable()
        // NOTE(review): this re-adds the CSRF configurer that disable() just removed.
        .csrf() // for testing purposes
        .and()
        .authorizeRequests()
        .antMatchers("/admin/**")
        .hasRole("ADMIN")
        .and()
        .authorizeRequests()
        .antMatchers("/**")
        .hasRole("USER");
    // No HTTP session: the X-Auth-Token header carries the authentication.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // injects filter to read out x-auth-token header and validates it
    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter =
            new XAuthTokenConfigurer(userDetailsServiceBean());
    http.apply(securityConfigurerAdapter);
    // Since we use the client-side AngularJS login view, we do not have to cover redirection
    /*
    .and()
    .formLogin()
    .loginPage("/login")
    .defaultSuccessUrl("/")
    .usernameParameter("usr")
    .passwordParameter("pwd")
    .permitAll()
    .and()
    .logout()
    .logoutUrl("/logout")
    .logoutSuccessUrl("/login")
    .permitAll();
    */
}
/**
 * Session-based, form-login security for the web UI.
 * <p>
 * Rule order matters: public paths are registered first, then the role-protected
 * areas, then the catch-all that requires authentication. Login, logout and
 * remember-me are configured afterwards, followed by the Spring Social sign-up hook.
 * <p>
 * NOTE(review): CSRF protection is switched off at the end of this method even
 * though the application relies on cookie-backed form login, remember-me and a
 * logout URL; those endpoints therefore have no CSRF defense — confirm this is intended.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    String[] publicPaths = {
        "/", "/403", "/404", "/500",
        "/generatedResources/**", "/resources/**",
        "/signup/**", "/signin/**", "/forgotMyPassword/**", "/themes/**"
    };

    http.authorizeRequests()
        .antMatchers(publicPaths).permitAll()
        .regexMatchers("/user/.*/.*").permitAll()
        .antMatchers("/challenges/**", "/user").hasAnyRole("USER")
        .antMatchers("/manage/**").hasRole("ADMIN")
        .anyRequest().authenticated();

    http.formLogin()
        .loginPage("/signin")
        .failureUrl("/signin?error")
        .permitAll();

    http.logout()
        .logoutUrl("/signout")
        .logoutSuccessUrl("/signin?signout")
        .deleteCookies("JSESSIONID")
        .permitAll();

    http.rememberMe()
        .tokenRepository(persistentTokenRepository())
        .tokenValiditySeconds(DateUtils.ONE_WEEK);

    http.apply(new SpringSocialConfigurer().signupUrl("/signup/social"));

    // CSRF disabled for the whole chain (see class note).
    http.csrf().disable();
}
/**
 * Secures the Authorization Server endpoints.
 * <p>
 * The chain is restricted to the token, token_key and check_token paths (resolved
 * through the endpoint handler mapping so servlet-path prefixes are honoured).
 * {@code /oauth/token} requires a fully authenticated client; access to the other
 * two is governed by the expressions exposed by the
 * {@link AuthorizationServerSecurityConfigurer} after the subclass hook
 * {@code configure(AuthorizationServerSecurityConfigurer)} has run.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    AuthorizationServerSecurityConfigurer serverSecurity = new AuthorizationServerSecurityConfigurer();
    FrameworkEndpointHandlerMapping mapping = endpoints.oauth2EndpointHandlerMapping();
    http.setSharedObject(FrameworkEndpointHandlerMapping.class, mapping);
    // Subclass hook, then install the configurer on the chain.
    configure(serverSecurity);
    http.apply(serverSecurity);

    String tokenPath = mapping.getServletPath("/oauth/token");
    String tokenKeyPath = mapping.getServletPath("/oauth/token_key");
    String checkTokenPath = mapping.getServletPath("/oauth/check_token");

    http.authorizeRequests()
        .antMatchers(tokenPath).fullyAuthenticated()
        .antMatchers(tokenKeyPath).access(serverSecurity.getTokenKeyAccess())
        .antMatchers(checkTokenPath).access(serverSecurity.getCheckTokenAccess());
    // This chain handles only the three OAuth endpoints.
    http.requestMatchers().antMatchers(tokenPath, tokenKeyPath, checkTokenPath);

    http.setSharedObject(ClientDetailsService.class, clientDetailsService);
}