@Override
protected void configure(final HttpSecurity http) throws Exception {
// @formatter:off
http.csrf()
.disable()
.authorizeRequests()
.antMatchers("/admin/**")
.hasRole("ADMIN")
.antMatchers("/anonymous*")
.anonymous()
.antMatchers("/login*")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login.html")
.loginProcessingUrl("/perform_login")
.defaultSuccessUrl("/homepage.html", true)
.failureUrl("/login.html?error=true")
.and()
.logout()
.logoutUrl("/perform_logout")
.deleteCookies("JSESSIONID")
.logoutSuccessHandler(logoutSuccessHandler());
// @formatter:on
}
@Override
public void configure(HttpSecurity http) throws Exception {
ContentNegotiationStrategy contentNegotiationStrategy =
http.getSharedObject(ContentNegotiationStrategy.class);
if (contentNegotiationStrategy == null) {
contentNegotiationStrategy = new HeaderContentNegotiationStrategy();
}
MediaTypeRequestMatcher preferredMatcher =
new MediaTypeRequestMatcher(
contentNegotiationStrategy,
MediaType.APPLICATION_FORM_URLENCODED,
MediaType.APPLICATION_JSON,
MediaType.MULTIPART_FORM_DATA);
http.csrf()
.disable()
.authorizeRequests()
.and()
.anonymous()
.disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.httpBasic()
.and()
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.defaultAuthenticationEntryPointFor(authenticationEntryPoint, preferredMatcher)
.and()
.authorizeRequests()
.antMatchers("/api/**")
.fullyAuthenticated();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.authorizeRequests()
.and()
.formLogin()
.loginProcessingUrl("/api/authentication")
.successHandler(ajaxAuthenticationSuccessHandler)
.failureHandler(ajaxAuthenticationFailureHandler)
.usernameParameter("j_username")
.passwordParameter("j_password")
.permitAll()
.and()
.rememberMe()
.rememberMeServices(rememberMeServices)
.key(env.getProperty("jhipster.security.rememberme.key"))
.and()
.logout()
.logoutUrl("/api/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler)
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.exceptionHandling();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.authorizeRequests()
.antMatchers("/admin/**")
.hasRole("ADMIN")
.and()
.formLogin()
.loginProcessingUrl("/j_spring_security_check")
.loginPage("/login")
.defaultSuccessUrl("/protected/home/")
.failureUrl("/login")
.permitAll()
.and()
.logout()
.logoutSuccessUrl("/?logout");
//
// http.authorizeRequests().antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')").antMatchers("/dba/**")
// .access("hasRole('ROLE_ADMIN') or
// hasRole('ROLE_DBA')").and().formLogin().loginPage("/login");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.requireCsrfProtectionMatcher(new CSRFRequestMatcher())
.and()
.authorizeRequests()
.antMatchers("/entrar", "/registrar/**", "/jobs/**", "/css/**", "/fonts/**", "/js/**")
.permitAll()
.antMatchers("/admin/**")
.hasRole("Administrator")
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/entrar")
.loginProcessingUrl("/entrar")
.failureUrl("/entrar?error=true")
.defaultSuccessUrl("/")
.usernameParameter("nomeDeUsuario")
.passwordParameter("senha")
.and()
.logout()
.logoutUrl("/sair")
.logoutSuccessUrl("/entrar?logout=true")
.invalidateHttpSession(true);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// secure endpoints
RequestMatcher matcher =
this.management.getSecurity().isEnabled()
? LazyEndpointPathRequestMatcher.getRequestMatcher(this.contextResolver)
: null;
if (matcher != null) {
// Always protect them if present
if (this.security.isRequireSsl()) {
http.requiresChannel().anyRequest().requiresSecure();
}
AuthenticationEntryPoint entryPoint = entryPoint();
http.exceptionHandling().authenticationEntryPoint(entryPoint);
// Match all the requests for actuator endpoints ...
http.requestMatcher(matcher);
// ... but permitAll() for the non-sensitive ones
configurePermittedRequests(http.authorizeRequests());
http.httpBasic().authenticationEntryPoint(entryPoint);
// No cookies for management endpoints by default
http.csrf().disable();
http.sessionManagement().sessionCreationPolicy(this.management.getSecurity().getSessions());
SpringBootWebSecurityConfiguration.configureHeaders(
http.headers(), this.security.getHeaders());
}
}
@Override
protected void configure(HttpSecurity http) throws Exception {
if (this.security.isRequireSsl()) {
http.requiresChannel().anyRequest().requiresSecure();
}
if (!this.security.isEnableCsrf()) {
http.csrf().disable();
}
// No cookies for application endpoints by default
http.sessionManagement().sessionCreationPolicy(this.security.getSessions());
SpringBootWebSecurityConfiguration.configureHeaders(
http.headers(), this.security.getHeaders());
String[] paths = getSecureApplicationPaths();
if (paths.length > 0) {
AuthenticationEntryPoint entryPoint = entryPoint();
http.exceptionHandling().authenticationEntryPoint(entryPoint);
http.httpBasic().authenticationEntryPoint(entryPoint);
http.requestMatchers().antMatchers(paths);
String[] roles = this.security.getUser().getRole().toArray(new String[0]);
SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode();
if (mode == null || mode == SecurityAuthorizeMode.ROLE) {
http.authorizeRequests().anyRequest().hasAnyRole(roles);
} else if (mode == SecurityAuthorizeMode.AUTHENTICATED) {
http.authorizeRequests().anyRequest().authenticated();
}
}
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.headers()
.addHeaderWriter(new StaticHeadersWriter("Server", "Spontaneous Running Backend"));
http.requestMatchers().antMatchers("/spontaneous/**");
http.csrf().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
HttpSessionCsrfTokenRepository csrfTokenRepository = new HttpSessionCsrfTokenRepository();
csrfTokenRepository.setHeaderName(CSRF_HEADER_NAME);
http.csrf().csrfTokenRepository(csrfTokenRepository);
http.authorizeRequests()
.antMatchers("/assets/**", "/webjars/**", "/login/**", "/api-docs/**")
.permitAll()
.antMatchers("/jsondoc/**", "/jsondoc-ui.html")
.permitAll()
.anyRequest()
.fullyAuthenticated();
http.formLogin().loginProcessingUrl("/login").loginPage("/login").failureUrl("/login?error");
http.httpBasic();
http.logout().logoutUrl("/logout").logoutSuccessUrl("/login?logout");
http.headers()
.defaultsDisabled()
.contentTypeOptions()
.and()
.xssProtection()
.and()
.httpStrictTransportSecurity()
.and()
.addHeaderWriter(
new StaticHeadersWriter(
"Access-Control-Allow-Origin", "http://petstore.swagger.wordnik.com"))
.addHeaderWriter(new CsrfTokenCookieWriter(csrfTokenRepository, CSRF_COOKIE_NAME));
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable() // for "oauth/authorize" for grant_type "implicit", otherwise "Expected CSRF
// token not found."
.httpBasic()
.realmName("OAuth Server") // so that for "implicit" the "authorize" endpoint can be reached
;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
if (this.security.isRequireSsl()) {
http.requiresChannel().anyRequest().requiresSecure();
}
if (!this.security.isEnableCsrf()) {
http.csrf().disable();
}
SpringBootWebSecurityConfiguration.configureHeaders(http.headers(), this.security.getHeaders());
http.headers()
.addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"));
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.authorizeRequests()
.antMatchers("/")
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/console/**")
.permitAll();
// don't use in a production environment
httpSecurity.csrf().disable();
httpSecurity.headers().frameOptions().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.csrf()
.disable()
.authorizeRequests()
.antMatchers("/")
.permitAll()
.anyRequest()
.authenticated();
http.httpBasic();
// @formatter:on
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
/**
* Defines the web based security configuration.
*
* @param http It allows configuring web based security for specific http requests.
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().authenticationEntryPoint(samlEntryPoint());
http.csrf().disable();
http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
http.authorizeRequests()
.antMatchers("/")
.permitAll()
.antMatchers("/error")
.permitAll()
.antMatchers("/saml/**")
.permitAll()
.anyRequest()
.authenticated();
http.logout().logoutSuccessUrl("/");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// http.csrf().disable().authorizeRequests().antMatchers("/", "/signin",
// "/korisnici").permitAll() // #4
// .antMatchers("/knjige").hasRole("USER") // #6
// .antMatchers("/admin/**").hasRole("ADMIN") // #6
// .anyRequest().authenticated() // 7
// .and().formLogin() // #8
// .permitAll() // #5
// ;
// OD Chrisa
// http.csrf().disable().exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and().formLogin()
// .successHandler(authSuccess).failureHandler(authFailure)
// .and().logout()
// .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).deleteCookies("JSESSIONID")
// .invalidateHttpSession(true)
// .and().authorizeRequests().antMatchers("/", "/login", "/register")
// .permitAll().antMatchers("/admin/**").hasRole("ADMIN").anyRequest().authenticated()
// .antMatchers("/knjige/**").hasRole("USER").anyRequest().authenticated();
http.csrf()
.disable()
.authorizeRequests()
.antMatchers("/", "/login", "/service/registracija")
.permitAll() // #4
.antMatchers("/knjige")
.hasRole("USER") // #6
.antMatchers("/admin/**")
.hasRole("ADMIN") // #6
.anyRequest()
.authenticated() // 7
.and()
.formLogin()
.successHandler(authSuccess)
.failureHandler(authFailure)
. // #8
permitAll()
.and()
.logout()
.deleteCookies("JSESSIONID")
.invalidateHttpSession(true) // #5
;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// .antMatchers("/drucker").authenticated()
// .antMatchers("/").permitAll()
// .antMatchers("/*").permitAll()
.anyRequest()
.permitAll()
.and()
.formLogin()
// .loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
// http.httpBasic();
http.csrf().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
String[] restEndpointsToSecure = {"api", "manage"};
for (String endpoint : restEndpointsToSecure) {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/" + endpoint + "/**")
.hasRole(CustomUserDetailsService.ROLE_USER);
}
SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter =
new XAuthTokenConfigurer(userDetailsServiceBean());
http.apply(securityConfigurerAdapter);
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.csrf().disable();
httpSecurity.headers().frameOptions().disable();
httpSecurity
.authorizeRequests()
.antMatchers("/console/**")
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/")
.permitAll()
.antMatchers("/javax.faces.resource/**")
.permitAll()
.antMatchers("/register.jsf", "/login.jsf")
.not()
.authenticated()
.antMatchers("/roles.jsf")
.hasAuthority(Role.ADMIN.name())
.antMatchers("/enter.jsf")
.hasAnyAuthority(Role.ADMIN.name(), Role.USER.name())
.anyRequest()
.fullyAuthenticated()
.and()
.formLogin()
.loginPage("/login.jsf")
.failureUrl("/login.jsf?error=wrong")
.defaultSuccessUrl("/index.jsf")
.usernameParameter("username")
.passwordParameter("password")
.permitAll(false)
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login.jsf")
.clearAuthentication(true)
.invalidateHttpSession(true)
.permitAll()
.and()
.exceptionHandling()
.accessDeniedPage("/index.jsf");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
log.info("WebSecurityConfiguration.configure(HttpSecurity http)");
http.csrf()
.disable()
.antMatcher("/**")
.authorizeRequests()
// .antMatchers("/approval/**").hasRole("MANAGER")
// .antMatchers("/tracker/**").hasRole("USER")
// .anyRequest().hasAnyRole("MANAGER", "USER")
.antMatchers("/**")
.hasAnyAuthority("MANAGER", "USER")
.and()
.httpBasic();
// http.authorizeRequests()
// .antMatchers("/**").authenticated()
// .and()
// .httpBasic();
}
/**
* Disabling Spring Security's CSRF support as we do not implement pre-flight request handling
* for the sake of simplicity. Setting up basic security and defining login and logout options.
*
* @see
* org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity)
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.antMatchers("/**")
.permitAll()
.and()
. //
formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.and()
. //
logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// Sync HTTP Header names to AngularJs name (default Spring: X-CSRF-TOKEN)
HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();
tokenRepository.setHeaderName("X-XSRF-TOKEN");
// ~~
http.csrf()
// .csrfTokenRepository(tokenRepository)
.disable()
.csrf() // for testing purposes
.and()
.authorizeRequests()
.antMatchers("/admin/**")
.hasRole("ADMIN")
.and()
.authorizeRequests()
.antMatchers("/**")
.hasRole("USER");
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// injects filter to read out x-auth-token header and validates it
SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter =
new XAuthTokenConfigurer(userDetailsServiceBean());
http.apply(securityConfigurerAdapter);
// Since we use the client-side AngularJS login view, we do not have to cover redirection
/*
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/")
.usernameParameter("usr")
.passwordParameter("pwd")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login")
.permitAll();
*/
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.authorizeRequests()
.antMatchers("/", "/**", "/index")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.failureUrl("/login-error.html")
.permitAll()
.and()
.logout()
.logoutSuccessUrl("/index")
.permitAll();
}
// This method configures the OAuth scopes required by clients to access
// all of the paths in the video service.
@Override
public void configure(HttpSecurity http) throws Exception {
// TODO: Update scope of client requests here
http.csrf().disable();
http.authorizeRequests().antMatchers("/oauth/token").anonymous();
// If you were going to reuse this class in another
// application, this is one of the key sections that you
// would want to change
// Require all GET requests to have client "read" scope
http.authorizeRequests()
.antMatchers(HttpMethod.GET, "/**")
.access("#oauth2.hasScope('read')");
http.authorizeRequests().antMatchers("/**").access("#oauth2.hasScope('write')");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.headers()
.cacheControl()
.contentTypeOptions()
.httpStrictTransportSecurity()
.and()
.authorizeRequests()
.antMatchers("/static/**", "/connect/facebook/")
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.antMatchers(
"/",
"/home",
"/css/**",
"/scss/**",
"/images/**",
"/js/**",
"/webjars/**",
"/fonts/**",
"/register",
"/rest/**",
"/rest/register",
"/send-mail",
"/index.html",
"/about-us.html",
"/contact-us.html",
"/services.html",
"/blog.html",
"/send-mail",
"/register&login.html",
"/register&login")
.permitAll()
.antMatchers("/doctor")
.hasRole("DOCTOR")
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.sessionManagement()
.maximumSessions(1);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(
"/",
"/403",
"/404",
"/500",
"/generatedResources/**",
"/resources/**",
"/signup/**",
"/signin/**",
"/forgotMyPassword/**",
"/themes/**")
.permitAll();
http.authorizeRequests().regexMatchers("/user/.*/.*").permitAll();
http.authorizeRequests()
.antMatchers("/challenges/**", "/user")
.hasAnyRole("USER")
.antMatchers("/manage/**")
.hasRole("ADMIN")
.anyRequest()
.authenticated();
http.formLogin().loginPage("/signin").failureUrl("/signin?error").permitAll();
http.logout()
.logoutUrl("/signout")
.logoutSuccessUrl("/signin?signout")
.deleteCookies("JSESSIONID")
.permitAll();
http.rememberMe()
.tokenRepository(persistentTokenRepository())
.tokenValiditySeconds(DateUtils.ONE_WEEK);
http.apply(new SpringSocialConfigurer().signupUrl("/signup/social"));
http.csrf().disable();
}
// @Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.antMatchers("/", "/home")
.permitAll()
.antMatchers("/css/**", "/js/**", "/images/**", "**/favicon.ico")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.failureUrl("/login?error")
.loginPage("/login")
.defaultSuccessUrl("/login.do")
.permitAll()
.and()
.logout()
.permitAll();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable() // don't use in prod
.authorizeRequests()
.antMatchers("/")
.permitAll()
.antMatchers("/console/**")
.permitAll()
.antMatchers("/users/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.logout()
.logoutSuccessUrl("/")
.permitAll()
.and()
.formLogin()
.successHandler(customAuthenticationSuccessHandler);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// super.configure(http);
http.csrf()
.disable()
.authorizeRequests()
.antMatchers("/register", "/resources/**")
.permitAll()
.antMatchers("/**")
.authenticated()
.and()
.logout()
.logoutUrl("/logout")
.permitAll()
.and()
.formLogin()
.loginPage("/login")
// .defaultSuccessUrl("/", true)
.failureUrl("/login?error")
.permitAll();
}