Example #1
0
 @Override
 protected void configure(final HttpSecurity http) throws Exception {
   // @formatter:off
   http.csrf()
       .disable()
       .authorizeRequests()
       .antMatchers("/admin/**")
       .hasRole("ADMIN")
       .antMatchers("/anonymous*")
       .anonymous()
       .antMatchers("/login*")
       .permitAll()
       .anyRequest()
       .authenticated()
       .and()
       .formLogin()
       .loginPage("/login.html")
       .loginProcessingUrl("/perform_login")
       .defaultSuccessUrl("/homepage.html", true)
       .failureUrl("/login.html?error=true")
       .and()
       .logout()
       .logoutUrl("/perform_logout")
       .deleteCookies("JSESSIONID")
       .logoutSuccessHandler(logoutSuccessHandler());
   // @formatter:on
 }
    @Override
    public void configure(HttpSecurity http) throws Exception {
      ContentNegotiationStrategy contentNegotiationStrategy =
          http.getSharedObject(ContentNegotiationStrategy.class);
      if (contentNegotiationStrategy == null) {
        contentNegotiationStrategy = new HeaderContentNegotiationStrategy();
      }
      MediaTypeRequestMatcher preferredMatcher =
          new MediaTypeRequestMatcher(
              contentNegotiationStrategy,
              MediaType.APPLICATION_FORM_URLENCODED,
              MediaType.APPLICATION_JSON,
              MediaType.MULTIPART_FORM_DATA);

      http.csrf()
          .disable()
          .authorizeRequests()
          .and()
          .anonymous()
          .disable()
          .sessionManagement()
          .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
          .and()
          .httpBasic()
          .and()
          .exceptionHandling()
          .authenticationEntryPoint(authenticationEntryPoint)
          .defaultAuthenticationEntryPointFor(authenticationEntryPoint, preferredMatcher)
          .and()
          .authorizeRequests()
          .antMatchers("/api/**")
          .fullyAuthenticated();
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {

      http.csrf()
          .disable()
          .authorizeRequests()
          .and()
          .formLogin()
          .loginProcessingUrl("/api/authentication")
          .successHandler(ajaxAuthenticationSuccessHandler)
          .failureHandler(ajaxAuthenticationFailureHandler)
          .usernameParameter("j_username")
          .passwordParameter("j_password")
          .permitAll()
          .and()
          .rememberMe()
          .rememberMeServices(rememberMeServices)
          .key(env.getProperty("jhipster.security.rememberme.key"))
          .and()
          .logout()
          .logoutUrl("/api/logout")
          .logoutSuccessHandler(ajaxLogoutSuccessHandler)
          .deleteCookies("JSESSIONID")
          .permitAll()
          .and()
          .exceptionHandling();
    }
Example #4
0
  @Override
  protected void configure(HttpSecurity http) throws Exception {

    http.csrf()
        .disable()
        .authorizeRequests()
        .antMatchers("/admin/**")
        .hasRole("ADMIN")
        .and()
        .formLogin()
        .loginProcessingUrl("/j_spring_security_check")
        .loginPage("/login")
        .defaultSuccessUrl("/protected/home/")
        .failureUrl("/login")
        .permitAll()
        .and()
        .logout()
        .logoutSuccessUrl("/?logout");

    //
    //	http.authorizeRequests().antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')").antMatchers("/dba/**")
    //				.access("hasRole('ROLE_ADMIN') or
    // hasRole('ROLE_DBA')").and().formLogin().loginPage("/login");

  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.csrf()
       .requireCsrfProtectionMatcher(new CSRFRequestMatcher())
       .and()
       .authorizeRequests()
       .antMatchers("/entrar", "/registrar/**", "/jobs/**", "/css/**", "/fonts/**", "/js/**")
       .permitAll()
       .antMatchers("/admin/**")
       .hasRole("Administrator")
       .anyRequest()
       .authenticated()
       .and()
       .formLogin()
       .loginPage("/entrar")
       .loginProcessingUrl("/entrar")
       .failureUrl("/entrar?error=true")
       .defaultSuccessUrl("/")
       .usernameParameter("nomeDeUsuario")
       .passwordParameter("senha")
       .and()
       .logout()
       .logoutUrl("/sair")
       .logoutSuccessUrl("/entrar?logout=true")
       .invalidateHttpSession(true);
 }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   // secure endpoints
   RequestMatcher matcher =
       this.management.getSecurity().isEnabled()
           ? LazyEndpointPathRequestMatcher.getRequestMatcher(this.contextResolver)
           : null;
   if (matcher != null) {
     // Always protect them if present
     if (this.security.isRequireSsl()) {
       http.requiresChannel().anyRequest().requiresSecure();
     }
     AuthenticationEntryPoint entryPoint = entryPoint();
     http.exceptionHandling().authenticationEntryPoint(entryPoint);
     // Match all the requests for actuator endpoints ...
     http.requestMatcher(matcher);
     // ... but permitAll() for the non-sensitive ones
     configurePermittedRequests(http.authorizeRequests());
     http.httpBasic().authenticationEntryPoint(entryPoint);
     // No cookies for management endpoints by default
     http.csrf().disable();
     http.sessionManagement().sessionCreationPolicy(this.management.getSecurity().getSessions());
     SpringBootWebSecurityConfiguration.configureHeaders(
         http.headers(), this.security.getHeaders());
   }
 }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   if (this.security.isRequireSsl()) {
     http.requiresChannel().anyRequest().requiresSecure();
   }
   if (!this.security.isEnableCsrf()) {
     http.csrf().disable();
   }
   // No cookies for application endpoints by default
   http.sessionManagement().sessionCreationPolicy(this.security.getSessions());
   SpringBootWebSecurityConfiguration.configureHeaders(
       http.headers(), this.security.getHeaders());
   String[] paths = getSecureApplicationPaths();
   if (paths.length > 0) {
     AuthenticationEntryPoint entryPoint = entryPoint();
     http.exceptionHandling().authenticationEntryPoint(entryPoint);
     http.httpBasic().authenticationEntryPoint(entryPoint);
     http.requestMatchers().antMatchers(paths);
     String[] roles = this.security.getUser().getRole().toArray(new String[0]);
     SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode();
     if (mode == null || mode == SecurityAuthorizeMode.ROLE) {
       http.authorizeRequests().anyRequest().hasAnyRole(roles);
     } else if (mode == SecurityAuthorizeMode.AUTHENTICATED) {
       http.authorizeRequests().anyRequest().authenticated();
     }
   }
 }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.headers()
       .addHeaderWriter(new StaticHeadersWriter("Server", "Spontaneous Running Backend"));
   http.requestMatchers().antMatchers("/spontaneous/**");
   http.csrf().disable();
 }
Example #9
0
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    HttpSessionCsrfTokenRepository csrfTokenRepository = new HttpSessionCsrfTokenRepository();
    csrfTokenRepository.setHeaderName(CSRF_HEADER_NAME);
    http.csrf().csrfTokenRepository(csrfTokenRepository);

    http.authorizeRequests()
        .antMatchers("/assets/**", "/webjars/**", "/login/**", "/api-docs/**")
        .permitAll()
        .antMatchers("/jsondoc/**", "/jsondoc-ui.html")
        .permitAll()
        .anyRequest()
        .fullyAuthenticated();

    http.formLogin().loginProcessingUrl("/login").loginPage("/login").failureUrl("/login?error");

    http.httpBasic();

    http.logout().logoutUrl("/logout").logoutSuccessUrl("/login?logout");

    http.headers()
        .defaultsDisabled()
        .contentTypeOptions()
        .and()
        .xssProtection()
        .and()
        .httpStrictTransportSecurity()
        .and()
        .addHeaderWriter(
            new StaticHeadersWriter(
                "Access-Control-Allow-Origin", "http://petstore.swagger.wordnik.com"))
        .addHeaderWriter(new CsrfTokenCookieWriter(csrfTokenRepository, CSRF_COOKIE_NAME));
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.csrf()
       .disable() // for "oauth/authorize" for grant_type "implicit", otherwise "Expected CSRF
                  // token not found."
       .httpBasic()
       .realmName("OAuth Server") // so that for "implicit" the "authorize" endpoint can be reached
   ;
 }
  @Override
  protected void configure(HttpSecurity http) throws Exception {

    if (this.security.isRequireSsl()) {
      http.requiresChannel().anyRequest().requiresSecure();
    }
    if (!this.security.isEnableCsrf()) {
      http.csrf().disable();
    }
    SpringBootWebSecurityConfiguration.configureHeaders(http.headers(), this.security.getHeaders());

    http.headers()
        .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"));
  }
 @Override
 protected void configure(HttpSecurity httpSecurity) throws Exception {
   httpSecurity
       .authorizeRequests()
       .antMatchers("/")
       .permitAll()
       .and()
       .authorizeRequests()
       .antMatchers("/console/**")
       .permitAll();
   // don't use in a production environment
   httpSecurity.csrf().disable();
   httpSecurity.headers().frameOptions().disable();
 }
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http.csrf()
        .disable()
        .authorizeRequests()
        .antMatchers("/")
        .permitAll()
        .anyRequest()
        .authenticated();

    http.httpBasic();
    // @formatter:on
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.csrf()
       .disable()
       .authorizeRequests()
       .anyRequest()
       .authenticated()
       .and()
       .formLogin()
       .loginPage("/login")
       .permitAll()
       .and()
       .logout()
       .permitAll();
 }
 /**
  * Defines the web based security configuration.
  *
  * @param http It allows configuring web based security for specific http requests.
  * @throws Exception
  */
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.httpBasic().authenticationEntryPoint(samlEntryPoint());
   http.csrf().disable();
   http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
       .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
   http.authorizeRequests()
       .antMatchers("/")
       .permitAll()
       .antMatchers("/error")
       .permitAll()
       .antMatchers("/saml/**")
       .permitAll()
       .anyRequest()
       .authenticated();
   http.logout().logoutSuccessUrl("/");
 }
  @Override
  protected void configure(HttpSecurity http) throws Exception {

    // http.csrf().disable().authorizeRequests().antMatchers("/", "/signin",
    // "/korisnici").permitAll() // #4
    // .antMatchers("/knjige").hasRole("USER") // #6
    // .antMatchers("/admin/**").hasRole("ADMIN") // #6
    // .anyRequest().authenticated() // 7
    // .and().formLogin() // #8
    // .permitAll() // #5
    // ;

    // OD Chrisa
    // http.csrf().disable().exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and().formLogin()
    // .successHandler(authSuccess).failureHandler(authFailure)
    // .and().logout()
    // .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).deleteCookies("JSESSIONID")
    // .invalidateHttpSession(true)
    // .and().authorizeRequests().antMatchers("/", "/login", "/register")
    // .permitAll().antMatchers("/admin/**").hasRole("ADMIN").anyRequest().authenticated()
    // .antMatchers("/knjige/**").hasRole("USER").anyRequest().authenticated();

    http.csrf()
        .disable()
        .authorizeRequests()
        .antMatchers("/", "/login", "/service/registracija")
        .permitAll() // #4
        .antMatchers("/knjige")
        .hasRole("USER") // #6
        .antMatchers("/admin/**")
        .hasRole("ADMIN") // #6
        .anyRequest()
        .authenticated() // 7
        .and()
        .formLogin()
        .successHandler(authSuccess)
        .failureHandler(authFailure)
        . // #8
        permitAll()
        .and()
        .logout()
        .deleteCookies("JSESSIONID")
        .invalidateHttpSession(true) // #5
    ;
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.authorizeRequests()
       //                .antMatchers("/drucker").authenticated()
       //                .antMatchers("/").permitAll()
       //                .antMatchers("/*").permitAll()
       .anyRequest()
       .permitAll()
       .and()
       .formLogin()
       // .loginPage("/login")
       .permitAll()
       .and()
       .logout()
       .permitAll();
   // http.httpBasic();
   http.csrf().disable();
 }
  @Override
  protected void configure(HttpSecurity http) throws Exception {

    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    String[] restEndpointsToSecure = {"api", "manage"};
    for (String endpoint : restEndpointsToSecure) {
      http.httpBasic()
          .and()
          .authorizeRequests()
          .antMatchers("/" + endpoint + "/**")
          .hasRole(CustomUserDetailsService.ROLE_USER);
    }

    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter =
        new XAuthTokenConfigurer(userDetailsServiceBean());
    http.apply(securityConfigurerAdapter);
  }
  @Override
  protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity.csrf().disable();
    httpSecurity.headers().frameOptions().disable();

    httpSecurity
        .authorizeRequests()
        .antMatchers("/console/**")
        .permitAll()
        .and()
        .authorizeRequests()
        .antMatchers("/")
        .permitAll()
        .antMatchers("/javax.faces.resource/**")
        .permitAll()
        .antMatchers("/register.jsf", "/login.jsf")
        .not()
        .authenticated()
        .antMatchers("/roles.jsf")
        .hasAuthority(Role.ADMIN.name())
        .antMatchers("/enter.jsf")
        .hasAnyAuthority(Role.ADMIN.name(), Role.USER.name())
        .anyRequest()
        .fullyAuthenticated()
        .and()
        .formLogin()
        .loginPage("/login.jsf")
        .failureUrl("/login.jsf?error=wrong")
        .defaultSuccessUrl("/index.jsf")
        .usernameParameter("username")
        .passwordParameter("password")
        .permitAll(false)
        .and()
        .logout()
        .logoutUrl("/logout")
        .logoutSuccessUrl("/login.jsf")
        .clearAuthentication(true)
        .invalidateHttpSession(true)
        .permitAll()
        .and()
        .exceptionHandling()
        .accessDeniedPage("/index.jsf");
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   log.info("WebSecurityConfiguration.configure(HttpSecurity http)");
   http.csrf()
       .disable()
       .antMatcher("/**")
       .authorizeRequests()
       //        		.antMatchers("/approval/**").hasRole("MANAGER")
       //        		.antMatchers("/tracker/**").hasRole("USER")
       //            	.anyRequest().hasAnyRole("MANAGER", "USER")
       .antMatchers("/**")
       .hasAnyAuthority("MANAGER", "USER")
       .and()
       .httpBasic();
   //        http.authorizeRequests()
   //                .antMatchers("/**").authenticated()
   //                .and()
   //            .httpBasic();
 }
Example #21
0
    /**
     * Disabling Spring Security's CSRF support as we do not implement pre-flight request handling
     * for the sake of simplicity. Setting up basic security and defining login and logout options.
     *
     * @see
     *     org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity)
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {

      http.csrf().disable();

      http.authorizeRequests()
          .antMatchers("/**")
          .permitAll()
          .and()
          . //
          formLogin()
          .loginPage("/login")
          .loginProcessingUrl("/login")
          .and()
          . //
          logout()
          .logoutUrl("/logout")
          .logoutSuccessUrl("/");
    }
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Sync HTTP Header names to AngularJs name (default Spring: X-CSRF-TOKEN)
    HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();
    tokenRepository.setHeaderName("X-XSRF-TOKEN");
    // ~~
    http.csrf()
        // .csrfTokenRepository(tokenRepository)
        .disable()
        .csrf() // for testing purposes
        .and()
        .authorizeRequests()
        .antMatchers("/admin/**")
        .hasRole("ADMIN")
        .and()
        .authorizeRequests()
        .antMatchers("/**")
        .hasRole("USER");

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // injects filter to read out x-auth-token header and validates it
    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter =
        new XAuthTokenConfigurer(userDetailsServiceBean());
    http.apply(securityConfigurerAdapter);

    // Since we use the client-side AngularJS login view, we do not have to cover redirection
    /*
    .and()
        .formLogin()
            .loginPage("/login")
            .defaultSuccessUrl("/")
            .usernameParameter("usr")
            .passwordParameter("pwd")
            .permitAll()
    .and()
        .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login")
            .permitAll();
    */
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.csrf()
       .disable()
       .authorizeRequests()
       .antMatchers("/", "/**", "/index")
       .permitAll()
       .anyRequest()
       .authenticated()
       .and()
       .formLogin()
       .loginPage("/login")
       .permitAll()
       .failureUrl("/login-error.html")
       .permitAll()
       .and()
       .logout()
       .logoutSuccessUrl("/index")
       .permitAll();
 }
    // This method configures the OAuth scopes required by clients to access
    // all of the paths in the video service.
    @Override
    public void configure(HttpSecurity http) throws Exception {

      // TODO: Update scope of client requests here

      http.csrf().disable();

      http.authorizeRequests().antMatchers("/oauth/token").anonymous();

      // If you were going to reuse this class in another
      // application, this is one of the key sections that you
      // would want to change

      // Require all GET requests to have client "read" scope
      http.authorizeRequests()
          .antMatchers(HttpMethod.GET, "/**")
          .access("#oauth2.hasScope('read')");

      http.authorizeRequests().antMatchers("/**").access("#oauth2.hasScope('write')");
    }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.csrf()
       .disable()
       .headers()
       .cacheControl()
       .contentTypeOptions()
       .httpStrictTransportSecurity()
       .and()
       .authorizeRequests()
       .antMatchers("/static/**", "/connect/facebook/")
       .permitAll()
       .and()
       .formLogin()
       .loginPage("/login")
       .permitAll()
       .and()
       .logout()
       .permitAll();
 }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.csrf().disable();
   http.authorizeRequests()
       .antMatchers(
           "/",
           "/home",
           "/css/**",
           "/scss/**",
           "/images/**",
           "/js/**",
           "/webjars/**",
           "/fonts/**",
           "/register",
           "/rest/**",
           "/rest/register",
           "/send-mail",
           "/index.html",
           "/about-us.html",
           "/contact-us.html",
           "/services.html",
           "/blog.html",
           "/send-mail",
           "/register&login.html",
           "/register&login")
       .permitAll()
       .antMatchers("/doctor")
       .hasRole("DOCTOR")
       .anyRequest()
       .authenticated()
       .and()
       .formLogin()
       .loginPage("/login")
       .permitAll()
       .and()
       .logout()
       .permitAll()
       .and()
       .sessionManagement()
       .maximumSessions(1);
 }
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers(
            "/",
            "/403",
            "/404",
            "/500",
            "/generatedResources/**",
            "/resources/**",
            "/signup/**",
            "/signin/**",
            "/forgotMyPassword/**",
            "/themes/**")
        .permitAll();

    http.authorizeRequests().regexMatchers("/user/.*/.*").permitAll();

    http.authorizeRequests()
        .antMatchers("/challenges/**", "/user")
        .hasAnyRole("USER")
        .antMatchers("/manage/**")
        .hasRole("ADMIN")
        .anyRequest()
        .authenticated();

    http.formLogin().loginPage("/signin").failureUrl("/signin?error").permitAll();

    http.logout()
        .logoutUrl("/signout")
        .logoutSuccessUrl("/signin?signout")
        .deleteCookies("JSESSIONID")
        .permitAll();
    http.rememberMe()
        .tokenRepository(persistentTokenRepository())
        .tokenValiditySeconds(DateUtils.ONE_WEEK);

    http.apply(new SpringSocialConfigurer().signupUrl("/signup/social"));

    http.csrf().disable();
  }
  // @Override
  protected void configure(HttpSecurity http) throws Exception {

    http.csrf().disable();

    http.authorizeRequests()
        .antMatchers("/", "/home")
        .permitAll()
        .antMatchers("/css/**", "/js/**", "/images/**", "**/favicon.ico")
        .permitAll()
        .anyRequest()
        .authenticated()
        .and()
        .formLogin()
        .failureUrl("/login?error")
        .loginPage("/login")
        .defaultSuccessUrl("/login.do")
        .permitAll()
        .and()
        .logout()
        .permitAll();
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.csrf()
       .disable() // don't use in prod
       .authorizeRequests()
       .antMatchers("/")
       .permitAll()
       .antMatchers("/console/**")
       .permitAll()
       .antMatchers("/users/**")
       .permitAll()
       .anyRequest()
       .authenticated()
       .and()
       .logout()
       .logoutSuccessUrl("/")
       .permitAll()
       .and()
       .formLogin()
       .successHandler(customAuthenticationSuccessHandler);
 }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   //        super.configure(http);
   http.csrf()
       .disable()
       .authorizeRequests()
       .antMatchers("/register", "/resources/**")
       .permitAll()
       .antMatchers("/**")
       .authenticated()
       .and()
       .logout()
       .logoutUrl("/logout")
       .permitAll()
       .and()
       .formLogin()
       .loginPage("/login")
       //                .defaultSuccessUrl("/", true)
       .failureUrl("/login?error")
       .permitAll();
 }