@Override
public void configure(HttpSecurity http) throws Exception {
// In this OAuth2 scenario with implicit flow we both login the user and obtain the token
// in the same endpoint (/oauth/authorize). User credentials will be passed as "username" and
// "password" form.
// This might be different in other scenarios, for instance if we wanted to implement
// authorization code flow to support token refresh.
http.httpBasic()
.disable()
// Test filter gives problems because is redirecting to / is not saving the request to
// redirect properly
.logout()
.logoutUrl(apiPath + oauth2LogoutEndpointPath)
.logoutSuccessHandler(oauth2LogoutHandler());
if (swagerEnabled) {
if (!swaggerCloudMode) {
// If swagger is enabled and we are not in 'cloud mode' (behind a Zuul OAuth2 enabled proxy)
// we need to permit certain URLs and resources for Swagger UI to work with OAuth2
http.authorizeRequests()
.antMatchers(swaggerOauth2AllowedUrlsAntMatchers.split(","))
.permitAll();
}
} else {
http.authorizeRequests()
.antMatchers(swaggerOauth2AllowedUrlsAntMatchers.split(","))
.denyAll();
}
http.authorizeRequests().anyRequest().authenticated();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
HttpSessionCsrfTokenRepository csrfTokenRepository = new HttpSessionCsrfTokenRepository();
csrfTokenRepository.setHeaderName(CSRF_HEADER_NAME);
http.csrf().csrfTokenRepository(csrfTokenRepository);
http.authorizeRequests()
.antMatchers("/assets/**", "/webjars/**", "/login/**", "/api-docs/**")
.permitAll()
.antMatchers("/jsondoc/**", "/jsondoc-ui.html")
.permitAll()
.anyRequest()
.fullyAuthenticated();
http.formLogin().loginProcessingUrl("/login").loginPage("/login").failureUrl("/login?error");
http.httpBasic();
http.logout().logoutUrl("/logout").logoutSuccessUrl("/login?logout");
http.headers()
.defaultsDisabled()
.contentTypeOptions()
.and()
.xssProtection()
.and()
.httpStrictTransportSecurity()
.and()
.addHeaderWriter(
new StaticHeadersWriter(
"Access-Control-Allow-Origin", "http://petstore.swagger.wordnik.com"))
.addHeaderWriter(new CsrfTokenCookieWriter(csrfTokenRepository, CSRF_COOKIE_NAME));
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// secure endpoints
RequestMatcher matcher =
this.management.getSecurity().isEnabled()
? LazyEndpointPathRequestMatcher.getRequestMatcher(this.contextResolver)
: null;
if (matcher != null) {
// Always protect them if present
if (this.security.isRequireSsl()) {
http.requiresChannel().anyRequest().requiresSecure();
}
AuthenticationEntryPoint entryPoint = entryPoint();
http.exceptionHandling().authenticationEntryPoint(entryPoint);
// Match all the requests for actuator endpoints ...
http.requestMatcher(matcher);
// ... but permitAll() for the non-sensitive ones
configurePermittedRequests(http.authorizeRequests());
http.httpBasic().authenticationEntryPoint(entryPoint);
// No cookies for management endpoints by default
http.csrf().disable();
http.sessionManagement().sessionCreationPolicy(this.management.getSecurity().getSessions());
SpringBootWebSecurityConfiguration.configureHeaders(
http.headers(), this.security.getHeaders());
}
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers(
"/",
"/components" + ANY,
"/fusioncharts-suite-xt" + ANY,
CRIPSTIAN_PATH + CSS + ANY,
CRIPSTIAN_PATH + JS + ANY,
CRIPSTIAN_PATH + IMG + ANY,
CRIPSTIAN_PATH + HTML + "/home.html",
"/user",
CRIPSTIAN_PATH + HTML + "/login.html",
CRIPSTIAN_PATH + HTML + "/new-account.html",
"/account",
PUBLIC_GRAPHS,
GRAPHS_IDS,
EUROSTAT_QUERY_RESULT,
CRIPSTIAN_PATH + HTML + EUROSTAT_GRAPH)
.permitAll()
.anyRequest()
.authenticated()
.and()
.addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
.csrf()
.csrfTokenRepository(csrfTokenRepository());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
if (this.security.isRequireSsl()) {
http.requiresChannel().anyRequest().requiresSecure();
}
if (!this.security.isEnableCsrf()) {
http.csrf().disable();
}
// No cookies for application endpoints by default
http.sessionManagement().sessionCreationPolicy(this.security.getSessions());
SpringBootWebSecurityConfiguration.configureHeaders(
http.headers(), this.security.getHeaders());
String[] paths = getSecureApplicationPaths();
if (paths.length > 0) {
AuthenticationEntryPoint entryPoint = entryPoint();
http.exceptionHandling().authenticationEntryPoint(entryPoint);
http.httpBasic().authenticationEntryPoint(entryPoint);
http.requestMatchers().antMatchers(paths);
String[] roles = this.security.getUser().getRole().toArray(new String[0]);
SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode();
if (mode == null || mode == SecurityAuthorizeMode.ROLE) {
http.authorizeRequests().anyRequest().hasAnyRole(roles);
} else if (mode == SecurityAuthorizeMode.AUTHENTICATED) {
http.authorizeRequests().anyRequest().authenticated();
}
}
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/filters/secured")
.hasRole(SUPER_USER_ROLE)
.antMatchers("/admin/**")
.hasRole(ADMIN)
.antMatchers("/**")
.permitAll();
http.httpBasic().and().csrf().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.csrf()
.disable()
.authorizeRequests()
.antMatchers("/")
.permitAll()
.anyRequest()
.authenticated();
http.httpBasic();
// @formatter:on
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers(PERMIT_URLS)
.permitAll()
.anyRequest()
.authenticated()
.and()
.csrf()
.csrfTokenRepository(csrfTokenRepository())
.and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/**")
.permitAll()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEVER)
.enableSessionUrlRewriting(false)
.and()
.csrf()
.disable();
}
/**
* Defines the web based security configuration.
*
* @param http It allows configuring web based security for specific http requests.
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().authenticationEntryPoint(samlEntryPoint());
http.csrf().disable();
http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
http.authorizeRequests()
.antMatchers("/")
.permitAll()
.antMatchers("/error")
.permitAll()
.antMatchers("/saml/**")
.permitAll()
.anyRequest()
.authenticated();
http.logout().logoutSuccessUrl("/");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/app/**", "/logout", "/login")
.permitAll()
.anyRequest()
.authenticated()
.and()
.logout()
.logoutSuccessUrl("/")
.and()
.csrf()
.csrfTokenRepository(csrfTokenRepository())
.and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
String[] restEndpointsToSecure = {"api", "manage"};
for (String endpoint : restEndpointsToSecure) {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/" + endpoint + "/**")
.hasRole(CustomUserDetailsService.ROLE_USER);
}
SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter =
new XAuthTokenConfigurer(userDetailsServiceBean());
http.apply(securityConfigurerAdapter);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers(
"/*.html",
"/client",
"/*/regist",
"/*/register",
"/oauth/authorize",
"/oauth/confirm_access",
"/",
"/mail/*")
.permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated();
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/api/system/env/java.(runtime|vm).*", "/api/system/metrics/**")
.permitAll()
.antMatchers("/api/system/env/**")
.denyAll()
.antMatchers("/**")
.permitAll()
.and()
.sessionManagement()
.sessionCreationPolicy(STATELESS)
.and()
.csrf()
.disable()
.headers()
.frameOptions() // OEmbedController#embedTrack uses an iframe
.disable();
}