/**
 * Secures the management (actuator) endpoints when management security is enabled.
 *
 * <p>Nothing is configured when management security is disabled or when no endpoint
 * matcher is available. Otherwise this filter chain is restricted to the endpoint
 * matcher, HTTP Basic is enabled, and the per-endpoint authorization rules are
 * delegated to {@code configurePermittedRequests}.
 *
 * @param http the security builder to configure
 * @throws Exception propagated from the {@code HttpSecurity} builder calls
 */
@Override
 protected void configure(HttpSecurity http) throws Exception {
   if (!this.management.getSecurity().isEnabled()) {
     // Management security is switched off: leave the builder untouched.
     return;
   }
   RequestMatcher endpointMatcher =
       LazyEndpointPathRequestMatcher.getRequestMatcher(this.contextResolver);
   if (endpointMatcher == null) {
     return;
   }

   // Force HTTPS for every request on this chain only when the application asks for it.
   if (this.security.isRequireSsl()) {
     http.requiresChannel().anyRequest().requiresSecure();
   }

   // One entry point instance is shared by exception handling and HTTP Basic.
   AuthenticationEntryPoint authEntryPoint = entryPoint();
   http.exceptionHandling().authenticationEntryPoint(authEntryPoint);

   // Scope the chain to the actuator endpoints; the original author notes that
   // configurePermittedRequests then opens up the non-sensitive ones with permitAll().
   http.requestMatcher(endpointMatcher);
   configurePermittedRequests(http.authorizeRequests());
   http.httpBasic().authenticationEntryPoint(authEntryPoint);

   // CSRF protection is turned off unconditionally for these endpoints, on the stated
   // basis that they use no cookies by default.
   // NOTE(review): the session policy is read from configuration; if it allows
   // sessions, the endpoints run with cookies but without CSRF protection - confirm.
   http.csrf().disable();
   http.sessionManagement()
       .sessionCreationPolicy(this.management.getSecurity().getSessions());

   SpringBootWebSecurityConfiguration.configureHeaders(
       http.headers(), this.security.getHeaders());
 }
 /**
  * Applies the application-wide security settings and, when secure paths are
  * configured, protects them with HTTP Basic.
  *
  * <p>Channel security, CSRF, session policy and response headers are always
  * configured from {@code this.security}. Authentication and authorization are only
  * added when {@code getSecureApplicationPaths()} returns at least one path.
  *
  * @param http the security builder to configure
  * @throws Exception propagated from the {@code HttpSecurity} builder calls
  */
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   if (this.security.isRequireSsl()) {
     http.requiresChannel().anyRequest().requiresSecure();
   }
   // CSRF protection stays on unless the configuration explicitly turns it off.
   if (!this.security.isEnableCsrf()) {
     http.csrf().disable();
   }
   // Session creation follows the configured policy (original note: no cookies for
   // application endpoints by default).
   http.sessionManagement().sessionCreationPolicy(this.security.getSessions());
   SpringBootWebSecurityConfiguration.configureHeaders(
       http.headers(), this.security.getHeaders());

   String[] securedPaths = getSecureApplicationPaths();
   if (securedPaths.length == 0) {
     // No secure paths: no authentication or authorization is added by this method.
     return;
   }

   AuthenticationEntryPoint authEntryPoint = entryPoint();
   http.exceptionHandling().authenticationEntryPoint(authEntryPoint);
   http.httpBasic().authenticationEntryPoint(authEntryPoint);
   http.requestMatchers().antMatchers(securedPaths);

   String[] allowedRoles = this.security.getUser().getRole().toArray(new String[0]);
   SecurityAuthorizeMode authorizeMode = this.security.getBasic().getAuthorizeMode();
   if (authorizeMode == SecurityAuthorizeMode.AUTHENTICATED) {
     http.authorizeRequests().anyRequest().authenticated();
   } else if (authorizeMode == null || authorizeMode == SecurityAuthorizeMode.ROLE) {
     // An unset mode is treated like ROLE: the caller needs one of the configured roles.
     http.authorizeRequests().anyRequest().hasAnyRole(allowedRoles);
   }
   // Any other mode adds no authorization rule here, so the matched paths get HTTP
   // Basic support but no access restriction from this method.
 }
    /**
     * Configures access rules for the {@code /api/**} resources.
     *
     * <p>Registration at {@code /api/users/register} is open to everyone. Every other
     * {@code /api/**} request needs either an OAuth2 token with the {@code read} scope
     * or a non-OAuth authentication that carries {@code ROLE_USER}.
     *
     * @param http the security builder to configure
     * @throws Exception propagated from the {@code HttpSecurity} builder calls
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
      // The protected resources must also be reachable from the UI, so session creation
      // is allowed again (the original author notes it is disabled by default in 2.0.6).
      http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);

      // NOTE(review): the access expression below accepts non-OAuth callers with
      // ROLE_USER, and sessions are allowed, while this method does not configure CSRF
      // at all - confirm that CSRF protection is active for this chain.
      http.antMatcher("/api/**")
          .authorizeRequests()
          // Listed before the general /api/** rule so that it is matched first.
          .antMatchers("/api/users/register")
          .permitAll()
          .antMatchers("/api/**")
          .access("#oauth2.hasScope('read') or (!#oauth2.isOAuth() and hasRole('ROLE_USER'))");

      // Earlier experiments with /web/** form-login rules and a global csrf().disable()
      // are not active in this configuration.
    }
  /**
   * Configures stateless security for the REST endpoints.
   *
   * <p>CSRF protection is disabled, no HTTP session is used, and {@code /api/**} and
   * {@code /manage/**} require the {@code CustomUserDetailsService.ROLE_USER} role.
   * An {@code XAuthTokenConfigurer} is applied in addition to HTTP Basic.
   *
   * @param http the security builder to configure
   * @throws Exception propagated from the builder calls or {@code userDetailsServiceBean()}
   */
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): CSRF protection is off while HTTP Basic is enabled below; browsers
    // resend cached Basic credentials automatically, so confirm that these endpoints
    // are not meant to be called from a browser with Basic auth.
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    http.httpBasic();
    for (String prefix : new String[] {"api", "manage"}) {
      String securedPattern = "/" + prefix + "/**";
      http.authorizeRequests()
          .antMatchers(securedPattern)
          .hasRole(CustomUserDetailsService.ROLE_USER);
    }
    // Paths outside the two prefixes receive no authorization rule from this method.

    // The declared type is kept as SecurityConfigurer so that the same apply(...)
    // overload is selected as before.
    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> tokenAuthConfigurer =
        new XAuthTokenConfigurer(userDetailsServiceBean());
    http.apply(tokenAuthConfigurer);
  }
  /**
   * Configures stateless, role-based security with an additional token configurer.
   *
   * <p>{@code /admin/**} requires the {@code ADMIN} role and every other path requires
   * the {@code USER} role; the admin rule is declared first. The session policy is
   * {@code STATELESS} and an {@code XAuthTokenConfigurer} is applied.
   *
   * @param http the security builder to configure
   * @throws Exception propagated from the builder calls or {@code userDetailsServiceBean()}
   */
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Sync HTTP Header names to AngularJs name (default Spring: X-CSRF-TOKEN)
    // NOTE(review): tokenRepository is built here but never handed to the builder,
    // because the csrfTokenRepository(...) call below is commented out.
    HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();
    tokenRepository.setHeaderName("X-XSRF-TOKEN");
    // ~~
    // NOTE(review): the chain calls disable() and then csrf() again. In Spring Security
    // the second call appears to register CSRF support afresh with default settings,
    // which would undo the disable - confirm which of the two outcomes is intended and
    // make the chain say so explicitly.
    http.csrf()
        // .csrfTokenRepository(tokenRepository)
        .disable()
        .csrf() // for testing purposes
        .and()
        .authorizeRequests()
        // The more specific admin rule comes before the catch-all rule.
        .antMatchers("/admin/**")
        .hasRole("ADMIN")
        .and()
        .authorizeRequests()
        .antMatchers("/**")
        .hasRole("USER");

    // No HTTP session is created or used for the security context.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // injects filter to read out x-auth-token header and validates it
    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter =
        new XAuthTokenConfigurer(userDetailsServiceBean());
    http.apply(securityConfigurerAdapter);

    // Since we use the client-side AngularJS login view, we do not have to cover redirection
    /*
    .and()
        .formLogin()
            .loginPage("/login")
            .defaultSuccessUrl("/")
            .usernameParameter("usr")
            .passwordParameter("pwd")
            .permitAll()
    .and()
        .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login")
            .permitAll();
    */
  }
 /**
  * Requires authentication for every request and lets sessions be created on demand.
  *
  * <p>No scope or role checks are applied here: any authenticated request passes.
  * An earlier draft restricted {@code /foos/**} and {@code /bars/**} by OAuth2 scope
  * ({@code foo}/{@code bar} combined with {@code read}/{@code write}) and required
  * {@code ROLE_ADMIN} for POST on {@code /bars/**}; none of those rules is active.
  *
  * @param http the security builder to configure
  * @throws Exception propagated from the {@code HttpSecurity} builder calls
  */
 @Override
 public void configure(final HttpSecurity http) throws Exception {
   http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);

   // NOTE(review): authenticated() does not look at token scopes, so a token issued
   // for any scope is accepted on every path - confirm that this is intended.
   http.authorizeRequests().anyRequest().authenticated();
 }