Example #1
0
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    HttpSessionCsrfTokenRepository csrfTokenRepository = new HttpSessionCsrfTokenRepository();
    csrfTokenRepository.setHeaderName(CSRF_HEADER_NAME);
    http.csrf().csrfTokenRepository(csrfTokenRepository);

    http.authorizeRequests()
        .antMatchers("/assets/**", "/webjars/**", "/login/**", "/api-docs/**")
        .permitAll()
        .antMatchers("/jsondoc/**", "/jsondoc-ui.html")
        .permitAll()
        .anyRequest()
        .fullyAuthenticated();

    http.formLogin().loginProcessingUrl("/login").loginPage("/login").failureUrl("/login?error");

    http.httpBasic();

    http.logout().logoutUrl("/logout").logoutSuccessUrl("/login?logout");

    http.headers()
        .defaultsDisabled()
        .contentTypeOptions()
        .and()
        .xssProtection()
        .and()
        .httpStrictTransportSecurity()
        .and()
        .addHeaderWriter(
            new StaticHeadersWriter(
                "Access-Control-Allow-Origin", "http://petstore.swagger.wordnik.com"))
        .addHeaderWriter(new CsrfTokenCookieWriter(csrfTokenRepository, CSRF_COOKIE_NAME));
  }
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Sync HTTP Header names to AngularJs name (default Spring: X-CSRF-TOKEN)
    HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();
    tokenRepository.setHeaderName("X-XSRF-TOKEN");
    // ~~
    http.csrf()
        // .csrfTokenRepository(tokenRepository)
        .disable()
        .csrf() // for testing purposes
        .and()
        .authorizeRequests()
        .antMatchers("/admin/**")
        .hasRole("ADMIN")
        .and()
        .authorizeRequests()
        .antMatchers("/**")
        .hasRole("USER");

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // injects filter to read out x-auth-token header and validates it
    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter =
        new XAuthTokenConfigurer(userDetailsServiceBean());
    http.apply(securityConfigurerAdapter);

    // Since we use the client-side AngularJS login view, we do not have to cover redirection
    /*
    .and()
        .formLogin()
            .loginPage("/login")
            .defaultSuccessUrl("/")
            .usernameParameter("usr")
            .passwordParameter("pwd")
            .permitAll()
    .and()
        .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login")
            .permitAll();
    */
  }
 private CsrfTokenRepository csrfTokenRepository() {
   HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
   repository.setHeaderName("X-XSRF-TOKEN");
   return repository;
 }