@Override
protected void configure(HttpSecurity http) throws Exception {
http.headers()
.addHeaderWriter(new StaticHeadersWriter("Server", "Spontaneous Running Backend"));
http.requestMatchers().antMatchers("/spontaneous/**");
http.csrf().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
if (this.security.isRequireSsl()) {
http.requiresChannel().anyRequest().requiresSecure();
}
if (!this.security.isEnableCsrf()) {
http.csrf().disable();
}
// No cookies for application endpoints by default
http.sessionManagement().sessionCreationPolicy(this.security.getSessions());
SpringBootWebSecurityConfiguration.configureHeaders(
http.headers(), this.security.getHeaders());
String[] paths = getSecureApplicationPaths();
if (paths.length > 0) {
AuthenticationEntryPoint entryPoint = entryPoint();
http.exceptionHandling().authenticationEntryPoint(entryPoint);
http.httpBasic().authenticationEntryPoint(entryPoint);
http.requestMatchers().antMatchers(paths);
String[] roles = this.security.getUser().getRole().toArray(new String[0]);
SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode();
if (mode == null || mode == SecurityAuthorizeMode.ROLE) {
http.authorizeRequests().anyRequest().hasAnyRole(roles);
} else if (mode == SecurityAuthorizeMode.AUTHENTICATED) {
http.authorizeRequests().anyRequest().authenticated();
}
}
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.antMatchers("/foobar")
.and()
.authorizeRequests()
.anyRequest()
.access("#oauth2.hasScope('foobar_scope')");
}
@Override
public void configure(HttpSecurity http) throws Exception {
// without this block the unit tests fails, why??
// @formatter:off
http.requestMatchers()
.antMatchers("/**")
.and()
.authorizeRequests()
.anyRequest()
.authenticated();
// @formatter:on
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.antMatchers("/oauth2/v1/poll/**")
.and()
.authorizeRequests()
.antMatchers("/oauth2/v1/poll/**")
.authenticated();
// .access("#oauth2.hasScope('read') or (!#oauth2.isOAuth() and hasRole('ROLE_USER'))");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
ResourceServerSecurityConfigurer resources = new ResourceServerSecurityConfigurer();
ResourceServerTokenServices services = resolveTokenServices();
if (services != null) {
resources.tokenServices(services);
} else {
if (tokenStore != null) {
resources.tokenStore(tokenStore);
} else if (endpoints != null) {
resources.tokenStore(endpoints.getEndpointsConfigurer().getTokenStore());
}
}
if (eventPublisher != null) {
resources.eventPublisher(eventPublisher);
}
for (ResourceServerConfigurer configurer : configurers) {
configurer.configure(resources);
}
// @formatter:off
http
// N.B. exceptionHandling is duplicated in resources.configure() so that
// it works
.exceptionHandling()
.accessDeniedHandler(resources.getAccessDeniedHandler())
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf()
.disable();
// @formatter:on
http.apply(resources);
RequestMatcherConfigurer requests = http.requestMatchers();
if (endpoints != null) {
// Assume we are in an Authorization Server
requests.requestMatchers(
new NotOAuthRequestMatcher(endpoints.oauth2EndpointHandlerMapping()));
}
for (ResourceServerConfigurer configurer : configurers) {
// Delegates can add authorizeRequests() here
configurer.configure(http);
}
if (configurers.isEmpty()) {
// Add anyRequest() last as a fall back. Spring Security would
// replace an existing anyRequest() matcher
// with this one, so to avoid that we only add it if the user hasn't
// configured anything.
http.authorizeRequests().anyRequest().authenticated();
}
}
/** Provide security so that endpoints are only served if the request is already authenticated. */
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.antMatchers("/**")
.and()
.authorizeRequests()
.anyRequest()
.authenticated();
// .antMatchers(HttpMethod.GET, "/**").access("#oauth2.hasScope('read')")
// .antMatchers(HttpMethod.OPTIONS, "/**").access("#oauth2.hasScope('read')")
// .antMatchers(HttpMethod.POST, "/**").access("#oauth2.hasScope('write')")
// .antMatchers(HttpMethod.PUT, "/**").access("#oauth2.hasScope('write')")
// .antMatchers(HttpMethod.PATCH, "/**").access("#oauth2.hasScope('write')")
// .antMatchers(HttpMethod.DELETE, "/**").access("#oauth2.hasScope('write')");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.antMatchers(HttpMethod.OPTIONS, "/**", "/oauth/token", "/psh/token")
.and()
.csrf()
.disable()
.authorizeRequests()
.anyRequest()
.permitAll()
.and()
.formLogin()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}