Esempio n. 1
2
    @Override
    protected void configure(HttpSecurity http) throws Exception {

      SimpleUrlLogoutSuccessHandler redirectHandler = new SimpleUrlLogoutSuccessHandler();
      redirectHandler.setTargetUrlParameter("redirect_uri");

      // http://stackoverflow.com/questions/22886186/how-to-setup-access-control-allow-origin-filter-problematically-in-spring-securi
      // @formatter:off
      http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class)
          .csrf()
          .ignoringAntMatchers("/logout")
          .and()
          .formLogin()
          .loginPage("/login")
          .permitAll()
          .and()
          .authorizeRequests()
          .anyRequest()
          .authenticated()
          .and()
          .logout()
          .logoutSuccessHandler(redirectHandler)
          .permitAll();
      // @formatter:on
    }
  @Override
  public void configure(HttpSecurity http) throws Exception {
    // In this OAuth2 scenario with implicit flow we both login the user and obtain the token
    // in the same endpoint (/oauth/authorize). User credentials will be passed as "username" and
    // "password" form.
    // This might be different in other scenarios, for instance if we wanted to implement
    // authorization code flow to support token refresh.
    http.httpBasic()
        .disable()
        // Test filter gives problems because is redirecting to / is not saving the request to
        // redirect properly
        .logout()
        .logoutUrl(apiPath + oauth2LogoutEndpointPath)
        .logoutSuccessHandler(oauth2LogoutHandler());

    if (swagerEnabled) {
      if (!swaggerCloudMode) {
        // If swagger is enabled and we are not in 'cloud mode' (behind a Zuul OAuth2 enabled proxy)
        // we need to permit certain URLs and resources for Swagger UI to work with OAuth2
        http.authorizeRequests()
            .antMatchers(swaggerOauth2AllowedUrlsAntMatchers.split(","))
            .permitAll();
      }
    } else {
      http.authorizeRequests()
          .antMatchers(swaggerOauth2AllowedUrlsAntMatchers.split(","))
          .denyAll();
    }
    http.authorizeRequests().anyRequest().authenticated();
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http
       // .httpBasic()
       // .and()
       .formLogin()
       .loginPage("/login")
       .successHandler(successHandler)
       //  .usernameParameter("username")
       //  .passwordParameter("password")
       .and()
       .authorizeRequests()
       .antMatchers("/")
       .permitAll()
       .antMatchers("/resources/**")
       .permitAll()
       .antMatchers("/admin/**")
       .hasRole("ADMIN")
       .antMatchers("/author/**")
       .hasRole("AUTHOR")
       .antMatchers("/login")
       .hasRole("ANONYMOUS")
       .and()
       .csrf()
       .disable();
   http.exceptionHandling().accessDeniedPage("/403");
 }
Esempio n. 4
0
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.exceptionHandling().authenticationEntryPoint(http401UnauthorizedEntryPoint);
   http.formLogin()
       .loginProcessingUrl("/authentication")
       .successHandler(ajaxAuthenticationSuccessHandler)
       .failureHandler(ajaxAuthenticationFailureHandler)
       .usernameParameter("username")
       .passwordParameter("password")
       .permitAll()
       .and()
       .logout()
       .logoutUrl("/logout")
       .logoutSuccessHandler(ajaxLogoutSuccessHandler)
       .deleteCookies("JSESSIONID")
       .permitAll()
       .and()
       .csrf()
       .disable()
       .headers()
       .frameOptions()
       .disable()
       .and()
       .authorizeRequests();
 }
    @Override
    public void configure(HttpSecurity http) throws Exception {
      ContentNegotiationStrategy contentNegotiationStrategy =
          http.getSharedObject(ContentNegotiationStrategy.class);
      if (contentNegotiationStrategy == null) {
        contentNegotiationStrategy = new HeaderContentNegotiationStrategy();
      }
      MediaTypeRequestMatcher preferredMatcher =
          new MediaTypeRequestMatcher(
              contentNegotiationStrategy,
              MediaType.APPLICATION_FORM_URLENCODED,
              MediaType.APPLICATION_JSON,
              MediaType.MULTIPART_FORM_DATA);

      http.csrf()
          .disable()
          .authorizeRequests()
          .and()
          .anonymous()
          .disable()
          .sessionManagement()
          .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
          .and()
          .httpBasic()
          .and()
          .exceptionHandling()
          .authenticationEntryPoint(authenticationEntryPoint)
          .defaultAuthenticationEntryPointFor(authenticationEntryPoint, preferredMatcher)
          .and()
          .authorizeRequests()
          .antMatchers("/api/**")
          .fullyAuthenticated();
    }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   // ログイン認証の対象外を設定
   http.authorizeRequests()
       .antMatchers(
           "/",
           "/no_auth/**",
           "/csjs/**",
           "/css/**",
           "/images/**",
           "/apidocs/**",
           "/download/**")
       .permitAll()
       .anyRequest()
       .authenticated();
   // ログイン認証の設定
   http.formLogin()
       .loginPage("/login")
       .defaultSuccessUrl("/login_auth", true)
       .permitAll()
       .and()
       .logout()
       .permitAll();
   // javadocのiframe向けにX-Frame-Optionsヘッダーを無効化
   http.headers().frameOptions().disable();
 }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.headers()
       .addHeaderWriter(new StaticHeadersWriter("Server", "Spontaneous Running Backend"));
   http.requestMatchers().antMatchers("/spontaneous/**");
   http.csrf().disable();
 }
Esempio n. 8
0
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/resources/**", "/**")
        .permitAll()
        .antMatchers("/", "/login", "/registration")
        .permitAll()
        .antMatchers("/company.*")
        .hasRole(Role.ROLE_COMPANY_MANAGER.name())
        .antMatchers("/unit.*")
        .hasRole(Role.ROLE_COMPANY_MANAGER.name())
        .antMatchers("/employee.*")
        .hasAnyRole(Role.ROLE_COMPANY_MANAGER.name(), Role.ROLE_UNIT_MANAGER.name())
        .antMatchers("/admin/*")
        .hasRole(Role.ROLE_ADMIN.name());

    http.formLogin()
        .loginPage("/")
        .loginProcessingUrl("/j_spring_security_check")
        .failureUrl("/badlogin")
        .usernameParameter("j_username")
        .passwordParameter("j_password")
        .permitAll();

    http.logout()
        .permitAll()
        .logoutUrl("/logout")
        .logoutSuccessUrl("/")
        .invalidateHttpSession(true);
  }
  @Override
  protected void configure(HttpSecurity http) throws Exception {

    // Authorize application specific URLs
    http.authorizeRequests()
        .antMatchers("/", "/student/**", "/course/**", "/students", "/courses")
        .authenticated()
        .and()

        // Configure the login rules
        .formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("/", true)
        .failureUrl("/login?error")
        .permitAll()
        .and()

        // Configure what happens on logout
        .logout()
        .logoutUrl("/logout")
        .logoutSuccessUrl("/login")
        .permitAll()
        .and()

        // Disable Cross Site Request Forgery, nice feature but annoying for this demo
        .csrf()
        .disable();

    // Disable X-Frame-Options header so the h2-console can work
    http.headers().frameOptions().disable();
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   if (this.security.isRequireSsl()) {
     http.requiresChannel().anyRequest().requiresSecure();
   }
   if (!this.security.isEnableCsrf()) {
     http.csrf().disable();
   }
   // No cookies for application endpoints by default
   http.sessionManagement().sessionCreationPolicy(this.security.getSessions());
   SpringBootWebSecurityConfiguration.configureHeaders(
       http.headers(), this.security.getHeaders());
   String[] paths = getSecureApplicationPaths();
   if (paths.length > 0) {
     AuthenticationEntryPoint entryPoint = entryPoint();
     http.exceptionHandling().authenticationEntryPoint(entryPoint);
     http.httpBasic().authenticationEntryPoint(entryPoint);
     http.requestMatchers().antMatchers(paths);
     String[] roles = this.security.getUser().getRole().toArray(new String[0]);
     SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode();
     if (mode == null || mode == SecurityAuthorizeMode.ROLE) {
       http.authorizeRequests().anyRequest().hasAnyRole(roles);
     } else if (mode == SecurityAuthorizeMode.AUTHENTICATED) {
       http.authorizeRequests().anyRequest().authenticated();
     }
   }
 }
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/api/filters/secured")
        .hasRole(SUPER_USER_ROLE)
        .antMatchers("/admin/**")
        .hasRole(ADMIN)
        .antMatchers("/**")
        .permitAll();

    http.httpBasic().and().csrf().disable();
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   ResourceServerSecurityConfigurer resources = new ResourceServerSecurityConfigurer();
   ResourceServerTokenServices services = resolveTokenServices();
   if (services != null) {
     resources.tokenServices(services);
   } else {
     if (tokenStore != null) {
       resources.tokenStore(tokenStore);
     } else if (endpoints != null) {
       resources.tokenStore(endpoints.getEndpointsConfigurer().getTokenStore());
     }
   }
   if (eventPublisher != null) {
     resources.eventPublisher(eventPublisher);
   }
   for (ResourceServerConfigurer configurer : configurers) {
     configurer.configure(resources);
   }
   // @formatter:off
   http
       // N.B. exceptionHandling is duplicated in resources.configure() so that
       // it works
       .exceptionHandling()
       .accessDeniedHandler(resources.getAccessDeniedHandler())
       .and()
       .sessionManagement()
       .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
       .and()
       .csrf()
       .disable();
   // @formatter:on
   http.apply(resources);
   RequestMatcherConfigurer requests = http.requestMatchers();
   if (endpoints != null) {
     // Assume we are in an Authorization Server
     requests.requestMatchers(
         new NotOAuthRequestMatcher(endpoints.oauth2EndpointHandlerMapping()));
   }
   for (ResourceServerConfigurer configurer : configurers) {
     // Delegates can add authorizeRequests() here
     configurer.configure(http);
   }
   if (configurers.isEmpty()) {
     // Add anyRequest() last as a fall back. Spring Security would
     // replace an existing anyRequest() matcher
     // with this one, so to avoid that we only add it if the user hasn't
     // configured anything.
     http.authorizeRequests().anyRequest().authenticated();
   }
 }
 @Override
 protected void configure(HttpSecurity httpSecurity) throws Exception {
   httpSecurity
       .authorizeRequests()
       .antMatchers("/")
       .permitAll()
       .and()
       .authorizeRequests()
       .antMatchers("/console/**")
       .permitAll();
   // don't use in a production environment
   httpSecurity.csrf().disable();
   httpSecurity.headers().frameOptions().disable();
 }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   // secure endpoints
   RequestMatcher matcher =
       this.management.getSecurity().isEnabled()
           ? LazyEndpointPathRequestMatcher.getRequestMatcher(this.contextResolver)
           : null;
   if (matcher != null) {
     // Always protect them if present
     if (this.security.isRequireSsl()) {
       http.requiresChannel().anyRequest().requiresSecure();
     }
     AuthenticationEntryPoint entryPoint = entryPoint();
     http.exceptionHandling().authenticationEntryPoint(entryPoint);
     // Match all the requests for actuator endpoints ...
     http.requestMatcher(matcher);
     // ... but permitAll() for the non-sensitive ones
     configurePermittedRequests(http.authorizeRequests());
     http.httpBasic().authenticationEntryPoint(entryPoint);
     // No cookies for management endpoints by default
     http.csrf().disable();
     http.sessionManagement().sessionCreationPolicy(this.management.getSecurity().getSessions());
     SpringBootWebSecurityConfiguration.configureHeaders(
         http.headers(), this.security.getHeaders());
   }
 }
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http.csrf()
        .disable()
        .authorizeRequests()
        .antMatchers("/")
        .permitAll()
        .anyRequest()
        .authenticated();

    http.httpBasic();
    // @formatter:on
  }
  @Override
  protected void configure(HttpSecurity http) throws Exception {

    if (this.security.isRequireSsl()) {
      http.requiresChannel().anyRequest().requiresSecure();
    }
    if (!this.security.isEnableCsrf()) {
      http.csrf().disable();
    }
    SpringBootWebSecurityConfiguration.configureHeaders(http.headers(), this.security.getHeaders());

    http.headers()
        .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"));
  }
Esempio n. 17
0
 @Override
 protected void configure(final HttpSecurity http) throws Exception {
   // @formatter:off
   http.csrf()
       .disable()
       .authorizeRequests()
       .antMatchers("/admin/**")
       .hasRole("ADMIN")
       .antMatchers("/anonymous*")
       .anonymous()
       .antMatchers("/login*")
       .permitAll()
       .anyRequest()
       .authenticated()
       .and()
       .formLogin()
       .loginPage("/login.html")
       .loginProcessingUrl("/perform_login")
       .defaultSuccessUrl("/homepage.html", true)
       .failureUrl("/login.html?error=true")
       .and()
       .logout()
       .logoutUrl("/perform_logout")
       .deleteCookies("JSESSIONID")
       .logoutSuccessHandler(logoutSuccessHandler());
   // @formatter:on
 }
Esempio n. 18
0
  @Override
  protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
        .antMatchers("/maga")
        .anonymous()
        .antMatchers("/#!main")
        .access("hasRole('user')")
        .antMatchers("/#!admin")
        .access("hasRole('admin')")
        .and()
        .formLogin()
        .loginPage("/")
        .loginProcessingUrl("/login")
        .defaultSuccessUrl("/#!main")
        .failureUrl("/error")
        .usernameParameter("username")
        .passwordParameter("password")
        .and()
        .logout()
        .logoutSuccessUrl("/logout")
        .and()
        .exceptionHandling()
        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/main"))
        .and()
        .csrf()
        .disable();
  }
Esempio n. 19
0
  @Override
  protected void configure(HttpSecurity http) throws Exception {

    // @formatter:off
    http.authorizeRequests()
        .antMatchers("/login**")
        .permitAll()
        .antMatchers("/admin**")
        .hasRole("ADMIN")
        .antMatchers("/console/**")
        .permitAll()
        .anyRequest()
        .permitAll()
        .and()
        .formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("/")
        .loginProcessingUrl("/j_spring_security_check")
        .failureUrl("/login?error")
        .usernameParameter("username")
        .passwordParameter("password")
        .and()
        .logout()
        .logoutUrl("/j_spring_security_logout")
        .logoutSuccessUrl("/login?logout")

    // .and()
    //	.csrf()
    ;
    // @formatter:on

    // http.csrf().disable();
    // http.headers().frameOptions().disable();

  }
Esempio n. 20
0
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.authorizeRequests()
       .accessDecisionManager(accessDecisionManager())
       .antMatchers("/ping")
       .permitAll()
       .antMatchers("/authn")
       .fullyAuthenticated()
       .antMatchers("/profiles")
       .permitAll()
       .antMatchers("/profiles/**")
       .hasAuthority("MYPROFILE")
       .anyRequest()
       .denyAll()
       .and()
       .addFilterAfter(authFilterBean(), BasicAuthenticationFilter.class)
       .sessionManagement()
       .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
       .and()
       .exceptionHandling()
       .authenticationEntryPoint(entryPointBean())
       .and()
       .csrf()
       .disable();
 }
Esempio n. 21
0
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.authorizeUrls()
       .antMatchers(
           "/define.kitty",
           "/next_step.kitty",
           "/finale.kitty",
           "/error.kitty",
           "/step/first.kitty")
       .permitAll()
       .antMatchers("/step/finale.kitty")
       .authenticated()
       .anyRequest()
       .authenticated()
       .and()
       .formLogin()
       .loginUrl("/define.kitty")
       .permitAll()
       .loginProcessingUrl("/define.kitty")
       .failureUrl("/error.kitty")
       .usernameParameter("email")
       .passwordParameter("password")
       .successHandler(authenticationSuccessHandler())
       .and()
       .logout()
       .logoutUrl("/undefine.kitty")
       .logoutSuccessUrl("/define.kitty")
       .and()
       .sessionManagement()
       .maximumSessions(1)
       .expiredUrl("/define.kitty");
 }
  @Override
  protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
        .antMatchers("/", "/home", "/admin/**")
        .permitAll()
        .antMatchers("/account/**")
        .access("hasRole('ACCOUNTANT') or hasRole('DIRECTOR')")
        .antMatchers("/admin/**")
        .access("hasRole('ADMIN')")
        .antMatchers("/db/**")
        .access("hasRole('DIRECTOR')")
        .and()
        .formLogin()
        .loginPage("/login")
        .successHandler(customSuccessHandler)
        .usernameParameter("ssoId")
        .passwordParameter("password")
        .and()
        .rememberMe()
        .rememberMeParameter("remember-me")
        .tokenRepository(persistentTokenRepository())
        .and()
        .exceptionHandling()
        .accessDeniedPage("/Access_Denied")
        .and()
        .csrf()
        .disable();
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.authorizeRequests()
       .antMatchers(
           "/",
           "/css/**",
           "/js/**",
           "/contact.html",
           "/motdepasse.html",
           "/informations.html",
           "/formulaireCode.html",
           "/rinitPWD.html",
           "/inscription.html",
           "/test.html")
       .permitAll()
       .anyRequest()
       .authenticated()
       .and()
       .formLogin()
       .loginPage("/index")
       .permitAll()
       .and()
       .logout()
       .logoutUrl("/logout")
       .logoutSuccessUrl("/logout")
       .permitAll();
 }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.authorizeRequests()
       .antMatchers("/messageList*")
       .hasAnyRole("USER", "GUEST")
       .antMatchers("/messagePost*")
       .hasRole("USER")
       .antMatchers("/messageDelete*")
       .hasRole("ADMIM")
       .and()
       .formLogin()
       .loginPage("/login.jsp")
       .loginProcessingUrl("/j_spring_security_check")
       .defaultSuccessUrl("/messageList")
       .failureUrl("/login.jsp?error=true")
       .and()
       .logout()
       .logoutSuccessUrl("/login.jsp")
       .and()
       .anonymous()
       .principal("guest")
       .authorities("ROLE_GUEST")
       .and()
       .rememberMe()
       .and()
       .csrf()
       .disable();
 }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   // @formatter:off
   http.authorizeRequests()
       .antMatchers("/", "/register", "/encounters", "/search", "/error")
       .permitAll()
       .antMatchers("/admin/**")
       .hasRole("ADMIN")
       .anyRequest()
       .hasAnyRole("USER", "ADMIN")
       .and()
       .formLogin()
       .loginPage("/login")
       .defaultSuccessUrl("/account")
       .permitAll()
       .and()
       .logout()
       .logoutUrl("/logout")
       .logoutSuccessUrl("/")
       .permitAll()
       .and()
       .securityContext()
       .securityContextRepository(securityContextRepository);
   // @formatter:on
 }
    @Override
    protected void configure(HttpSecurity http) throws Exception {

      http.csrf()
          .disable()
          .authorizeRequests()
          .and()
          .formLogin()
          .loginProcessingUrl("/api/authentication")
          .successHandler(ajaxAuthenticationSuccessHandler)
          .failureHandler(ajaxAuthenticationFailureHandler)
          .usernameParameter("j_username")
          .passwordParameter("j_password")
          .permitAll()
          .and()
          .rememberMe()
          .rememberMeServices(rememberMeServices)
          .key(env.getProperty("jhipster.security.rememberme.key"))
          .and()
          .logout()
          .logoutUrl("/api/logout")
          .logoutSuccessHandler(ajaxLogoutSuccessHandler)
          .deleteCookies("JSESSIONID")
          .permitAll()
          .and()
          .exceptionHandling();
    }
Esempio n. 27
0
  @Override
  protected void configure(HttpSecurity http) throws Exception {

    http.csrf()
        .disable()
        .authorizeRequests()
        .antMatchers("/admin/**")
        .hasRole("ADMIN")
        .and()
        .formLogin()
        .loginProcessingUrl("/j_spring_security_check")
        .loginPage("/login")
        .defaultSuccessUrl("/protected/home/")
        .failureUrl("/login")
        .permitAll()
        .and()
        .logout()
        .logoutSuccessUrl("/?logout");

    //
    //	http.authorizeRequests().antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')").antMatchers("/dba/**")
    //				.access("hasRole('ROLE_ADMIN') or
    // hasRole('ROLE_DBA')").and().formLogin().loginPage("/login");

  }
Esempio n. 28
0
 @Override
 public void configure(HttpSecurity http) throws Exception {
   http.authorizeRequests()
       .antMatchers(HttpMethod.GET, "/api/**")
       .access("#oauth2.hasScope('read')")
       .antMatchers(HttpMethod.POST, "/api/**")
       .access("#oauth2.hasScope('write')")
       .antMatchers(HttpMethod.PATCH, "/api/**")
       .access("#oauth2.hasScope('write')")
       .antMatchers(HttpMethod.PUT, "/api/**")
       .access("#oauth2.hasScope('write')")
       .antMatchers(HttpMethod.DELETE, "/api/**")
       .access("#oauth2.hasScope('write')")
       .and()
       .headers()
       .addHeaderWriter(
           (request, response) -> {
             response.addHeader("Access-Control-Allow-Origin", "*");
             if (request.getMethod().equals("OPTIONS")) {
               response.setHeader(
                   "Access-Control-Allow-Methods",
                   request.getHeader("Access-Control-Request-Method"));
               response.setHeader(
                   "Access-Control-Allow-Headers",
                   request.getHeader("Access-Control-Request-Headers"));
             }
           });
 }
 @Override
 public void configure(HttpSecurity http) throws Exception {
   http
       // Logout
       .logout()
       .logoutUrl("/oauth/logout")
       .logoutSuccessHandler(customLogoutSuccessHandler)
       .and()
       // Session management
       .sessionManagement()
       .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
       .and()
       // URI's to verify
       .authorizeRequests()
       .antMatchers("/oauth/logout")
       .permitAll()
       .antMatchers("/")
       .permitAll()
       .antMatchers("/**")
       .authenticated()
       //                    .antMatchers("/usuarios/**").hasRole("ADMIN")
       .and()
       .csrf()
       .disable();
 }
Esempio n. 30
0
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.csrf()
       .requireCsrfProtectionMatcher(new CSRFRequestMatcher())
       .and()
       .authorizeRequests()
       .antMatchers("/entrar", "/registrar/**", "/jobs/**", "/css/**", "/fonts/**", "/js/**")
       .permitAll()
       .antMatchers("/admin/**")
       .hasRole("Administrator")
       .anyRequest()
       .authenticated()
       .and()
       .formLogin()
       .loginPage("/entrar")
       .loginProcessingUrl("/entrar")
       .failureUrl("/entrar?error=true")
       .defaultSuccessUrl("/")
       .usernameParameter("nomeDeUsuario")
       .passwordParameter("senha")
       .and()
       .logout()
       .logoutUrl("/sair")
       .logoutSuccessUrl("/entrar?logout=true")
       .invalidateHttpSession(true);
 }