 @Override
 protected void configure(HttpSecurity http) throws Exception {
   // Resource-server configurer plus the decision of how bearer tokens are
   // resolved: explicit token services win; otherwise fall back to a token
   // store (our own first, then the one shared with the authorization-server
   // endpoints when we are co-located with one).
   ResourceServerSecurityConfigurer resources = new ResourceServerSecurityConfigurer();
   ResourceServerTokenServices tokenServices = resolveTokenServices();
   if (tokenServices != null) {
     resources.tokenServices(tokenServices);
   } else if (tokenStore != null) {
     resources.tokenStore(tokenStore);
   } else if (endpoints != null) {
     resources.tokenStore(endpoints.getEndpointsConfigurer().getTokenStore());
   }
   if (eventPublisher != null) {
     resources.eventPublisher(eventPublisher);
   }
   // Application configurers customise the resource-server settings before
   // they are applied to the filter chain.
   for (ResourceServerConfigurer delegate : configurers) {
     delegate.configure(resources);
   }

   // The access-denied handler is registered on HttpSecurity here as well as
   // inside resources.configure(); both registrations are needed for it to
   // take effect.
   http.exceptionHandling().accessDeniedHandler(resources.getAccessDeniedHandler());
   // A resource server authenticates every request from its bearer token, so
   // it keeps no HTTP session, and CSRF protection is switched off on the
   // assumption that no cookie-borne credential exists for a third-party page
   // to ride on. The two settings go together: do not re-enable sessions here
   // without reconsidering CSRF.
   http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
   http.csrf().disable();
   http.apply(resources);

   RequestMatcherConfigurer requestMatchers = http.requestMatchers();
   if (endpoints != null) {
     // Co-located with an authorization server: leave its own endpoints to
     // the authorization-server filter chain instead of claiming them here.
     requestMatchers.requestMatchers(
         new NotOAuthRequestMatcher(endpoints.oauth2EndpointHandlerMapping()));
   }
   // Application configurers add their authorizeRequests() rules here.
   for (ResourceServerConfigurer delegate : configurers) {
     delegate.configure(http);
   }
   if (configurers.isEmpty()) {
     // Catch-all requiring authentication, added last because Spring Security
     // would replace an anyRequest() matcher registered earlier. When
     // configurers are present they own this decision: nothing in this method
     // guarantees that paths they did not match are protected.
     http.authorizeRequests().anyRequest().authenticated();
   }
 }
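  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Stateless REST API: no HTTP session is kept, and CSRF protection is
    // switched off on the assumption that credentials arrive in request
    // headers (HTTP Basic / x-auth-token) rather than in cookies a third-party
    // page could make the browser send.
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // HTTP Basic is a single filter: register it once, not once per prefix as
    // the previous loop did.
    http.httpBasic();

    // Top-level prefixes whose whole sub-tree requires the USER role.
    // NOTE(review): hasRole() adds the "ROLE_" prefix itself in Spring
    // Security; confirm CustomUserDetailsService.ROLE_USER is the bare name.
    String[] restEndpointsToSecure = {"api", "manage"};
    for (String endpoint : restEndpointsToSecure) {
      http.authorizeRequests()
          .antMatchers("/" + endpoint + "/**")
          .hasRole(CustomUserDetailsService.ROLE_USER);
    }
    // NOTE(review): there is no anyRequest() rule, so paths outside these two
    // prefixes carry no authorization requirement in this chain. If nothing
    // else guards them, add `http.authorizeRequests().anyRequest().authenticated();`
    // (or denyAll()) after the loop.

    // Filter that reads the x-auth-token header and authenticates from it.
    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter =
        new XAuthTokenConfigurer(userDetailsServiceBean());
    http.apply(securityConfigurerAdapter);
  }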
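  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // CSRF token kept in the HTTP session; the header name is aligned with what
    // AngularJS's $http sends (X-XSRF-TOKEN) instead of Spring's default
    // X-CSRF-TOKEN.
    HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();
    tokenRepository.setHeaderName("X-XSRF-TOKEN");
    // The previous chain called csrf().disable() and then csrf() again "for
    // testing purposes", which in Spring Security re-registers CSRF protection
    // with a fresh default configurer; the repository above was built but
    // never applied (the csrfTokenRepository call was commented out). Apply it
    // explicitly so the configured header name is actually honoured.
    http.csrf().csrfTokenRepository(tokenRepository);
    // NOTE(review): HttpSessionCsrfTokenRepository needs a session to hold the
    // token while the policy below is STATELESS — confirm the token actually
    // reaches the AngularJS client in this setup.

    // Most specific rule first: /admin/** needs ADMIN, everything else USER.
    http.authorizeRequests()
        .antMatchers("/admin/**")
        .hasRole("ADMIN")
        .antMatchers("/**")
        .hasRole("USER");

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Injects the filter that reads the x-auth-token header and validates it.
    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter =
        new XAuthTokenConfigurer(userDetailsServiceBean());
    http.apply(securityConfigurerAdapter);

    // No formLogin()/logout() here: the AngularJS client renders the login
    // view itself, so server-side login redirection is not configured.
  }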
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Rules are evaluated in registration order: public paths first, then the
    // role-gated areas, then a catch-all that requires authentication.
    http.authorizeRequests()
        // Landing page, error pages, static assets and the self-service
        // signup / signin / password-reset flows are open to everyone.
        .antMatchers(
            "/",
            "/403",
            "/404",
            "/500",
            "/generatedResources/**",
            "/resources/**",
            "/signup/**",
            "/signin/**",
            "/forgotMyPassword/**",
            "/themes/**")
        .permitAll()
        // NOTE(review): this opens every /user/<x>/<y> path (the regex is
        // presumably matched against the whole request path) while "/user"
        // itself requires USER below — confirm nothing sensitive is served
        // two levels under /user.
        .regexMatchers("/user/.*/.*")
        .permitAll()
        .antMatchers("/challenges/**", "/user")
        .hasAnyRole("USER")
        .antMatchers("/manage/**")
        .hasRole("ADMIN")
        .anyRequest()
        .authenticated();

    // Form-based login; the failure redirect carries ?error for the view.
    http.formLogin().loginPage("/signin").failureUrl("/signin?error").permitAll();

    // Logout also drops the session cookie so the browser does not keep an id
    // the server no longer recognises.
    http.logout()
        .logoutUrl("/signout")
        .logoutSuccessUrl("/signin?signout")
        .deleteCookies("JSESSIONID")
        .permitAll();

    // Persistent remember-me tokens; validity taken from DateUtils.ONE_WEEK.
    http.rememberMe()
        .tokenRepository(persistentTokenRepository())
        .tokenValiditySeconds(DateUtils.ONE_WEEK);

    http.apply(new SpringSocialConfigurer().signupUrl("/signup/social"));

    // NOTE(review): CSRF protection is switched off although this chain uses
    // form login, a server-side session and remember-me cookies — exactly the
    // ambient-credential setup CSRF exploits. Unless every state-changing
    // request is protected some other way, prefer keeping csrf() enabled and
    // sending the token with each form/XHR.
    http.csrf().disable();
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   // Share the OAuth2 endpoint mapping before anything reads it, then let the
   // subclass hook customise the authorization-server settings and apply them.
   AuthorizationServerSecurityConfigurer authServer = new AuthorizationServerSecurityConfigurer();
   FrameworkEndpointHandlerMapping oauthEndpoints = endpoints.oauth2EndpointHandlerMapping();
   http.setSharedObject(FrameworkEndpointHandlerMapping.class, oauthEndpoints);
   configure(authServer);
   http.apply(authServer);

   // Servlet paths the three framework endpoints are mounted on.
   String tokenPath = oauthEndpoints.getServletPath("/oauth/token");
   String tokenKeyPath = oauthEndpoints.getServletPath("/oauth/token_key");
   String checkTokenPath = oauthEndpoints.getServletPath("/oauth/check_token");

   // /oauth/token needs fullyAuthenticated() (in Spring Security that excludes
   // remember-me); token_key and check_token use whatever access expressions
   // the configurer carries — their defaults are not visible here, check them.
   http.authorizeRequests()
       .antMatchers(tokenPath)
       .fullyAuthenticated()
       .antMatchers(tokenKeyPath)
       .access(authServer.getTokenKeyAccess())
       .antMatchers(checkTokenPath)
       .access(authServer.getCheckTokenAccess());
   // This filter chain handles only these three paths; everything else is
   // left to the other chains.
   http.requestMatchers().antMatchers(tokenPath, tokenKeyPath, checkTokenPath);

   http.setSharedObject(ClientDetailsService.class, clientDetailsService);
 }