@Override protected void configure(HttpSecurity http) throws Exception { SimpleUrlLogoutSuccessHandler redirectHandler = new SimpleUrlLogoutSuccessHandler(); redirectHandler.setTargetUrlParameter("redirect_uri"); // http://stackoverflow.com/questions/22886186/how-to-setup-access-control-allow-origin-filter-problematically-in-spring-securi // @formatter:off http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class) .csrf() .ignoringAntMatchers("/logout") .and() .formLogin() .loginPage("/login") .permitAll() .and() .authorizeRequests() .anyRequest() .authenticated() .and() .logout() .logoutSuccessHandler(redirectHandler) .permitAll(); // @formatter:on }
@Override public void configure(HttpSecurity http) throws Exception { // In this OAuth2 scenario with implicit flow we both login the user and obtain the token // in the same endpoint (/oauth/authorize). User credentials will be passed as "username" and // "password" form. // This might be different in other scenarios, for instance if we wanted to implement // authorization code flow to support token refresh. http.httpBasic() .disable() // Test filter gives problems because is redirecting to / is not saving the request to // redirect properly .logout() .logoutUrl(apiPath + oauth2LogoutEndpointPath) .logoutSuccessHandler(oauth2LogoutHandler()); if (swagerEnabled) { if (!swaggerCloudMode) { // If swagger is enabled and we are not in 'cloud mode' (behind a Zuul OAuth2 enabled proxy) // we need to permit certain URLs and resources for Swagger UI to work with OAuth2 http.authorizeRequests() .antMatchers(swaggerOauth2AllowedUrlsAntMatchers.split(",")) .permitAll(); } } else { http.authorizeRequests() .antMatchers(swaggerOauth2AllowedUrlsAntMatchers.split(",")) .denyAll(); } http.authorizeRequests().anyRequest().authenticated(); }
@Override protected void configure(HttpSecurity http) throws Exception { http // .httpBasic() // .and() .formLogin() .loginPage("/login") .successHandler(successHandler) // .usernameParameter("username") // .passwordParameter("password") .and() .authorizeRequests() .antMatchers("/") .permitAll() .antMatchers("/resources/**") .permitAll() .antMatchers("/admin/**") .hasRole("ADMIN") .antMatchers("/author/**") .hasRole("AUTHOR") .antMatchers("/login") .hasRole("ANONYMOUS") .and() .csrf() .disable(); http.exceptionHandling().accessDeniedPage("/403"); }
@Override protected void configure(HttpSecurity http) throws Exception { http.exceptionHandling().authenticationEntryPoint(http401UnauthorizedEntryPoint); http.formLogin() .loginProcessingUrl("/authentication") .successHandler(ajaxAuthenticationSuccessHandler) .failureHandler(ajaxAuthenticationFailureHandler) .usernameParameter("username") .passwordParameter("password") .permitAll() .and() .logout() .logoutUrl("/logout") .logoutSuccessHandler(ajaxLogoutSuccessHandler) .deleteCookies("JSESSIONID") .permitAll() .and() .csrf() .disable() .headers() .frameOptions() .disable() .and() .authorizeRequests(); }
@Override public void configure(HttpSecurity http) throws Exception { ContentNegotiationStrategy contentNegotiationStrategy = http.getSharedObject(ContentNegotiationStrategy.class); if (contentNegotiationStrategy == null) { contentNegotiationStrategy = new HeaderContentNegotiationStrategy(); } MediaTypeRequestMatcher preferredMatcher = new MediaTypeRequestMatcher( contentNegotiationStrategy, MediaType.APPLICATION_FORM_URLENCODED, MediaType.APPLICATION_JSON, MediaType.MULTIPART_FORM_DATA); http.csrf() .disable() .authorizeRequests() .and() .anonymous() .disable() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .httpBasic() .and() .exceptionHandling() .authenticationEntryPoint(authenticationEntryPoint) .defaultAuthenticationEntryPointFor(authenticationEntryPoint, preferredMatcher) .and() .authorizeRequests() .antMatchers("/api/**") .fullyAuthenticated(); }
@Override protected void configure(HttpSecurity http) throws Exception { // ログイン認証の対象外を設定 http.authorizeRequests() .antMatchers( "/", "/no_auth/**", "/csjs/**", "/css/**", "/images/**", "/apidocs/**", "/download/**") .permitAll() .anyRequest() .authenticated(); // ログイン認証の設定 http.formLogin() .loginPage("/login") .defaultSuccessUrl("/login_auth", true) .permitAll() .and() .logout() .permitAll(); // javadocのiframe向けにX-Frame-Optionsヘッダーを無効化 http.headers().frameOptions().disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { http.headers() .addHeaderWriter(new StaticHeadersWriter("Server", "Spontaneous Running Backend")); http.requestMatchers().antMatchers("/spontaneous/**"); http.csrf().disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/resources/**", "/**") .permitAll() .antMatchers("/", "/login", "/registration") .permitAll() .antMatchers("/company.*") .hasRole(Role.ROLE_COMPANY_MANAGER.name()) .antMatchers("/unit.*") .hasRole(Role.ROLE_COMPANY_MANAGER.name()) .antMatchers("/employee.*") .hasAnyRole(Role.ROLE_COMPANY_MANAGER.name(), Role.ROLE_UNIT_MANAGER.name()) .antMatchers("/admin/*") .hasRole(Role.ROLE_ADMIN.name()); http.formLogin() .loginPage("/") .loginProcessingUrl("/j_spring_security_check") .failureUrl("/badlogin") .usernameParameter("j_username") .passwordParameter("j_password") .permitAll(); http.logout() .permitAll() .logoutUrl("/logout") .logoutSuccessUrl("/") .invalidateHttpSession(true); }
@Override protected void configure(HttpSecurity http) throws Exception { // Authorize application specific URLs http.authorizeRequests() .antMatchers("/", "/student/**", "/course/**", "/students", "/courses") .authenticated() .and() // Configure the login rules .formLogin() .loginPage("/login") .defaultSuccessUrl("/", true) .failureUrl("/login?error") .permitAll() .and() // Configure what happens on logout .logout() .logoutUrl("/logout") .logoutSuccessUrl("/login") .permitAll() .and() // Disable Cross Site Request Forgery, nice feature but annoying for this demo .csrf() .disable(); // Disable X-Frame-Options header so the h2-console can work http.headers().frameOptions().disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { if (this.security.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } if (!this.security.isEnableCsrf()) { http.csrf().disable(); } // No cookies for application endpoints by default http.sessionManagement().sessionCreationPolicy(this.security.getSessions()); SpringBootWebSecurityConfiguration.configureHeaders( http.headers(), this.security.getHeaders()); String[] paths = getSecureApplicationPaths(); if (paths.length > 0) { AuthenticationEntryPoint entryPoint = entryPoint(); http.exceptionHandling().authenticationEntryPoint(entryPoint); http.httpBasic().authenticationEntryPoint(entryPoint); http.requestMatchers().antMatchers(paths); String[] roles = this.security.getUser().getRole().toArray(new String[0]); SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode(); if (mode == null || mode == SecurityAuthorizeMode.ROLE) { http.authorizeRequests().anyRequest().hasAnyRole(roles); } else if (mode == SecurityAuthorizeMode.AUTHENTICATED) { http.authorizeRequests().anyRequest().authenticated(); } } }
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/api/filters/secured") .hasRole(SUPER_USER_ROLE) .antMatchers("/admin/**") .hasRole(ADMIN) .antMatchers("/**") .permitAll(); http.httpBasic().and().csrf().disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { ResourceServerSecurityConfigurer resources = new ResourceServerSecurityConfigurer(); ResourceServerTokenServices services = resolveTokenServices(); if (services != null) { resources.tokenServices(services); } else { if (tokenStore != null) { resources.tokenStore(tokenStore); } else if (endpoints != null) { resources.tokenStore(endpoints.getEndpointsConfigurer().getTokenStore()); } } if (eventPublisher != null) { resources.eventPublisher(eventPublisher); } for (ResourceServerConfigurer configurer : configurers) { configurer.configure(resources); } // @formatter:off http // N.B. exceptionHandling is duplicated in resources.configure() so that // it works .exceptionHandling() .accessDeniedHandler(resources.getAccessDeniedHandler()) .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .csrf() .disable(); // @formatter:on http.apply(resources); RequestMatcherConfigurer requests = http.requestMatchers(); if (endpoints != null) { // Assume we are in an Authorization Server requests.requestMatchers( new NotOAuthRequestMatcher(endpoints.oauth2EndpointHandlerMapping())); } for (ResourceServerConfigurer configurer : configurers) { // Delegates can add authorizeRequests() here configurer.configure(http); } if (configurers.isEmpty()) { // Add anyRequest() last as a fall back. Spring Security would // replace an existing anyRequest() matcher // with this one, so to avoid that we only add it if the user hasn't // configured anything. http.authorizeRequests().anyRequest().authenticated(); } }
@Override protected void configure(HttpSecurity httpSecurity) throws Exception { httpSecurity .authorizeRequests() .antMatchers("/") .permitAll() .and() .authorizeRequests() .antMatchers("/console/**") .permitAll(); // don't use in a production environment httpSecurity.csrf().disable(); httpSecurity.headers().frameOptions().disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { // secure endpoints RequestMatcher matcher = this.management.getSecurity().isEnabled() ? LazyEndpointPathRequestMatcher.getRequestMatcher(this.contextResolver) : null; if (matcher != null) { // Always protect them if present if (this.security.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } AuthenticationEntryPoint entryPoint = entryPoint(); http.exceptionHandling().authenticationEntryPoint(entryPoint); // Match all the requests for actuator endpoints ... http.requestMatcher(matcher); // ... but permitAll() for the non-sensitive ones configurePermittedRequests(http.authorizeRequests()); http.httpBasic().authenticationEntryPoint(entryPoint); // No cookies for management endpoints by default http.csrf().disable(); http.sessionManagement().sessionCreationPolicy(this.management.getSecurity().getSessions()); SpringBootWebSecurityConfiguration.configureHeaders( http.headers(), this.security.getHeaders()); } }
@Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off http.csrf() .disable() .authorizeRequests() .antMatchers("/") .permitAll() .anyRequest() .authenticated(); http.httpBasic(); // @formatter:on }
@Override protected void configure(HttpSecurity http) throws Exception { if (this.security.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } if (!this.security.isEnableCsrf()) { http.csrf().disable(); } SpringBootWebSecurityConfiguration.configureHeaders(http.headers(), this.security.getHeaders()); http.headers() .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'")); }
@Override protected void configure(final HttpSecurity http) throws Exception { // @formatter:off http.csrf() .disable() .authorizeRequests() .antMatchers("/admin/**") .hasRole("ADMIN") .antMatchers("/anonymous*") .anonymous() .antMatchers("/login*") .permitAll() .anyRequest() .authenticated() .and() .formLogin() .loginPage("/login.html") .loginProcessingUrl("/perform_login") .defaultSuccessUrl("/homepage.html", true) .failureUrl("/login.html?error=true") .and() .logout() .logoutUrl("/perform_logout") .deleteCookies("JSESSIONID") .logoutSuccessHandler(logoutSuccessHandler()); // @formatter:on }
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/maga") .anonymous() .antMatchers("/#!main") .access("hasRole('user')") .antMatchers("/#!admin") .access("hasRole('admin')") .and() .formLogin() .loginPage("/") .loginProcessingUrl("/login") .defaultSuccessUrl("/#!main") .failureUrl("/error") .usernameParameter("username") .passwordParameter("password") .and() .logout() .logoutSuccessUrl("/logout") .and() .exceptionHandling() .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/main")) .and() .csrf() .disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off http.authorizeRequests() .antMatchers("/login**") .permitAll() .antMatchers("/admin**") .hasRole("ADMIN") .antMatchers("/console/**") .permitAll() .anyRequest() .permitAll() .and() .formLogin() .loginPage("/login") .defaultSuccessUrl("/") .loginProcessingUrl("/j_spring_security_check") .failureUrl("/login?error") .usernameParameter("username") .passwordParameter("password") .and() .logout() .logoutUrl("/j_spring_security_logout") .logoutSuccessUrl("/login?logout") // .and() // .csrf() ; // @formatter:on // http.csrf().disable(); // http.headers().frameOptions().disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .accessDecisionManager(accessDecisionManager()) .antMatchers("/ping") .permitAll() .antMatchers("/authn") .fullyAuthenticated() .antMatchers("/profiles") .permitAll() .antMatchers("/profiles/**") .hasAuthority("MYPROFILE") .anyRequest() .denyAll() .and() .addFilterAfter(authFilterBean(), BasicAuthenticationFilter.class) .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .exceptionHandling() .authenticationEntryPoint(entryPointBean()) .and() .csrf() .disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeUrls() .antMatchers( "/define.kitty", "/next_step.kitty", "/finale.kitty", "/error.kitty", "/step/first.kitty") .permitAll() .antMatchers("/step/finale.kitty") .authenticated() .anyRequest() .authenticated() .and() .formLogin() .loginUrl("/define.kitty") .permitAll() .loginProcessingUrl("/define.kitty") .failureUrl("/error.kitty") .usernameParameter("email") .passwordParameter("password") .successHandler(authenticationSuccessHandler()) .and() .logout() .logoutUrl("/undefine.kitty") .logoutSuccessUrl("/define.kitty") .and() .sessionManagement() .maximumSessions(1) .expiredUrl("/define.kitty"); }
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/", "/home", "/admin/**") .permitAll() .antMatchers("/account/**") .access("hasRole('ACCOUNTANT') or hasRole('DIRECTOR')") .antMatchers("/admin/**") .access("hasRole('ADMIN')") .antMatchers("/db/**") .access("hasRole('DIRECTOR')") .and() .formLogin() .loginPage("/login") .successHandler(customSuccessHandler) .usernameParameter("ssoId") .passwordParameter("password") .and() .rememberMe() .rememberMeParameter("remember-me") .tokenRepository(persistentTokenRepository()) .and() .exceptionHandling() .accessDeniedPage("/Access_Denied") .and() .csrf() .disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers( "/", "/css/**", "/js/**", "/contact.html", "/motdepasse.html", "/informations.html", "/formulaireCode.html", "/rinitPWD.html", "/inscription.html", "/test.html") .permitAll() .anyRequest() .authenticated() .and() .formLogin() .loginPage("/index") .permitAll() .and() .logout() .logoutUrl("/logout") .logoutSuccessUrl("/logout") .permitAll(); }
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/messageList*") .hasAnyRole("USER", "GUEST") .antMatchers("/messagePost*") .hasRole("USER") .antMatchers("/messageDelete*") .hasRole("ADMIM") .and() .formLogin() .loginPage("/login.jsp") .loginProcessingUrl("/j_spring_security_check") .defaultSuccessUrl("/messageList") .failureUrl("/login.jsp?error=true") .and() .logout() .logoutSuccessUrl("/login.jsp") .and() .anonymous() .principal("guest") .authorities("ROLE_GUEST") .and() .rememberMe() .and() .csrf() .disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off http.authorizeRequests() .antMatchers("/", "/register", "/encounters", "/search", "/error") .permitAll() .antMatchers("/admin/**") .hasRole("ADMIN") .anyRequest() .hasAnyRole("USER", "ADMIN") .and() .formLogin() .loginPage("/login") .defaultSuccessUrl("/account") .permitAll() .and() .logout() .logoutUrl("/logout") .logoutSuccessUrl("/") .permitAll() .and() .securityContext() .securityContextRepository(securityContextRepository); // @formatter:on }
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf() .disable() .authorizeRequests() .and() .formLogin() .loginProcessingUrl("/api/authentication") .successHandler(ajaxAuthenticationSuccessHandler) .failureHandler(ajaxAuthenticationFailureHandler) .usernameParameter("j_username") .passwordParameter("j_password") .permitAll() .and() .rememberMe() .rememberMeServices(rememberMeServices) .key(env.getProperty("jhipster.security.rememberme.key")) .and() .logout() .logoutUrl("/api/logout") .logoutSuccessHandler(ajaxLogoutSuccessHandler) .deleteCookies("JSESSIONID") .permitAll() .and() .exceptionHandling(); }
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf() .disable() .authorizeRequests() .antMatchers("/admin/**") .hasRole("ADMIN") .and() .formLogin() .loginProcessingUrl("/j_spring_security_check") .loginPage("/login") .defaultSuccessUrl("/protected/home/") .failureUrl("/login") .permitAll() .and() .logout() .logoutSuccessUrl("/?logout"); // // http.authorizeRequests().antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')").antMatchers("/dba/**") // .access("hasRole('ROLE_ADMIN') or // hasRole('ROLE_DBA')").and().formLogin().loginPage("/login"); }
@Override public void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers(HttpMethod.GET, "/api/**") .access("#oauth2.hasScope('read')") .antMatchers(HttpMethod.POST, "/api/**") .access("#oauth2.hasScope('write')") .antMatchers(HttpMethod.PATCH, "/api/**") .access("#oauth2.hasScope('write')") .antMatchers(HttpMethod.PUT, "/api/**") .access("#oauth2.hasScope('write')") .antMatchers(HttpMethod.DELETE, "/api/**") .access("#oauth2.hasScope('write')") .and() .headers() .addHeaderWriter( (request, response) -> { response.addHeader("Access-Control-Allow-Origin", "*"); if (request.getMethod().equals("OPTIONS")) { response.setHeader( "Access-Control-Allow-Methods", request.getHeader("Access-Control-Request-Method")); response.setHeader( "Access-Control-Allow-Headers", request.getHeader("Access-Control-Request-Headers")); } }); }
@Override public void configure(HttpSecurity http) throws Exception { http // Logout .logout() .logoutUrl("/oauth/logout") .logoutSuccessHandler(customLogoutSuccessHandler) .and() // Session management .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() // URI's to verify .authorizeRequests() .antMatchers("/oauth/logout") .permitAll() .antMatchers("/") .permitAll() .antMatchers("/**") .authenticated() // .antMatchers("/usuarios/**").hasRole("ADMIN") .and() .csrf() .disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf() .requireCsrfProtectionMatcher(new CSRFRequestMatcher()) .and() .authorizeRequests() .antMatchers("/entrar", "/registrar/**", "/jobs/**", "/css/**", "/fonts/**", "/js/**") .permitAll() .antMatchers("/admin/**") .hasRole("Administrator") .anyRequest() .authenticated() .and() .formLogin() .loginPage("/entrar") .loginProcessingUrl("/entrar") .failureUrl("/entrar?error=true") .defaultSuccessUrl("/") .usernameParameter("nomeDeUsuario") .passwordParameter("senha") .and() .logout() .logoutUrl("/sair") .logoutSuccessUrl("/entrar?logout=true") .invalidateHttpSession(true); }