@Override public void configure(HttpSecurity http) throws Exception { // In this OAuth2 scenario with implicit flow we both login the user and obtain the token // in the same endpoint (/oauth/authorize). User credentials will be passed as "username" and // "password" form. // This might be different in other scenarios, for instance if we wanted to implement // authorization code flow to support token refresh. http.httpBasic() .disable() // Test filter gives problems because is redirecting to / is not saving the request to // redirect properly .logout() .logoutUrl(apiPath + oauth2LogoutEndpointPath) .logoutSuccessHandler(oauth2LogoutHandler()); if (swagerEnabled) { if (!swaggerCloudMode) { // If swagger is enabled and we are not in 'cloud mode' (behind a Zuul OAuth2 enabled proxy) // we need to permit certain URLs and resources for Swagger UI to work with OAuth2 http.authorizeRequests() .antMatchers(swaggerOauth2AllowedUrlsAntMatchers.split(",")) .permitAll(); } } else { http.authorizeRequests() .antMatchers(swaggerOauth2AllowedUrlsAntMatchers.split(",")) .denyAll(); } http.authorizeRequests().anyRequest().authenticated(); }
@Override protected void configure(HttpSecurity http) throws Exception { HttpSessionCsrfTokenRepository csrfTokenRepository = new HttpSessionCsrfTokenRepository(); csrfTokenRepository.setHeaderName(CSRF_HEADER_NAME); http.csrf().csrfTokenRepository(csrfTokenRepository); http.authorizeRequests() .antMatchers("/assets/**", "/webjars/**", "/login/**", "/api-docs/**") .permitAll() .antMatchers("/jsondoc/**", "/jsondoc-ui.html") .permitAll() .anyRequest() .fullyAuthenticated(); http.formLogin().loginProcessingUrl("/login").loginPage("/login").failureUrl("/login?error"); http.httpBasic(); http.logout().logoutUrl("/logout").logoutSuccessUrl("/login?logout"); http.headers() .defaultsDisabled() .contentTypeOptions() .and() .xssProtection() .and() .httpStrictTransportSecurity() .and() .addHeaderWriter( new StaticHeadersWriter( "Access-Control-Allow-Origin", "http://petstore.swagger.wordnik.com")) .addHeaderWriter(new CsrfTokenCookieWriter(csrfTokenRepository, CSRF_COOKIE_NAME)); }
@Override protected void configure(HttpSecurity http) throws Exception { // secure endpoints RequestMatcher matcher = this.management.getSecurity().isEnabled() ? LazyEndpointPathRequestMatcher.getRequestMatcher(this.contextResolver) : null; if (matcher != null) { // Always protect them if present if (this.security.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } AuthenticationEntryPoint entryPoint = entryPoint(); http.exceptionHandling().authenticationEntryPoint(entryPoint); // Match all the requests for actuator endpoints ... http.requestMatcher(matcher); // ... but permitAll() for the non-sensitive ones configurePermittedRequests(http.authorizeRequests()); http.httpBasic().authenticationEntryPoint(entryPoint); // No cookies for management endpoints by default http.csrf().disable(); http.sessionManagement().sessionCreationPolicy(this.management.getSecurity().getSessions()); SpringBootWebSecurityConfiguration.configureHeaders( http.headers(), this.security.getHeaders()); } }
@Override protected void configure(final HttpSecurity http) throws Exception { http.httpBasic() .and() .authorizeRequests() .antMatchers( "/", "/components" + ANY, "/fusioncharts-suite-xt" + ANY, CRIPSTIAN_PATH + CSS + ANY, CRIPSTIAN_PATH + JS + ANY, CRIPSTIAN_PATH + IMG + ANY, CRIPSTIAN_PATH + HTML + "/home.html", "/user", CRIPSTIAN_PATH + HTML + "/login.html", CRIPSTIAN_PATH + HTML + "/new-account.html", "/account", PUBLIC_GRAPHS, GRAPHS_IDS, EUROSTAT_QUERY_RESULT, CRIPSTIAN_PATH + HTML + EUROSTAT_GRAPH) .permitAll() .anyRequest() .authenticated() .and() .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class) .csrf() .csrfTokenRepository(csrfTokenRepository()); }
@Override protected void configure(HttpSecurity http) throws Exception { if (this.security.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } if (!this.security.isEnableCsrf()) { http.csrf().disable(); } // No cookies for application endpoints by default http.sessionManagement().sessionCreationPolicy(this.security.getSessions()); SpringBootWebSecurityConfiguration.configureHeaders( http.headers(), this.security.getHeaders()); String[] paths = getSecureApplicationPaths(); if (paths.length > 0) { AuthenticationEntryPoint entryPoint = entryPoint(); http.exceptionHandling().authenticationEntryPoint(entryPoint); http.httpBasic().authenticationEntryPoint(entryPoint); http.requestMatchers().antMatchers(paths); String[] roles = this.security.getUser().getRole().toArray(new String[0]); SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode(); if (mode == null || mode == SecurityAuthorizeMode.ROLE) { http.authorizeRequests().anyRequest().hasAnyRole(roles); } else if (mode == SecurityAuthorizeMode.AUTHENTICATED) { http.authorizeRequests().anyRequest().authenticated(); } } }
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/api/filters/secured") .hasRole(SUPER_USER_ROLE) .antMatchers("/admin/**") .hasRole(ADMIN) .antMatchers("/**") .permitAll(); http.httpBasic().and().csrf().disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off http.csrf() .disable() .authorizeRequests() .antMatchers("/") .permitAll() .anyRequest() .authenticated(); http.httpBasic(); // @formatter:on }
@Override protected void configure(HttpSecurity http) throws Exception { http.httpBasic() .and() .authorizeRequests() .antMatchers(PERMIT_URLS) .permitAll() .anyRequest() .authenticated() .and() .csrf() .csrfTokenRepository(csrfTokenRepository()) .and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); }
@Override protected void configure(final HttpSecurity http) throws Exception { http.httpBasic() .and() .authorizeRequests() .antMatchers("/**") .permitAll() .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.NEVER) .enableSessionUrlRewriting(false) .and() .csrf() .disable(); }
/** * Defines the web based security configuration. * * @param http It allows configuring web based security for specific http requests. * @throws Exception */ @Override protected void configure(HttpSecurity http) throws Exception { http.httpBasic().authenticationEntryPoint(samlEntryPoint()); http.csrf().disable(); http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class) .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class); http.authorizeRequests() .antMatchers("/") .permitAll() .antMatchers("/error") .permitAll() .antMatchers("/saml/**") .permitAll() .anyRequest() .authenticated(); http.logout().logoutSuccessUrl("/"); }
@Override protected void configure(HttpSecurity http) throws Exception { http.httpBasic() .and() .authorizeRequests() .antMatchers("/app/**", "/logout", "/login") .permitAll() .anyRequest() .authenticated() .and() .logout() .logoutSuccessUrl("/") .and() .csrf() .csrfTokenRepository(csrfTokenRepository()) .and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); }
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); String[] restEndpointsToSecure = {"api", "manage"}; for (String endpoint : restEndpointsToSecure) { http.httpBasic() .and() .authorizeRequests() .antMatchers("/" + endpoint + "/**") .hasRole(CustomUserDetailsService.ROLE_USER); } SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter = new XAuthTokenConfigurer(userDetailsServiceBean()); http.apply(securityConfigurerAdapter); }
@Override public void configure(HttpSecurity http) throws Exception { http.httpBasic() .and() .authorizeRequests() .antMatchers( "/*.html", "/client", "/*/regist", "/*/register", "/oauth/authorize", "/oauth/confirm_access", "/", "/mail/*") .permitAll() .and() .authorizeRequests() .anyRequest() .authenticated(); }
@Override protected void configure(final HttpSecurity http) throws Exception { http.httpBasic() .and() .authorizeRequests() .antMatchers("/api/system/env/java.(runtime|vm).*", "/api/system/metrics/**") .permitAll() .antMatchers("/api/system/env/**") .denyAll() .antMatchers("/**") .permitAll() .and() .sessionManagement() .sessionCreationPolicy(STATELESS) .and() .csrf() .disable() .headers() .frameOptions() // OEmbedController#embedTrack uses an iframe .disable(); }