@Override
protected void configure(HttpSecurity http) throws Exception {
    // A dedicated filter chain for the actuator endpoints is only built when
    // management security is switched on; otherwise this adapter stays inert.
    RequestMatcher endpointMatcher = null;
    if (this.management.getSecurity().isEnabled()) {
        endpointMatcher = LazyEndpointPathRequestMatcher.getRequestMatcher(this.contextResolver);
    }
    if (endpointMatcher == null) {
        return;
    }
    // Endpoints are present, so they are always protected from here on.
    if (this.security.isRequireSsl()) {
        http.requiresChannel().anyRequest().requiresSecure();
    }
    AuthenticationEntryPoint authEntryPoint = entryPoint();
    http.exceptionHandling().authenticationEntryPoint(authEntryPoint);
    // Scope this chain to the actuator endpoint paths only ...
    http.requestMatcher(endpointMatcher);
    // ... and let configurePermittedRequests() open up the non-sensitive ones.
    configurePermittedRequests(http.authorizeRequests());
    http.httpBasic().authenticationEntryPoint(authEntryPoint);
    // CSRF is switched off unconditionally for this chain (presumably because
    // the endpoints are meant for HTTP Basic clients rather than browser
    // forms); the session policy comes from the management security settings.
    http.csrf().disable();
    http.sessionManagement()
            .sessionCreationPolicy(this.management.getSecurity().getSessions());
    SpringBootWebSecurityConfiguration.configureHeaders(http.headers(), this.security.getHeaders());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    if (this.security.isRequireSsl()) {
        http.requiresChannel().anyRequest().requiresSecure();
    }
    // CSRF stays on unless it is explicitly switched off in the properties.
    if (!this.security.isEnableCsrf()) {
        http.csrf().disable();
    }
    // Session creation policy and response headers come from the properties.
    http.sessionManagement().sessionCreationPolicy(this.security.getSessions());
    SpringBootWebSecurityConfiguration.configureHeaders(http.headers(), this.security.getHeaders());
    String[] securedPaths = getSecureApplicationPaths();
    if (securedPaths.length == 0) {
        // Nothing to secure: no entry point, no matchers, no authorization rule.
        return;
    }
    AuthenticationEntryPoint authEntryPoint = entryPoint();
    http.exceptionHandling().authenticationEntryPoint(authEntryPoint);
    http.httpBasic().authenticationEntryPoint(authEntryPoint);
    http.requestMatchers().antMatchers(securedPaths);
    // Roles are resolved up front, before the mode is inspected.
    String[] requiredRoles = this.security.getUser().getRole().toArray(new String[0]);
    SecurityAuthorizeMode authorizeMode = this.security.getBasic().getAuthorizeMode();
    if (authorizeMode == SecurityAuthorizeMode.AUTHENTICATED) {
        http.authorizeRequests().anyRequest().authenticated();
    } else if (authorizeMode == null || authorizeMode == SecurityAuthorizeMode.ROLE) {
        // Unset mode behaves like ROLE.
        http.authorizeRequests().anyRequest().hasAnyRole(requiredRoles);
    }
    // Any other mode adds no authorization rule to the secured paths.
}
@Override
public void configure(HttpSecurity http) throws Exception {
    // Sessions may be created on demand so the protected resources are usable
    // from the browser UI as well as by OAuth2 clients (the original note says
    // session creation is disabled by default in 2.0.6).
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
    // This filter chain only handles /api/** ...
    http.antMatcher("/api/**");
    // ... where registration is open to anyone and everything else needs either
    // the 'read' OAuth2 scope or, for non-OAuth requests, the ROLE_USER role.
    // NOTE(review): whether hasRole() expects the bare name 'USER' or the
    // prefixed 'ROLE_USER' depends on the Spring Security version in use — confirm.
    http.authorizeRequests()
            .antMatchers("/api/users/register").permitAll()
            .antMatchers("/api/**")
            .access("#oauth2.hasScope('read') or (!#oauth2.isOAuth() and hasRole('ROLE_USER'))");
    // The original kept commented-out drafts for /web/** form login and a
    // global csrf().disable(); none of them are in effect.
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Stateless REST API: no CSRF tokens and no server-side sessions.
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // HTTP Basic, plus a ROLE_USER rule for each secured REST prefix. Requests
    // outside these prefixes get no authorization rule from this method.
    // NOTE(review): the value of CustomUserDetailsService.ROLE_USER is not
    // visible here; hasRole() may or may not add a ROLE_ prefix depending on
    // the Spring Security version — confirm the constant matches.
    http.httpBasic();
    String[] securedPrefixes = {"api", "manage"};
    for (String prefix : securedPrefixes) {
        http.authorizeRequests()
                .antMatchers("/" + prefix + "/**")
                .hasRole(CustomUserDetailsService.ROLE_USER);
    }
    // Hooks in the custom token configurer backed by the user details service.
    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> tokenConfigurer =
            new XAuthTokenConfigurer(userDetailsServiceBean());
    http.apply(tokenConfigurer);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Repository set up to read the AngularJS header name instead of the
    // Spring default X-CSRF-TOKEN. NOTE(review): it is never passed to the
    // csrf configurer below (the csrfTokenRepository(...) call is commented
    // out in the original), so it currently has no effect.
    HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();
    tokenRepository.setHeaderName("X-XSRF-TOKEN");
    // Marked "for testing purposes" in the original: disable() removes the
    // CSRF configurer and the following csrf() call applies a fresh default
    // one, so CSRF protection appears to end up enabled with default settings
    // (default header name, default repository) — confirm against the
    // Spring Security version in use.
    http.csrf().disable();
    http.csrf();
    // /admin/** requires ADMIN; everything else requires USER (rule order matters).
    http.authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");
    // No server-side sessions are created by Spring Security.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // Adds the filter that reads the x-auth-token header and validates it.
    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> tokenConfigurer =
            new XAuthTokenConfigurer(userDetailsServiceBean());
    http.apply(tokenConfigurer);
    // Login and logout are handled by the client-side AngularJS view, so no
    // formLogin()/logout() redirection is configured here.
}
@Override
public void configure(final HttpSecurity http) throws Exception {
    // Sessions are created on demand; every request on this chain must be
    // authenticated — no per-path or per-scope rules are active.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
    http.authorizeRequests().anyRequest().authenticated();
    // NOTE(review): the original keeps a commented-out draft of per-path
    // OAuth2 scope rules (foo/bar scopes combined with read/write for
    // /foos/** and /bars/**); they are not in effect here.
}