@Override protected void configure(HttpSecurity http) throws Exception { HttpSessionCsrfTokenRepository csrfTokenRepository = new HttpSessionCsrfTokenRepository(); csrfTokenRepository.setHeaderName(CSRF_HEADER_NAME); http.csrf().csrfTokenRepository(csrfTokenRepository); http.authorizeRequests() .antMatchers("/assets/**", "/webjars/**", "/login/**", "/api-docs/**") .permitAll() .antMatchers("/jsondoc/**", "/jsondoc-ui.html") .permitAll() .anyRequest() .fullyAuthenticated(); http.formLogin().loginProcessingUrl("/login").loginPage("/login").failureUrl("/login?error"); http.httpBasic(); http.logout().logoutUrl("/logout").logoutSuccessUrl("/login?logout"); http.headers() .defaultsDisabled() .contentTypeOptions() .and() .xssProtection() .and() .httpStrictTransportSecurity() .and() .addHeaderWriter( new StaticHeadersWriter( "Access-Control-Allow-Origin", "http://petstore.swagger.wordnik.com")) .addHeaderWriter(new CsrfTokenCookieWriter(csrfTokenRepository, CSRF_COOKIE_NAME)); }
@Override protected void configure(HttpSecurity http) throws Exception { // Sync HTTP Header names to AngularJs name (default Spring: X-CSRF-TOKEN) HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository(); tokenRepository.setHeaderName("X-XSRF-TOKEN"); // ~~ http.csrf() // .csrfTokenRepository(tokenRepository) .disable() .csrf() // for testing purposes .and() .authorizeRequests() .antMatchers("/admin/**") .hasRole("ADMIN") .and() .authorizeRequests() .antMatchers("/**") .hasRole("USER"); http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); // injects filter to read out x-auth-token header and validates it SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter = new XAuthTokenConfigurer(userDetailsServiceBean()); http.apply(securityConfigurerAdapter); // Since we use the client-side AngularJS login view, we do not have to cover redirection /* .and() .formLogin() .loginPage("/login") .defaultSuccessUrl("/") .usernameParameter("usr") .passwordParameter("pwd") .permitAll() .and() .logout() .logoutUrl("/logout") .logoutSuccessUrl("/login") .permitAll(); */ }
private CsrfTokenRepository csrfTokenRepository() { HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository(); repository.setHeaderName("X-XSRF-TOKEN"); return repository; }