@Override
  public void configure(HttpSecurity http) throws Exception {
    // In this OAuth2 scenario with implicit flow we both login the user and obtain the token
    // in the same endpoint (/oauth/authorize). User credentials will be passed as "username" and
    // "password" form.
    // This might be different in other scenarios, for instance if we wanted to implement
    // authorization code flow to support token refresh.
    http.httpBasic()
        .disable()
        // Test filter gives problems because is redirecting to / is not saving the request to
        // redirect properly
        .logout()
        .logoutUrl(apiPath + oauth2LogoutEndpointPath)
        .logoutSuccessHandler(oauth2LogoutHandler());

    if (swagerEnabled) {
      if (!swaggerCloudMode) {
        // If swagger is enabled and we are not in 'cloud mode' (behind a Zuul OAuth2 enabled proxy)
        // we need to permit certain URLs and resources for Swagger UI to work with OAuth2
        http.authorizeRequests()
            .antMatchers(swaggerOauth2AllowedUrlsAntMatchers.split(","))
            .permitAll();
      }
    } else {
      http.authorizeRequests()
          .antMatchers(swaggerOauth2AllowedUrlsAntMatchers.split(","))
          .denyAll();
    }
    http.authorizeRequests().anyRequest().authenticated();
  }
Пример #2
0
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    HttpSessionCsrfTokenRepository csrfTokenRepository = new HttpSessionCsrfTokenRepository();
    csrfTokenRepository.setHeaderName(CSRF_HEADER_NAME);
    http.csrf().csrfTokenRepository(csrfTokenRepository);

    http.authorizeRequests()
        .antMatchers("/assets/**", "/webjars/**", "/login/**", "/api-docs/**")
        .permitAll()
        .antMatchers("/jsondoc/**", "/jsondoc-ui.html")
        .permitAll()
        .anyRequest()
        .fullyAuthenticated();

    http.formLogin().loginProcessingUrl("/login").loginPage("/login").failureUrl("/login?error");

    http.httpBasic();

    http.logout().logoutUrl("/logout").logoutSuccessUrl("/login?logout");

    http.headers()
        .defaultsDisabled()
        .contentTypeOptions()
        .and()
        .xssProtection()
        .and()
        .httpStrictTransportSecurity()
        .and()
        .addHeaderWriter(
            new StaticHeadersWriter(
                "Access-Control-Allow-Origin", "http://petstore.swagger.wordnik.com"))
        .addHeaderWriter(new CsrfTokenCookieWriter(csrfTokenRepository, CSRF_COOKIE_NAME));
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   // secure endpoints
   RequestMatcher matcher =
       this.management.getSecurity().isEnabled()
           ? LazyEndpointPathRequestMatcher.getRequestMatcher(this.contextResolver)
           : null;
   if (matcher != null) {
     // Always protect them if present
     if (this.security.isRequireSsl()) {
       http.requiresChannel().anyRequest().requiresSecure();
     }
     AuthenticationEntryPoint entryPoint = entryPoint();
     http.exceptionHandling().authenticationEntryPoint(entryPoint);
     // Match all the requests for actuator endpoints ...
     http.requestMatcher(matcher);
     // ... but permitAll() for the non-sensitive ones
     configurePermittedRequests(http.authorizeRequests());
     http.httpBasic().authenticationEntryPoint(entryPoint);
     // No cookies for management endpoints by default
     http.csrf().disable();
     http.sessionManagement().sessionCreationPolicy(this.management.getSecurity().getSessions());
     SpringBootWebSecurityConfiguration.configureHeaders(
         http.headers(), this.security.getHeaders());
   }
 }
Пример #4
0
 @Override
 protected void configure(final HttpSecurity http) throws Exception {
   http.httpBasic()
       .and()
       .authorizeRequests()
       .antMatchers(
           "/",
           "/components" + ANY,
           "/fusioncharts-suite-xt" + ANY,
           CRIPSTIAN_PATH + CSS + ANY,
           CRIPSTIAN_PATH + JS + ANY,
           CRIPSTIAN_PATH + IMG + ANY,
           CRIPSTIAN_PATH + HTML + "/home.html",
           "/user",
           CRIPSTIAN_PATH + HTML + "/login.html",
           CRIPSTIAN_PATH + HTML + "/new-account.html",
           "/account",
           PUBLIC_GRAPHS,
           GRAPHS_IDS,
           EUROSTAT_QUERY_RESULT,
           CRIPSTIAN_PATH + HTML + EUROSTAT_GRAPH)
       .permitAll()
       .anyRequest()
       .authenticated()
       .and()
       .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
       .csrf()
       .csrfTokenRepository(csrfTokenRepository());
 }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   if (this.security.isRequireSsl()) {
     http.requiresChannel().anyRequest().requiresSecure();
   }
   if (!this.security.isEnableCsrf()) {
     http.csrf().disable();
   }
   // No cookies for application endpoints by default
   http.sessionManagement().sessionCreationPolicy(this.security.getSessions());
   SpringBootWebSecurityConfiguration.configureHeaders(
       http.headers(), this.security.getHeaders());
   String[] paths = getSecureApplicationPaths();
   if (paths.length > 0) {
     AuthenticationEntryPoint entryPoint = entryPoint();
     http.exceptionHandling().authenticationEntryPoint(entryPoint);
     http.httpBasic().authenticationEntryPoint(entryPoint);
     http.requestMatchers().antMatchers(paths);
     String[] roles = this.security.getUser().getRole().toArray(new String[0]);
     SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode();
     if (mode == null || mode == SecurityAuthorizeMode.ROLE) {
       http.authorizeRequests().anyRequest().hasAnyRole(roles);
     } else if (mode == SecurityAuthorizeMode.AUTHENTICATED) {
       http.authorizeRequests().anyRequest().authenticated();
     }
   }
 }
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/api/filters/secured")
        .hasRole(SUPER_USER_ROLE)
        .antMatchers("/admin/**")
        .hasRole(ADMIN)
        .antMatchers("/**")
        .permitAll();

    http.httpBasic().and().csrf().disable();
  }
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http.csrf()
        .disable()
        .authorizeRequests()
        .antMatchers("/")
        .permitAll()
        .anyRequest()
        .authenticated();

    http.httpBasic();
    // @formatter:on
  }
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.httpBasic()
       .and()
       .authorizeRequests()
       .antMatchers(PERMIT_URLS)
       .permitAll()
       .anyRequest()
       .authenticated()
       .and()
       .csrf()
       .csrfTokenRepository(csrfTokenRepository())
       .and()
       .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
 }
Пример #9
0
 @Override
 protected void configure(final HttpSecurity http) throws Exception {
   http.httpBasic()
       .and()
       .authorizeRequests()
       .antMatchers("/**")
       .permitAll()
       .and()
       .sessionManagement()
       .sessionCreationPolicy(SessionCreationPolicy.NEVER)
       .enableSessionUrlRewriting(false)
       .and()
       .csrf()
       .disable();
 }
 /**
  * Defines the web based security configuration.
  *
  * @param http It allows configuring web based security for specific http requests.
  * @throws Exception
  */
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.httpBasic().authenticationEntryPoint(samlEntryPoint());
   http.csrf().disable();
   http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
       .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
   http.authorizeRequests()
       .antMatchers("/")
       .permitAll()
       .antMatchers("/error")
       .permitAll()
       .antMatchers("/saml/**")
       .permitAll()
       .anyRequest()
       .authenticated();
   http.logout().logoutSuccessUrl("/");
 }
Пример #11
0
 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.httpBasic()
       .and()
       .authorizeRequests()
       .antMatchers("/app/**", "/logout", "/login")
       .permitAll()
       .anyRequest()
       .authenticated()
       .and()
       .logout()
       .logoutSuccessUrl("/")
       .and()
       .csrf()
       .csrfTokenRepository(csrfTokenRepository())
       .and()
       .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
 }
Пример #12
0
  @Override
  protected void configure(HttpSecurity http) throws Exception {

    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    String[] restEndpointsToSecure = {"api", "manage"};
    for (String endpoint : restEndpointsToSecure) {
      http.httpBasic()
          .and()
          .authorizeRequests()
          .antMatchers("/" + endpoint + "/**")
          .hasRole(CustomUserDetailsService.ROLE_USER);
    }

    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter =
        new XAuthTokenConfigurer(userDetailsServiceBean());
    http.apply(securityConfigurerAdapter);
  }
 @Override
 public void configure(HttpSecurity http) throws Exception {
   http.httpBasic()
       .and()
       .authorizeRequests()
       .antMatchers(
           "/*.html",
           "/client",
           "/*/regist",
           "/*/register",
           "/oauth/authorize",
           "/oauth/confirm_access",
           "/",
           "/mail/*")
       .permitAll()
       .and()
       .authorizeRequests()
       .anyRequest()
       .authenticated();
 }
Пример #14
0
 @Override
 protected void configure(final HttpSecurity http) throws Exception {
   http.httpBasic()
       .and()
       .authorizeRequests()
       .antMatchers("/api/system/env/java.(runtime|vm).*", "/api/system/metrics/**")
       .permitAll()
       .antMatchers("/api/system/env/**")
       .denyAll()
       .antMatchers("/**")
       .permitAll()
       .and()
       .sessionManagement()
       .sessionCreationPolicy(STATELESS)
       .and()
       .csrf()
       .disable()
       .headers()
       .frameOptions() // OEmbedController#embedTrack uses an iframe
       .disable();
 }