@Override
protected void configure(HttpSecurity http) throws Exception {
    // Anonymous visitors carry ROLE_ANONYMOUS so that the /deptanon.html rule below can single them out.
    http.anonymous().authorities("ROLE_ANONYMOUS");

    // Rules are matched top-down: login/after pages are open, the anonymous page is for
    // unauthenticated users only, and everything else needs an authenticated principal.
    http.authorizeRequests()
        .antMatchers("/login**", "/after**").permitAll()
        .antMatchers("/deptanon.html").anonymous()
        .anyRequest().authenticated();

    http.formLogin()
        .loginPage("/login.html")
        .defaultSuccessUrl("/deptform.html")
        .failureHandler(customFailureHandler)
        .successHandler(customSuccessHandler);

    // The anonymous filter is placed ahead of the username/password filter;
    // appAuthenticationFilter is registered at its own declared position in the chain.
    http.addFilterBefore(appAnonAuthFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilter(appAuthenticationFilter(authenticationManager()));

    http.logout()
        .logoutUrl("/logout.html")
        .logoutSuccessHandler(customLogoutHandler);

    http.exceptionHandling().authenticationEntryPoint(setAuthPoint());

    // NOTE(review): CSRF protection is switched off while form login (and therefore a
    // session cookie) is in use, so state-changing requests are not protected against
    // cross-site request forgery. Confirm this is intended.
    http.csrf().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CSRF is disabled and no HTTP session is created: the API is authenticated per request
    // by the token filter registered at the end of this method.
    // NOTE(review): disabling CSRF is only safe while the token is sent in a request header
    // rather than a cookie — verify against the filter.
    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Public endpoints first (rules are matched top-down), everything else requires authentication.
    http.authorizeRequests()
        .antMatchers("/api/auth", "/api/users/me", "/api/greetings/public").permitAll()
        .anyRequest().authenticated();

    http.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Async support plus the JWT filter, which runs ahead of the username/password filter.
    http = http.addFilter(new WebAsyncManagerIntegrationFilter());
    http = http.addFilterBefore(jwtAuthFilter(), UsernamePasswordAuthenticationFilter.class);

    // This filter chain only applies to /ext/** requests.
    http.antMatcher("/ext/**");

    // CSRF stays enabled, but which requests are protected is decided by csrfSecurityRequestMatcher.
    http.csrf().requireCsrfProtectionMatcher(csrfSecurityRequestMatcher);
    http.headers().frameOptions().sameOrigin();

    // Only the listed media endpoints carry an authorization rule here.
    // NOTE(review): there is no anyRequest() rule, so other /ext/** paths are not covered
    // by this registry — confirm that is intended.
    http.authorizeRequests()
        .antMatchers("/ext/stream/**", "/ext/coverArt*", "/ext/share/**", "/ext/hls/**")
        .hasAnyRole("TEMP", "USER");

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Default configurers explicitly enabled for this chain.
    http.exceptionHandling();
    http.securityContext();
    http.requestCache();
    http.anonymous();
    http.servletApi();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // CSRF is off because authentication is carried in a JWT rather than a session cookie.
    // NOTE(review): that reasoning holds only while the token never travels in a cookie.
    httpSecurity.csrf().disable();

    // Every URL must be authenticated except the /login pre-flight and CORS pre-flight requests;
    // the token filter registered below fires for all paths.
    httpSecurity.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS, "/login").permitAll()
        .requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
        .anyRequest().authenticated();

    // Failed authentication/authorisation answers with a plain 401 instead of a redirect.
    httpSecurity.exceptionHandling()
        .authenticationEntryPoint((httpServletRequest, httpServletResponse, e) ->
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized"));

    // No HTTP session is created; each request authenticates itself.
    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Requests to /login are handled by JwtAuthenticationTokenFilter, which owns the JWT issuing logic.
    httpSecurity.addFilterBefore(
        new JwtAuthenticationTokenFilter("/login", authenticationManager()),
        UsernamePasswordAuthenticationFilter.class);
    // Every other request has its token validated by JWTAuthenticationFilter.
    httpSecurity.addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

    // Cache-Control headers instruct the browser not to cache protected responses.
    httpSecurity.headers().cacheControl();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // Stateless, token-based API: no CSRF token, no HTTP session, 401 handled by unauthorizedHandler.
    httpSecurity.csrf().disable();
    httpSecurity.exceptionHandling().authenticationEntryPoint(this.unauthorizedHandler);
    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // CORS pre-flight, the auth endpoints and the anonymous area are open; everything else
    // requires an authenticated principal. Rules are matched top-down.
    httpSecurity.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
        .antMatchers("/auth/**").permitAll()
        .antMatchers("/anonymous/**").permitAll()
        .anyRequest().authenticated();

    // Custom JWT based authentication, evaluated before the username/password filter.
    httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
}
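@Override
protected void configure(HttpSecurity http) throws Exception {
    // Stateless JWT API: no CSRF token, no HTTP session, 401 answered by unauthorizedHandler.
    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(unauthorizedHandler);

    // Authorization rules are matched top-down and the first match wins. The permitAll
    // rule for POST /login must therefore precede the POST /** rule; in the previous order
    // it was shadowed and never applied.
    // NOTE(review): only POST requests carry a rule here; other methods are not covered
    // by this registry — confirm that is intended.
    http.authorizeRequests()
        .antMatchers(HttpMethod.POST, "/login").permitAll()
        .antMatchers(HttpMethod.POST, "/**").authenticated();

    http.formLogin();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.logout();

    // Login requests are handled by JwtLoginFilter; every other request has its token
    // checked by JwtAuthenticationFilter. Both run ahead of the username/password filter.
    http.addFilterBefore(
        new JwtLoginFilter(urlLogin, authenticationManager(), tokenAuthenticationService),
        UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(
        new JwtAuthenticationFilter(tokenAuthenticationService),
        UsernamePasswordAuthenticationFilter.class);

    // Cache-Control headers instruct the browser not to cache protected responses.
    http.headers().cacheControl();
}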
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity.cors();

    // CSRF is off because authentication is carried in a JWT rather than a session cookie.
    // NOTE(review): that reasoning holds only while the token never travels in a cookie.
    httpSecurity.csrf().disable();

    // Pre-flight requests are open; /auth/** requires authentication.
    // NOTE(review): there is no anyRequest() rule, so paths outside /auth/** are not
    // covered by this registry — confirm that is intended.
    httpSecurity.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS).permitAll()
        .antMatchers("/auth/**").authenticated();

    // No HTTP session is created; each request authenticates itself.
    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Custom JWT based security filter, evaluated before the username/password filter.
    httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

    // Cache-Control headers are left at Spring Security's default; no explicit call is made here.
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // CSRF is off because authentication is carried in a JWT rather than a session cookie.
    // NOTE(review): that reasoning holds only while the token never travels in a cookie.
    httpSecurity.csrf().disable();
    httpSecurity.exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint);

    // JWT auth is per request, so no HTTP session is created.
    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    httpSecurity.authorizeRequests()
        .antMatchers("/auth").permitAll()                        // anyone may try to authenticate
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()      // CORS pre-flight
        .anyRequest().authenticated();                           // everything else is locked down

    // Custom JWT security filter, placed before Spring Security's username/password filter.
    httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

    // NOTE(review): disable() switches off Spring Security's Cache-Control header writer,
    // so the browser is NOT told to avoid caching these responses. If the goal is to
    // prevent caching, the writer should stay enabled. Confirm the intent.
    httpSecurity.headers().cacheControl().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // JWT based authentication: no CSRF token, no HTTP session.
    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint);
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Rules are matched top-down: GET on the token-based entry point is open, the remaining
    // methods on it require authentication.
    // NOTE(review): the final rule is anyRequest().permitAll(), i.e. a default-allow —
    // any path not listed above is reachable without authentication. Confirm that is intended.
    http.authorizeRequests()
        .antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll()
        .antMatchers(API_DOCS_ENTRY_POINT).permitAll()
        .antMatchers(HttpMethod.GET, TOKEN_BASED_AUTH_ENTRY_POINT).permitAll()
        .antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated()
        .anyRequest().permitAll();

    // Login processing first, then token validation, both ahead of the username/password filter.
    http.addFilterBefore(buildDeviceLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // JWT based authentication: no CSRF token, no HTTP session.
    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint);
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Rules are matched top-down.
    // NOTE(review): the DB-status rule relies on the remote address being the loopback
    // address; behind a reverse proxy the observed address may be the proxy's — verify.
    // NOTE(review): anyRequest().permitAll() is a default-allow: unlisted paths are
    // reachable without authentication. Confirm that is intended.
    http.authorizeRequests()
        .antMatchers(HttpMethod.POST, formBasedAuthEntry).permitAll()
        .antMatchers(HttpMethod.GET, apiAuthEntry).permitAll()
        .antMatchers(apiAuthEntry).authenticated()
        .antMatchers(dbStatusAuthEntry).access("hasIpAddress('127.0.0.1')")
        .anyRequest().permitAll();

    // CORS runs early in the chain; the login and token filters run ahead of the
    // username/password filter.
    http.addFilterBefore(corsFilter(), SessionManagementFilter.class);
    http.addFilterBefore(buildDeviceLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(buildJwtTokenAuthenticationProcessingFilterDbStatus(), UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // The single page application root is served to everyone; not needed when the page
    // is hosted elsewhere.
    http.authorizeRequests().antMatchers("/").permitAll();

    // Logout is open and returns to the root.
    http.logout().logoutSuccessUrl("/").permitAll();

    // Every other service requires an authenticated principal.
    http.authorizeRequests().anyRequest().authenticated();

    // Token based authentication, so no CSRF token is required.
    // NOTE(review): this holds only while the token is presented in a header, not a cookie.
    http.csrf().disable();

    // The filter validates the Azure AD JWT and assigns roles. Without it the token is not
    // validated and the role would always be ROLE_USER.
    http.addFilterBefore(azureAdJwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Works around the browser error "Refused to display 'http://......' in a frame because
    // it set 'X-Frame-Options' to 'DENY'".
    // NOTE(review): disabling frame options removes clickjacking protection for every page;
    // frameOptions().sameOrigin() or a CSP frame-ancestors allow-list is the narrower fix.
    http.headers().frameOptions().disable();

    // Rules are matched top-down: root is open, session info needs a login, every other
    // address is decided by permissionService (login plus the specific permission).
    http.authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/**/session/**").authenticated()
        .anyRequest().access("@permissionService.hasPermission(request,authentication)");

    http.addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class);
    http.addFilterAt(codeUsernamePasswordAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

    // Unauthenticated requests receive a JSON "not logged in" body instead of a redirect.
    http.exceptionHandling()
        .authenticationEntryPoint((request, response, authException) -> {
            String body = JSON.toJSONString(JsonUtil.getResultJson(ResultCodeEnum.NOLOGIN));
            HttpHelper.setResponseJsonData(response, body);
        });

    // NOTE(review): corsFilter is registered a second time here, ahead of LogoutFilter —
    // confirm the double registration is intended.
    http.addFilterBefore(corsFilter, LogoutFilter.class);

    http.formLogin().loginProcessingUrl("/login").permitAll();
    http.logout().logoutSuccessHandler(logoutSuccessHandler()).permitAll();

    // NOTE(review): CSRF is disabled while form login is in use — state-changing requests
    // are not protected against cross-site request forgery.
    http.csrf().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // JWT based authentication: no CSRF token, no HTTP session.
    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint);
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Open entry points: admin login, login and token refresh.
    http.authorizeRequests()
        .antMatchers(ADMIN_LOGIN_ENTRY_POINT).permitAll()
        .antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll()
        .antMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll();

    // Protected API end-points.
    // NOTE(review): no anyRequest() rule is present, so paths outside
    // TOKEN_BASED_AUTH_ENTRY_POINT are not covered by this registry — confirm intent.
    http.authorizeRequests()
        .antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated();

    // Login processing first, then token validation, both ahead of the username/password filter.
    http.addFilterBefore(buildAjaxLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // REST is stateless: no CSRF token and no HTTP session. Neither HTTP Basic nor form
    // login is enabled by this override.
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Unauthenticated requests are answered by NoAuthenticationEntryPoint
    // (presumably a plain error status rather than a redirect — verify in that class).
    http.exceptionHandling().authenticationEntryPoint(new NoAuthenticationEntryPoint());

    // Subclasses define which paths are protected.
    setupAuthorization(http);

    http.addFilterBefore(jsonWebTokenFilter, UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // CSRF is off because authentication is carried in a JWT rather than a session cookie.
    // NOTE(review): that reasoning holds only while the token never travels in a cookie.
    httpSecurity.csrf().disable();
    httpSecurity.exceptionHandling().authenticationEntryPoint(unauthorizedHandler);

    // No HTTP session is created; each request authenticates itself.
    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // The auth URL is open; everything else requires an authenticated principal.
    httpSecurity.authorizeRequests()
        .antMatchers("/auth").permitAll()
        .anyRequest().authenticated();

    // Custom JWT based security filter, evaluated before the username/password filter.
    httpSecurity.addFilterBefore(authenticationFilterBean(), UsernamePasswordAuthenticationFilter.class);

    // Cache-Control headers instruct the browser not to cache protected responses.
    httpSecurity.headers().cacheControl();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // JWT is used, so no CSRF token is required.
    // NOTE(review): this holds only while the token is presented in a header, not a cookie.
    http.csrf().disable();

    // Token based, so no HTTP session is needed.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // NOTE(review): the original comment said the login route is public for POST only,
    // but the rules below open GET /login and POST /register — confirm which is intended.
    http.authorizeRequests()
        .antMatchers(HttpMethod.GET, "/info").permitAll()
        .antMatchers(HttpMethod.POST, "/register").permitAll()
        .antMatchers(HttpMethod.GET, "/login").permitAll()
        .antMatchers(HttpMethod.GET, "/refresh").permitAll()
        .anyRequest().authenticated();

    // Integrates JWT with Spring Security: every other request is checked for a JWT in
    // the header and only passes once the token has been validated.
    http.addFilterBefore(authenticationFilterBean(), UsernamePasswordAuthenticationFilter.class);

    // Cache-Control headers instruct the browser not to cache protected responses.
    http.headers().cacheControl();
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Rules are matched top-down: public login, images, store reads and user sign-up;
    // write operations on products, stock and stores are restricted by authority.
    // NOTE(review): the store rules mix "/store/" (exact path) for POST/PUT with
    // "/store/**" for DELETE, and "/user/" is exact as well — confirm the patterns match
    // the real endpoints.
    http.authorizeRequests()
        .antMatchers("/auth/login").permitAll()
        .antMatchers("/image/**").permitAll()
        .antMatchers(HttpMethod.GET, "/store/**").permitAll()
        .antMatchers(HttpMethod.POST, "/user/").permitAll()
        .antMatchers(HttpMethod.POST, "/product/**").hasAuthority(ROLE_ADMIN.name())
        .antMatchers(HttpMethod.PUT, "/product/**").hasAuthority(ROLE_ADMIN.name())
        .antMatchers(HttpMethod.DELETE, "/product/**").hasAuthority(ROLE_ADMIN.name())
        .antMatchers(HttpMethod.POST, "/stock/**").hasAnyAuthority(ROLE_ADMIN.name(), ROLE_STOCK_MANAGER.name())
        .antMatchers(HttpMethod.PUT, "/stock/**").hasAnyAuthority(ROLE_ADMIN.name(), ROLE_STOCK_MANAGER.name())
        .antMatchers(HttpMethod.DELETE, "/stock/**").hasAnyAuthority(ROLE_ADMIN.name(), ROLE_STOCK_MANAGER.name())
        .antMatchers(HttpMethod.POST, "/store/").hasAnyAuthority(ROLE_ADMIN.name(), ROLE_STORE_MANAGER.name())
        .antMatchers(HttpMethod.PUT, "/store/").hasAnyAuthority(ROLE_ADMIN.name(), ROLE_STORE_MANAGER.name())
        .antMatchers(HttpMethod.DELETE, "/store/**").hasAnyAuthority(ROLE_ADMIN.name(), ROLE_STORE_MANAGER.name())
        .anyRequest().authenticated();

    // The custom filter runs before the username/password filter.
    http.addFilterBefore(filter(), UsernamePasswordAuthenticationFilter.class);

    // Stateless, token-based API: no HTTP session and no CSRF token.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.csrf().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // JWT based authentication: no CSRF token, no HTTP session.
    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint);
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Open entry points: login and token refresh.
    http.authorizeRequests()
        .antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll()
        .antMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll();

    // Protected API end-points.
    // NOTE(review): no anyRequest() rule is present, so paths outside
    // TOKEN_BASED_AUTH_ENTRY_POINT are not covered by this registry — confirm intent.
    http.authorizeRequests()
        .antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated();

    // Request sanitising and CORS run first, then login processing, then token validation,
    // all ahead of the username/password filter.
    http.addFilterBefore(new XSSFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(new CustomCorsFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(buildAjaxLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // CSRF is off because authentication is carried in a JWT rather than a session cookie.
    // NOTE(review): that reasoning holds only while the token never travels in a cookie.
    httpSecurity.csrf().disable();
    httpSecurity.exceptionHandling().authenticationEntryPoint(unauthorizedHandler);

    // No HTTP session is created; each request authenticates itself.
    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Auth endpoints and CORS pre-flight are open; everything else requires authentication.
    httpSecurity.authorizeRequests()
        .antMatchers("/auth/**").permitAll()
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
        .anyRequest().authenticated();

    // Custom JWT based security filter, evaluated before the username/password filter.
    httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

    // Cache-Control headers instruct the browser not to cache protected responses.
    httpSecurity.headers().cacheControl();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Token-based API: no CSRF token.
    http.csrf().disable();

    // Default configurers explicitly enabled, plus Cache-Control headers.
    http.exceptionHandling();
    http.anonymous();
    http.servletApi();
    http.headers().cacheControl();

    // NOTE(review): only GET /api/users/** carries an authorization rule; there is no
    // anyRequest() rule, so every other path is not covered by this registry — confirm intent.
    http.authorizeRequests()
        .antMatchers(HttpMethod.GET, "/api/users/**").hasRole("USER");

    // Login requests are handled by StatelessLoginFilter; all other requests have their
    // token checked by StatelessAuthenticationFilter. Both run ahead of the
    // username/password filter.
    http.addFilterBefore(
        new StatelessLoginFilter("/api/login", tokenAuthenticationService, userService, authenticationManager()),
        UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(
        new StatelessAuthenticationFilter(tokenAuthenticationService),
        UsernamePasswordAuthenticationFilter.class);
}
@Override
public void init(HttpSecurity http) throws Exception {
    // This configurer is not a managed bean, so autowire its dependencies by hand.
    ApplicationContext applicationContext = http.getSharedObject(ApplicationContext.class);
    applicationContext.getAutowireCapableBeanFactory().autowireBean(this);

    // Only register the header filter when the JWT config is the Spring Security flavour;
    // otherwise juiser.security.enabled is false or Spring Security was disabled via a property.
    boolean usesSpringSecurityJwt = forwardedHeaderConfig.getJwt() instanceof SpringSecurityJwtConfig;
    if (!usesSpringSecurityJwt) {
        return;
    }

    // Authenticates requests from the configured forwarded header, ahead of the username/password filter.
    String forwardedHeader = forwardedHeaderConfig.getName();
    HeaderAuthenticationFilter headerFilter = new HeaderAuthenticationFilter(forwardedHeader, authenticationManager);
    http.addFilterBefore(headerFilter, UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Stateless API: no CSRF token and no HTTP session; unauthenticated requests get a 401.
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.exceptionHandling().authenticationEntryPoint(http401UnauthorizedEntryPoint);

    // Login endpoints are open; everything else requires an authenticated principal.
    http.authorizeRequests()
        .antMatchers("/login/**").permitAll()
        .anyRequest().authenticated();

    // CORS runs at the very start of the chain; token authentication runs ahead of the
    // username/password filter.
    http.addFilterBefore(crossOriginResourceSharingFilter, ChannelProcessingFilter.class);
    http.addFilterBefore(statelessAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/unsecured/**").permitAll();

    // This whole chain only applies to /api/v1/** requests.
    // NOTE(review): the /unsecured/** rule above is therefore only evaluated for requests
    // that already match /api/v1/** — confirm that is the intended scope.
    http.antMatcher("/api/v1/**");

    // Stateless API: no HTTP session and no CSRF token.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.csrf().disable();

    http.authorizeRequests().anyRequest().authenticated();

    // OAuth signature checking runs ahead of the username/password filter; the request-id
    // filter runs ahead of the protected-resource filter.
    http.addFilterBefore(oAuthSignatureCheckingFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(requestIdFilter(), ProtectedResourceProcessingFilter.class);
}
@Test
public void Can_wrap_a_success_handler() {
    // Given: a filter whose current success handler is retrieved through the mutator
    // and wrapped by the JWT success handler factory.
    final UsernamePasswordAuthenticationFilter targetFilter = mock(UsernamePasswordAuthenticationFilter.class);
    final AuthenticationSuccessHandler existingHandler = mock(AuthenticationSuccessHandler.class);
    final JwtAuthenticationSuccessHandler wrappingHandler = mock(JwtAuthenticationSuccessHandler.class);
    given(mutator.retrieve(targetFilter, "successHandler", AuthenticationSuccessHandler.class))
        .willReturn(existingHandler);
    given(successHandler.withDelegate(existingHandler)).willReturn(wrappingHandler);

    // When
    successHandlerWrapper.modify(targetFilter);

    // Then: the filter receives the wrapping handler that delegates to the old one.
    verify(targetFilter).setAuthenticationSuccessHandler(wrappingHandler);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // JWT based API: no CSRF token, no HTTP session.
    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint);
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // CORS pre-flight, static front-end assets and the auth endpoint are open;
    // everything else requires an authenticated principal.
    http.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
        .antMatchers(HttpMethod.GET,
            "/", "/favicon.ico", "/**/*.css", "/**/*.js", "/**/*.woff", "/**/*.woff2", "/**/*.ttf").permitAll()
        .antMatchers("/api/auth").permitAll()
        .anyRequest().authenticated();

    // JWT validation runs ahead of the username/password filter.
    http.addFilterBefore(this.jwtAuthTokenFilter, UsernamePasswordAuthenticationFilter.class);

    // NOTE(review): disable() switches off Spring Security's Cache-Control header writer,
    // so the browser is not told to avoid caching protected responses — confirm intent.
    http.headers().cacheControl().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Token-based API: no CSRF token.
    // NOTE(review): with CSRF off, the open logout endpoint below can be triggered
    // cross-site; confirm that is acceptable for this deployment.
    http.csrf().disable();

    http.authorizeRequests()
        // Swagger documentation is anonymously accessible.
        .antMatchers("/v2/api-docs", "/**/swagger-ui.html", "/webjars/**", "/swagger-resources/**", "/configuration/**").permitAll()
        // Anonymous users must be able to log in and register.
        .antMatchers("/authenticate", "/users").permitAll()
        // Front-end home page and its assets.
        .antMatchers("/", "/app/**", "/bower_components/**", "/partials/**").permitAll()
        // Every other path is protected.
        .anyRequest().authenticated();

    http.logout().permitAll();

    // Login requests are handled by JwtLoginFilter; other requests have their JWT checked
    // by jwtAuthenticationFilter. Both run ahead of the username/password filter.
    http.addFilterBefore(
        new JwtLoginFilter("/authenticate", jwtUtil, userDetailsService, authenticationManager()),
        UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Cache-Control headers instruct the browser not to cache protected responses.
    http.headers().cacheControl();

    // Token-based API: no CSRF token.
    // NOTE(review): this holds only while the token is presented in a header, not a cookie.
    http.csrf().disable();

    // Root and POST /login are open; everything else requires an authenticated principal.
    http.authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers(HttpMethod.POST, "/login").permitAll()
        .anyRequest().authenticated();

    // /login requests are handled by JWTLoginFilter; every other request is checked for a
    // JWT in the header by JWTAuthenticationFilter. Both run ahead of the username/password filter.
    http.addFilterBefore(new JWTLoginFilter("/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    LOGGER.info("[StatelessAuthenticationEntryPoint]- " + unauthorizedHandler);

    // CSRF is off because authentication is carried in a JWT rather than a session cookie.
    // NOTE(review): that reasoning holds only while the token never travels in a cookie.
    httpSecurity.csrf().disable();
    httpSecurity.exceptionHandling().authenticationEntryPoint(unauthorizedHandler);

    // No HTTP session is created; each request authenticates itself.
    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Root, the browser UI and the docs are open; everything else requires authentication.
    httpSecurity.authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/browser/**/*").permitAll()
        .antMatchers("/docs/**/*").permitAll()
        .anyRequest().authenticated();

    httpSecurity.addFilterBefore(statelessAuthenticationFilterBean(), UsernamePasswordAuthenticationFilter.class);

    // Cache-Control headers instruct the browser not to cache protected responses.
    httpSecurity.headers().cacheControl();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CSRF stays enabled; only /login is exempt from the token check.
    http.csrf().ignoringAntMatchers("/login");

    // /login is open, token requests need authentication, the authorize endpoint needs ROLE_USER.
    http.authorizeRequests()
        .antMatchers("/login").permitAll()
        .antMatchers("/oauth/token").authenticated()
        .antMatchers("/oauth/authorize").hasAuthority("ROLE_USER");

    // JWT validation runs ahead of the username/password filter.
    http.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);

    http.exceptionHandling().authenticationEntryPoint(jwtAuthEndPoint);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // No HTTP session; the Flowable cookie filter authenticates each request.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.addFilterBefore(flowableCookieFilter, UsernamePasswordAuthenticationFilter.class);

    http.logout()
        .logoutUrl("/app/logout")
        .logoutSuccessHandler(ajaxLogoutSuccessHandler)
        .addLogoutHandler(new ClearFlowableCookieLogoutHandler());

    // CSRF is disabled because enabling it would cause sessions to be created.
    // NOTE(review): authentication here is cookie-based, so the usual CSRF exposure applies;
    // confirm a compensating control exists.
    http.csrf().disable();

    // Same-origin framing only, plus the X-XSS-Protection header.
    http.headers()
        .frameOptions().sameOrigin()
        .addHeaderWriter(new XXssProtectionHeaderWriter());

    // NOTE(review): only the REST prefix carries an authorization rule; there is no
    // anyRequest() rule — confirm other paths are meant to be uncovered by this registry.
    http.authorizeRequests()
        .antMatchers(REST_ENDPOINTS_PREFIX + "/**").hasAuthority(DefaultPrivileges.ACCESS_MODELER);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // No HTTP session; the Flowable cookie filter authenticates each request.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.addFilterBefore(flowableCookieFilter, UsernamePasswordAuthenticationFilter.class);

    http.logout()
        .logoutUrl("/app/logout")
        .logoutSuccessHandler(ajaxLogoutSuccessHandler)
        .addLogoutHandler(new ClearFlowableCookieLogoutHandler());

    // CSRF is disabled because enabling it would cause sessions to be created.
    // NOTE(review): authentication here is cookie-based, so the usual CSRF exposure applies;
    // confirm a compensating control exists.
    http.csrf().disable();

    // Same-origin framing only, plus the X-XSS-Protection header.
    http.headers()
        .frameOptions().sameOrigin()
        .addHeaderWriter(new XXssProtectionHeaderWriter());

    // NOTE(review): only /app/rest/** carries an authorization rule; there is no
    // anyRequest() rule — confirm other paths are meant to be uncovered by this registry.
    http.authorizeRequests()
        .antMatchers("/app/rest/**").hasAuthority(DefaultPrivileges.ACCESS_TASK);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic().disable();
    http.exceptionHandling().authenticationEntryPoint(internalConfig.authenticationEntryPoint());
    http.authenticationProvider(internalConfig.authenticationProvider());

    http.formLogin()
        .loginProcessingUrl(SECURITY_BASE + METHOD_LOGIN)
        .successHandler(internalConfig.successHandler())
        .failureHandler(internalConfig.failureHandler());

    http.logout()
        .logoutUrl(SECURITY_BASE + METHOD_LOGOUT)
        .logoutSuccessHandler(internalConfig.logoutSuccessHandler())
        .invalidateHttpSession(true);

    // Rules are matched top-down.
    // NOTE(review): the Ant pattern "*" matches a single path segment, not every request;
    // if a catch-all was intended that is "/**" — and a default-allow after the protected
    // rules should be reconsidered in any case.
    http.authorizeRequests()
        .antMatchers(API_HELLO + METHOD_HELLO_ADMIN).hasAuthority("ADMIN")
        .antMatchers(API_HELLO + METHOD_HELLO_AUTHENTICATED).authenticated()
        .antMatchers("*").permitAll();

    // Stateless, token-based: no HTTP session and no CSRF token.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.csrf().disable();

    http.addFilterBefore(
        internalConfig.authenticationTokenFilterBean(authenticationManager()),
        UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Token-based API: no CSRF token.
    http.csrf().disable();

    // Admin login is open; everything else requires an authenticated principal.
    http.authorizeRequests()
        .antMatchers("/admin/login").permitAll()
        .anyRequest().authenticated();

    http.exceptionHandling().authenticationEntryPoint(entryPoint);

    // No HTTP session is created; each request authenticates itself.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Token validation runs ahead of the username/password filter.
    http.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

    // Cache-Control headers instruct the browser not to cache protected responses.
    http.headers().cacheControl();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    LOG.debug("configuring HttpSecurity");

    // The LTI launch is only allowed to be framed by the configured Canvas origin.
    String canvasUrl = configService.getConfigValue("canvas_url");
    if (StringUtils.isBlank(canvasUrl)) {
        throw new RuntimeException("Missing canvas_url config value");
    }

    // NOTE(review): the CSP allows 'unsafe-inline' for script-src, which weakens its
    // value as an XSS mitigation; a nonce or hash based policy would be stricter.
    String contentSecurityPolicy =
        "default-src 'self' https://s.ksucloud.net https://*.instructure.com; "
            + "font-src 'self' https://s.ksucloud.net https://*.instructure.com; "
            + "script-src 'self' 'unsafe-inline' https://ajax.googleapis.com; "
            + "style-src 'self' 'unsafe-inline' https://*.instructure.com https://www.k-state.edu";

    // This chain applies to /launch only; the LTI processing filter authenticates the launch
    // ahead of the username/password filter.
    http.requestMatchers().antMatchers("/launch");
    http.addFilterBefore(configureProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
    http.authorizeRequests().anyRequest().authenticated();

    // The launch is a cross-site POST from the LMS, so the CSRF token cannot be supplied.
    http.csrf().disable();

    // NOTE(review): X-Frame-Options ALLOW-FROM is not honoured by current browsers; the
    // CSP frame-ancestors directive is the supported way to allow-list the framing origin.
    http.headers()
        .addHeaderWriter(new XFrameOptionsHeaderWriter(new StaticAllowFromStrategy(new URI(canvasUrl))))
        .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", contentSecurityPolicy))
        .addHeaderWriter(new StaticHeadersWriter("P3P", "CP=\"This is just to make IE happy with cookies in this iframe\""));
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // /login is open; everything under /oauth/ requires an authenticated principal.
    http.authorizeRequests()
        .antMatchers("/login").permitAll()
        .antMatchers("/oauth/**").authenticated();

    // TODO: This is a bad idea! CSRF protection is needed at least for the `/oauth/authorize`
    // endpoint, since sessions are always created below and the consent request is a
    // state-changing browser POST.
    http.csrf().disable();

    http.exceptionHandling()
        .authenticationEntryPoint(loginUrlAuthenticationEntryPoint())
        .accessDeniedPage("/login/error");

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);

    http.addFilterBefore(loginDecisionFilter(), UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // Stateless, token-based API: no CSRF token, no HTTP session, 401 handled by unauthorizedHandler.
    httpSecurity.csrf().disable();
    httpSecurity.exceptionHandling().authenticationEntryPoint(this.unauthorizedHandler);
    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // CORS pre-flight and the auth endpoints are open; everything else requires authentication.
    httpSecurity.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
        .antMatchers("/auth/**").permitAll()
        .anyRequest().authenticated();

    // Custom JWT based authentication, evaluated before the username/password filter.
    httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Default configurers explicitly enabled, plus Cache-Control headers.
    // CSRF protection is left at its default here (not disabled).
    http.exceptionHandling();
    http.anonymous();
    http.servletApi();
    http.headers().cacheControl();

    http.authorizeRequests()
        // Static resources are open to anonymous users.
        .antMatchers("/").permitAll()
        .antMatchers("/favicon.ico").permitAll()
        .antMatchers("/**/*.html").permitAll()
        .antMatchers("/**/*.css").permitAll()
        .antMatchers("/**/*.js").permitAll()
        // Login endpoints are open.
        .antMatchers("/auth/**").permitAll()
        // Everything else requires an authenticated principal.
        .anyRequest().authenticated();

    // Token based authentication from the header handed to the client earlier,
    // evaluated before the username/password filter.
    http.addFilterBefore(
        new StatelessAuthenticationFilter(tokenAuthenticationService),
        UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Stateless REST API: no CSRF token.
    http.csrf().disable();

    // Custom authentication filter, placed after the username/password filter.
    http.addFilterAfter(restAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Entry point invoked when an authentication exception occurs.
    http.exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint());

    // Expression-based rules, matched top-down: paths that must be reachable without a
    // login are listed first.
    // NOTE(review): there is no anyRequest() rule, so paths outside /v1/.* are not covered
    // by this registry — confirm that is intended.
    http.authorizeRequests()
        .regexMatchers("/").permitAll()                              // open URL
        .regexMatchers("/hello").permitAll()                         // open URL
        .regexMatchers(HttpMethod.POST, "/v1/member").permitAll()    // member sign-up
        .regexMatchers("/v1/.*").fullyAuthenticated();               // REST API requires full (non-remembered) authentication
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // REST is stateless: no CSRF token and no HTTP session. Neither HTTP Basic nor form
    // login is enabled by this override.
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Unauthenticated requests receive a 403 rather than a redirect.
    http.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint());

    // Subclasses define which paths are protected.
    setupAuthorization(http);

    http.addFilterBefore(jsonWebTokenFilter, UsernamePasswordAuthenticationFilter.class);
}