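/**
 * Secures the {@code /launch} endpoint, which is authenticated by the filter
 * returned from {@code configureProcessingFilter()} rather than by a login form.
 *
 * <p>Every {@code /launch} response carries three headers: an
 * {@code X-Frame-Options: ALLOW-FROM <canvas_url>} header, a
 * {@code Content-Security-Policy}, and a {@code P3P} compact policy for legacy IE
 * cookie handling inside an iframe. Note that ALLOW-FROM is not honoured by current
 * browsers, so the CSP {@code frame-ancestors} directive is what actually restricts
 * framing on them; it is not part of the policy below.
 *
 * @param http the builder for the {@code /launch} filter chain
 * @throws IllegalStateException if the {@code canvas_url} config value is missing or blank
 * @throws Exception if the security builder cannot be configured, or the configured
 *                   {@code canvas_url} is not a valid URI
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    LOG.debug("configuring HttpSecurity");

    String canvasUrl = configService.getConfigValue("canvas_url");
    if (StringUtils.isBlank(canvasUrl)) {
        // A missing setting is a configuration state error; IllegalStateException is a
        // RuntimeException, so existing catch blocks still match.
        throw new IllegalStateException("Missing canvas_url config value");
    }

    // Policy sent with every /launch response. script-src and style-src allow
    // 'unsafe-inline', which removes most of CSP's protection against injected
    // script; move to nonces/hashes if the launch page can do without inline code.
    String contentSecurityPolicy =
            "default-src 'self' https://s.ksucloud.net https://*.instructure.com; "
            + "font-src 'self' https://s.ksucloud.net https://*.instructure.com; "
            + "script-src 'self' 'unsafe-inline' https://ajax.googleapis.com; "
            + "style-src 'self' 'unsafe-inline' https://*.instructure.com https://www.k-state.edu";

    http.requestMatchers()
            .antMatchers("/launch")
            .and()
        .addFilterBefore(configureProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        // NOTE(review): CSRF is disabled for this chain, presumably because /launch is
        // posted from the external canvas site and cannot carry this app's token — confirm.
        // The requestMatchers() above keeps that exemption limited to /launch.
        .csrf().disable()
        .headers()
            .addHeaderWriter(new XFrameOptionsHeaderWriter(new StaticAllowFromStrategy(new URI(canvasUrl))))
            .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", contentSecurityPolicy))
            .addHeaderWriter(new StaticHeadersWriter("P3P", "CP=\"This is just to make IE happy with cookies in this iframe\""));
}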
/**
 * Form-login security for the application: everything under {@code /assets/**}
 * is public, every other request requires an authenticated user.
 *
 * <p>CSRF protection is switched off (see the SPR-11496 reference below) and
 * responses carry an {@code X-Frame-Options: SAMEORIGIN} header writer.
 *
 * @param http the builder for the filter chain
 * @throws Exception if the security builder cannot be configured
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Refactor login form
    // See https://jira.springsource.org/browse/SPR-11496
    // With CSRF disabled the login and logout form posts are not token-protected.
    http.csrf().disable();

    // NOTE(review): depending on the Spring Security version, headers() may also keep
    // its default X-Frame-Options writer (DENY) next to this one — verify the value sent.
    XFrameOptionsHeaderWriter sameOriginOnly =
            new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN);
    http.headers().addHeaderWriter(sameOriginOnly);

    http.formLogin()
            .defaultSuccessUrl("/index.html")
            .loginPage("/login.html")
            .failureUrl("/login.html?error")
            .permitAll();

    http.logout()
            .logoutUrl("/logout.html")
            .logoutSuccessUrl("/login.html?logout")
            .permitAll();

    // Matchers are evaluated in order: the public assets rule must precede anyRequest().
    http.authorizeRequests()
            .antMatchers("/assets/**").permitAll()
            .anyRequest().authenticated();
}
/**
 * Security for the application: single-segment paths ({@code /*}) and the
 * {@code /net.canang.cfi.web.Finance/**} path are public, {@code /secure/**}
 * requires the {@code USER} role and anything else an authenticated user.
 * Login is a form on {@code /index.html} posting to {@code /login}; CSRF
 * protection is disabled.
 *
 * @param http the builder for the filter chain
 * @throws Exception if the security builder cannot be configured
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): depending on the Spring Security version, headers() may also keep
    // its default X-Frame-Options writer (DENY) next to this one — verify the value sent.
    XFrameOptionsHeaderWriter sameOriginOnly =
            new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN);
    http.headers().addHeaderWriter(sameOriginOnly);

    // With CSRF disabled the login and logout posts are not token-protected.
    http.csrf().disable();

    // Evaluated in order: public rules first, then the role check, then the catch-all.
    http.authorizeRequests()
            .antMatchers("/*").permitAll()
            .antMatchers("/net.canang.cfi.web.Finance/**").permitAll()
            .antMatchers("/secure/**").hasRole("USER")
            .anyRequest().authenticated();

    // NOTE(review): the success URL carries gwt.codesvr=127.0.0.1:9997, a GWT dev-mode
    // code-server switch — confirm this is the intended redirect outside development.
    http.formLogin()
            .loginProcessingUrl("/login")
            .defaultSuccessUrl("/application.html?gwt.codesvr=127.0.0.1:9997")
            .failureUrl("/index.html?login_error=1")
            .loginPage("/index.html")
            .permitAll();

    http.logout()
            .logoutSuccessUrl("/index.html")
            .logoutUrl("/logout")
            .invalidateHttpSession(true);
}
/**
 * Security for the portfolio pages: {@code /portfolio/login.css} is public and
 * everything else under {@code /portfolio/**} requires an authenticated user.
 * There is no {@code anyRequest()} rule, so paths outside {@code /portfolio/}
 * receive no access rule from this configuration. CSRF protection is disabled
 * and an {@code X-Frame-Options: SAMEORIGIN} writer is registered.
 *
 * @param http the builder for the filter chain
 * @throws Exception if the security builder cannot be configured
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    // With CSRF disabled the login and logout form posts are not token-protected.
    http.csrf().disable();

    // NOTE(review): depending on the Spring Security version, headers() may also keep
    // its default X-Frame-Options writer (DENY) next to this one — verify the value sent.
    http.headers()
        .addHeaderWriter(new XFrameOptionsHeaderWriter(
            XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN));

    http.formLogin()
        .defaultSuccessUrl("/portfolio/index.html")
        .loginPage("/portfolio/login.html")
        .failureUrl("/portfolio/login.html?error")
        .permitAll();

    http.logout()
        .logoutSuccessUrl("/portfolio/login.html?logout")
        .logoutUrl("/portfolio/logout.html")
        .permitAll();

    // The stylesheet rule must precede the /portfolio/** rule; matchers are ordered.
    http.authorizeRequests()
        .antMatchers("/portfolio/login.css").permitAll()
        .antMatchers("/portfolio/**").authenticated();
    // @formatter:on
}
/**
 * CAS-protected application: every request must be authenticated and
 * unauthenticated callers are sent to {@code casEntryPoint}. Once Spring
 * Security has created the {@code FilterSecurityInterceptor}, it is handed to
 * {@code securityMetadataSourceBuilder} so that builder can construct the
 * interceptor's security metadata source. A user may hold one session; a second
 * login is refused rather than expiring the first.
 *
 * @param http the builder for the filter chain
 * @throws Exception if the security builder cannot be configured
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    casFilter.setAuthenticationManager(authenticationManager());

    // Runs when the interceptor instance exists; a null builder leaves the
    // interceptor with the rules declared in this method.
    ObjectPostProcessor<FilterSecurityInterceptor> installMetadataSource =
            new ObjectPostProcessor<FilterSecurityInterceptor>() {
                @Override
                public <O extends FilterSecurityInterceptor> O postProcess(O interceptor) {
                    if (securityMetadataSourceBuilder != null) {
                        securityMetadataSourceBuilder.setFilterSecurityInterceptor(interceptor);
                        securityMetadataSourceBuilder.buildSecurityMetadataSource();
                    }
                    return interceptor;
                }
            };

    http.headers()
            .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));

    http.exceptionHandling()
            .authenticationEntryPoint(casEntryPoint);

    http.addFilter(casFilter);

    // Original author's note: removing anyRequest().authenticated() makes startup
    // fail, reason unknown. Keep it in place.
    http.authorizeRequests()
            .anyRequest().authenticated()
            .withObjectPostProcessor(installMetadataSource);

    http.sessionManagement()
            .maximumSessions(1)
            .maxSessionsPreventsLogin(true);
}
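/**
 * Role-based security for the user/admin pages.
 *
 * <p>Access rules, in evaluation order: the user-creation endpoints are public,
 * {@code /user/*} needs USER or ADMIN, {@code /admin/*} needs ADMIN, and the
 * static asset paths are public. There is no {@code anyRequest()} rule, so paths
 * not listed receive no access rule from this configuration. Login is a form on
 * {@code /loginPage}; logout runs {@code CustomLogoutHandler} for requests matched
 * by {@code LogoutRequestMatcher}.
 *
 * <p>Response headers are Spring Security's defaults (X-Content-Type-Options,
 * X-XSS-Protection, Cache-Control, HSTS) with X-Frame-Options set to SAMEORIGIN,
 * plus the legacy {@code X-Content-Security-Policy} header.
 *
 * @param http the builder for the filter chain
 * @throws Exception if the security builder cannot be configured
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // One registry call; the order of the matchers is the order they are evaluated in.
    http.authorizeRequests()
            .antMatchers("/createSimpleUser", "/createUser").permitAll()
            .antMatchers("/user/*").hasAnyRole("USER", "ADMIN")
            .antMatchers("/admin/*").hasRole("ADMIN")
            .antMatchers("/css/**", "/jquery/**", "/bootstrap/**", "/jquery/images/**", "/webjars/**").permitAll();

    http.formLogin()
            .loginPage("/loginPage")
            .defaultSuccessUrl("/user/homePage")
            .failureUrl("/login-Error")
            .permitAll();

    http.logout()
            .addLogoutHandler(new CustomLogoutHandler())
            .logoutRequestMatcher(new LogoutRequestMatcher())
            .invalidateHttpSession(true);

    // headers() already registers the ContentTypeOptions, XSS, CacheControl, HSTS and
    // X-Frame-Options (DENY) writers. The previous version added a second instance of
    // each through addHeaderWriter(), so every header was written twice and
    // X-Frame-Options had two writers with different values (DENY and SAMEORIGIN);
    // which value reached the client depended on the writer implementation of the
    // Spring Security version in use. Selecting SAMEORIGIN through the DSL leaves a
    // single writer per header.
    // NOTE(review): X-Content-Security-Policy is the pre-standard header name; current
    // browsers only evaluate Content-Security-Policy. Kept as-is to preserve behaviour.
    http.headers()
            .frameOptions().sameOrigin()
            .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"));
}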
/**
 * {@inheritDoc}
 *
 * <p>Full web security for the application: the registration, password-reset,
 * invalid-session and {@code /login*} pages are public; every other request
 * needs a fully authenticated user, so a remember-me authentication alone does
 * not grant access. CSRF protection is left at its default (enabled). Headers
 * are opted into individually after {@code defaultsDisabled()}.
 *
 * @param httpSecurity the builder for the filter chain
 * @throws Exception if the security builder cannot be configured
 */
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // X-Frame-Options for /login only; the no-arg writer defaults to DENY.
    RequestMatcher loginPage = new AntPathRequestMatcher("/login");
    DelegatingRequestMatcherHeaderWriter denyFramingOfLogin =
            new DelegatingRequestMatcherHeaderWriter(loginPage, new XFrameOptionsHeaderWriter());

    // Cache-Control is what stops the browser from re-showing an authenticated page
    // via the back button after logout.
    // NOTE(review): frameOptions().sameOrigin() applies to every response, so /login
    // has both the SAMEORIGIN writer and the DENY writer above — confirm which value
    // the login page is meant to carry.
    httpSecurity.headers()
            .defaultsDisabled()
            .cacheControl().and()
            .contentTypeOptions().and()
            .addHeaderWriter(denyFramingOfLogin)
            .httpStrictTransportSecurity()
                .includeSubDomains(true)
                .maxAgeInSeconds(31536000)
                .and()
            .frameOptions().sameOrigin()
            .xssProtection().block(false);

    // Public pages first; everything else requires a full (non-remember-me) login.
    httpSecurity.authorizeRequests()
            .expressionHandler(webExpressionHandler())
            .antMatchers("/forgotPwd", "/resetPwd*", "/successRegister*", "/invalidSession.html",
                    "/registrationConfirm*", "/registration.html", "/user/registration", "/login*")
                .permitAll()
            .anyRequest().fullyAuthenticated();

    httpSecurity.formLogin()
            .loginPage("/login.html")
            .defaultSuccessUrl("/home.html")
            .usernameParameter("username")
            .passwordParameter("password")
            .failureUrl("/login.html?error=true")
            .permitAll();

    // sessionFixation().none() keeps the pre-login session id, i.e. no session-fixation
    // protection; migrateSession()/newSession() is the safer choice unless something
    // relies on the id staying stable across login.
    httpSecurity.sessionManagement()
            .invalidSessionUrl("/invalidSession.html")
            .sessionFixation().none();

    // logoutRequestMatcher() is set after logoutUrl(), so the explicit matcher is the
    // one in effect.
    httpSecurity.logout()
            .logoutUrl("/logout")
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/login.html")
            .invalidateHttpSession(true)
            .deleteCookies("remember-me", "SESSION")
            .permitAll();

    httpSecurity.rememberMe()
            .rememberMeServices(rememberMeServices())
            .rememberMeCookieName("remember-me")
            .tokenValiditySeconds(86400);

    httpSecurity.exceptionHandling().accessDeniedPage("/403");
}
/**
 * Form-login application whose {@code FilterSecurityInterceptor} is handed to
 * {@code securityMetadataSourceBuilder} as soon as Spring Security creates it,
 * so that builder can construct the interceptor's security metadata source.
 * Every request is authenticated; one {@code AjaxAuthenticationHandler} instance
 * handles both login success and failure; logout drops {@code JSESSIONID} and
 * invalidates the session; a user may hold one session and a second login is
 * refused.
 *
 * @param http the builder for the filter chain
 * @throws Exception if the security builder cannot be configured
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): the two constructor arguments look like redirect targets —
    // confirm their meaning against AjaxAuthenticationHandler.
    AjaxAuthenticationHandler loginOutcomeHandler =
            new AjaxAuthenticationHandler("/login", "/plugins/permission/admin");

    // Runs when the interceptor instance exists; a null builder leaves the
    // interceptor with the rules declared in this method.
    ObjectPostProcessor<FilterSecurityInterceptor> installMetadataSource =
            new ObjectPostProcessor<FilterSecurityInterceptor>() {
                @Override
                public <O extends FilterSecurityInterceptor> O postProcess(O interceptor) {
                    if (securityMetadataSourceBuilder != null) {
                        securityMetadataSourceBuilder.setFilterSecurityInterceptor(interceptor);
                        securityMetadataSourceBuilder.buildSecurityMetadataSource();
                    }
                    return interceptor;
                }
            };

    http.headers()
            .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));

    // NOTE(review): /login is not permitAll()'d here; unless the rebuilt metadata source
    // opens it, unauthenticated users are redirected to a page that itself needs a login.
    http.authorizeRequests()
            .anyRequest().authenticated()
            .withObjectPostProcessor(installMetadataSource);

    http.formLogin()
            .loginPage("/login")
            .loginProcessingUrl("/dologin")
            .successHandler(loginOutcomeHandler)
            .failureHandler(loginOutcomeHandler);

    http.logout()
            .deleteCookies("JSESSIONID")
            .invalidateHttpSession(true);

    http.sessionManagement()
            .maximumSessions(1)
            .maxSessionsPreventsLogin(true);
}
/**
 * Minimal security: every request must be authenticated and CSRF protection
 * is disabled. X-XSS-Protection is enabled explicitly and an
 * {@code X-Frame-Options: SAMEORIGIN} writer is registered.
 *
 * @param http the builder for the filter chain
 * @throws Exception if the security builder cannot be configured
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // No CSRF token is required on any request to this chain.
    http.csrf().disable();
    http.authorizeRequests().anyRequest().authenticated();

    http.headers().xssProtection();

    // NOTE(review): depending on the Spring Security version, headers() may also keep
    // its default X-Frame-Options writer (DENY) next to this one — verify the value sent.
    XFrameOptionsHeaderWriter sameOriginOnly =
            new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN);
    http.headers().addHeaderWriter(sameOriginOnly);
}