/**
 * Configures the security filter chain that covers the management (actuator)
 * endpoints.
 *
 * <p>Nothing is configured when {@code getRequestMatcher()} returns
 * {@code null}. Otherwise the chain is restricted to that matcher, and
 * {@code configurePermittedRequests} decides which of the matched requests
 * are permitted without authentication.
 *
 * <p>Security notes for maintainers:
 * <ul>
 * <li>HTTPS is enforced only when {@code security.isRequireSsl()} is true,
 * while HTTP Basic is enabled unconditionally. With require-ssl off, Basic
 * credentials can travel over plain HTTP unless TLS is terminated upstream.</li>
 * <li>CSRF protection is disabled unconditionally, on the premise that these
 * endpoints do not use cookies. The session policy is read from
 * {@code management.getSecurity().getSessions()}, so a policy that does
 * create sessions still leaves CSRF protection off for this chain.</li>
 * </ul>
 *
 * @param http the builder for the management endpoints' filter chain
 * @throws Exception if any of the configurers fails
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    RequestMatcher endpointMatcher = getRequestMatcher();
    if (endpointMatcher == null) {
        // No matcher: this method leaves the builder untouched.
        return;
    }

    // Endpoints are always protected when a matcher is present.
    if (this.security.isRequireSsl()) {
        http.requiresChannel().anyRequest().requiresSecure();
    }

    // One entry point is shared by exception handling and HTTP Basic so both
    // answer unauthenticated requests the same way.
    AuthenticationEntryPoint authEntryPoint = entryPoint();
    http.exceptionHandling().authenticationEntryPoint(authEntryPoint);

    // Scope this chain to the actuator endpoint requests ...
    http.requestMatcher(endpointMatcher);
    // ... and let configurePermittedRequests open up the ones that may be
    // reached without authentication (the non-sensitive ones, per the
    // original author's comment).
    configurePermittedRequests(http.authorizeRequests());
    http.httpBasic().authenticationEntryPoint(authEntryPoint);

    // No cookies for management endpoints by default, hence no CSRF token.
    // NOTE(review): this stays disabled whatever session policy is configured
    // on the next statement; confirm that is intended for stateful policies.
    http.csrf().disable();
    http.sessionManagement()
            .sessionCreationPolicy(this.management.getSecurity().getSessions());

    SpringBootWebSecurityConfiguration.configureHeaders(
            http.headers(), this.security.getHeaders());
}
/**
 * Registers the request paths that Spring Security should ignore.
 *
 * <p>Security note: patterns handed to {@code builder.ignoring()} are left out
 * of the security filter chain altogether, so authentication, authorization,
 * channel security and security headers configured elsewhere do not apply to
 * them. When management security is disabled, every path reported by
 * {@code EndpointPaths.ALL} is added to that list, which leaves all of those
 * endpoints reachable without credentials; any restriction then has to come
 * from outside this configuration (network controls, a separate management
 * port, a proxy).
 *
 * @param builder the web security builder whose ignore list is populated
 * @throws Exception declared by the overridden method
 */
@Override
public void init(WebSecurity builder) throws Exception {
    IgnoredRequestConfigurer ignoreConfigurer = builder.ignoring();

    // The ignores are not cumulative, so the defaults are fetched again and
    // re-registered together with the additions below; otherwise they would
    // be overwritten.
    List<String> ignoredPaths =
            SpringBootWebSecurityConfiguration.getIgnored(this.security);

    if (!this.management.getSecurity().isEnabled()) {
        // Management security is off: every endpoint path bypasses the chain.
        ignoredPaths.addAll(
                Arrays.asList(EndpointPaths.ALL.getPaths(this.endpointHandlerMapping)));
    }

    // "none" is dropped before the list is turned into patterns.
    // NOTE(review): List.remove(Object) removes only the first occurrence, so
    // a duplicated "none" entry would survive and be passed on as a path;
    // confirm the list cannot contain it twice.
    if (ignoredPaths.contains("none")) {
        ignoredPaths.remove("none");
    }

    if (this.errorController != null) {
        // The error path is ignored as well, i.e. served without the filter chain.
        ignoredPaths.add(normalizePath(this.errorController.getErrorPath()));
    }

    if (this.server == null) {
        // Without server properties no pattern is registered at all.
        return;
    }
    ignoreConfigurer.antMatchers(this.server.getPathsArray(ignoredPaths));
}