/**
 * Java-config equivalent of:
 * <pre>
 * &lt;http pattern="/resources/**" security="none"/&gt;
 * &lt;http pattern="/css/**" security="none"/&gt;
 * &lt;http pattern="/webjars/**" security="none"/&gt;
 * </pre>
 * Requests under these prefixes bypass the security filter chain completely: no access
 * checks and no security headers are applied, so the list should stay limited to static content.
 *
 * @param web the {@link WebSecurity} builder to configure
 * @throws Exception propagated from the builder
 */
@Override
public void configure(final WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/resources/**", "/css/**", "/webjars/**");

    // Thymeleaf must use the FilterSecurityInterceptor built by this HttpSecurity rather than
    // the one auto-configuration would register, so hand it over once the chain is built.
    final HttpSecurity http = getHttp();
    web.postBuildAction(() -> web.securityInterceptor(http.getSharedObject(FilterSecurityInterceptor.class)));
}
/**
 * Session-based form login: the listed public paths (site assets, feedback and the three
 * webhook receivers) are open, every other request needs an authenticated session.
 * CSRF protection and X-Frame-Options are both switched off.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): CSRF is disabled while authentication is session-backed form login; if the
    // webhook endpoints are the reason, csrf().ignoringAntMatchers(...) would scope the exemption
    // to them and keep the admin forms protected — confirm.
    http.csrf().disable();

    http.authorizeRequests()
        .antMatchers("/", "/assets/**/*", "/js/*", "/images/**/*", "/feedback",
                     "/webhook", "/fbwebhook", "/slackwebhook", "/embed").permitAll()
        .anyRequest().authenticated();

    http.formLogin()
        .defaultSuccessUrl("/admin")
        .loginPage("/login")
        .permitAll();

    http.logout().permitAll();

    // X-Frame-Options is dropped for every response, not only the /embed route.
    http.headers().frameOptions().disable();
}
/**
 * API security: a header-security filter ahead of the request wrapper, CORS on, CSRF off,
 * and method/prefix authorization keyed on the {@link SecurityAuthoritiesEnum} authorities.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final String collector = SecurityAuthoritiesEnum.COLLECTOR.toString();
    final String regular = SecurityAuthoritiesEnum.REGULAR.toString();
    final String screen = SecurityAuthoritiesEnum.SCREEN.toString();

    http.addFilterBefore(new HeaderSecurityFilter(), SecurityContextHolderAwareRequestFilter.class);
    http.cors();
    http.csrf().disable();

    // Rules are evaluated top-down; the first matching pattern decides.
    // NOTE(review): there is no anyRequest() rule, so a request matching none of these
    // patterns (e.g. GET /api/**) receives no authorization decision from this registry —
    // confirm that is intended, or close the list with anyRequest().authenticated()/denyAll().
    http.authorizeRequests()
        .antMatchers("/health").permitAll()
        .antMatchers("/websocket").permitAll()
        .antMatchers(HttpMethod.OPTIONS, "**").permitAll()
        .antMatchers(HttpMethod.POST, "/api/**").hasAuthority(collector)
        .antMatchers(HttpMethod.DELETE, "/api/**").hasAuthority(collector)
        .antMatchers(HttpMethod.POST, "/reviews/**").hasAuthority(regular)
        .antMatchers(HttpMethod.GET, "/dashboards/**").hasAnyAuthority(regular, screen)
        .antMatchers(HttpMethod.GET, "/emitter/**").hasAnyAuthority(regular, screen)
        .antMatchers(HttpMethod.POST, "/dashboards/**").hasAuthority(regular)
        .antMatchers(HttpMethod.DELETE, "/dashboards/**").hasAuthority(regular)
        .antMatchers(HttpMethod.PUT, "/dashboards/**").hasAuthority(regular);
}
/**
 * Java-config equivalent of:
 * <pre>
 * &lt;http pattern="/resources/**" security="none"/&gt;
 * &lt;http pattern="/css/**" security="none"/&gt;
 * &lt;http pattern="/webjars/**" security="none"/&gt;
 * </pre>
 * Ignored prefixes are served without any security filter, so they receive neither access
 * checks nor security headers.
 *
 * @param web the {@link WebSecurity} builder to configure
 * @throws Exception propagated from the builder
 */
@Override
public void configure(final WebSecurity web) throws Exception {
    final String[] unsecuredPrefixes = {"/resources/**", "/css/**", "/webjars/**"};
    for (final String prefix : unsecuredPrefixes) {
        web.ignoring().antMatchers(prefix);
    }

    // Thymeleaf needs the FilterSecurityInterceptor configured by this HttpSecurity, not the
    // default filter from auto-configuration; it is only available after the chain is built.
    final HttpSecurity http = getHttp();
    web.postBuildAction(() -> {
        final FilterSecurityInterceptor interceptor = http.getSharedObject(FilterSecurityInterceptor.class);
        web.securityInterceptor(interceptor);
    });
}
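/**
 * Session-based login with REST-style handlers: success, failure, logout and the
 * authentication entry point all answer in place instead of redirecting. Authorization is
 * delegated to {@code myFilterSecurityInterceptor}, installed at the position of the stock
 * {@link FilterSecurityInterceptor}; the SSO filter runs before HTTP Basic authentication.
 *
 * @param http the {@link HttpSecurity} builder to configure
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        // Rules are evaluated in declaration order, so the public paths must precede the
        // catch-all. Declared after anyRequest() (the original order) the permitAll() rule
        // could never apply, and recent Spring Security versions reject that arrangement.
        .mvcMatchers("/login", "/login/wechat").permitAll()
        // Everything else requires a full (non-remember-me) authentication.
        .anyRequest().fullyAuthenticated();

    http.formLogin()
        // Login succeeded: this is an API, so respond directly rather than redirecting.
        .successHandler(new MyAuthenticationSuccessHandler())
        // Login failed.
        .failureHandler(new MySimpleUrlAuthenticationFailureHandler());

    // After logout.
    http.logout().logoutSuccessHandler(new RestLogoutSuccessHandler());

    // Unauthenticated access.
    http.exceptionHandling().authenticationEntryPoint(new RestAuthenticationEntryPoint());

    http.addFilterAt(myFilterSecurityInterceptor, FilterSecurityInterceptor.class);
    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);

    // NOTE(review): CSRF is disabled although login is session-based; for browser clients the
    // previously considered csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
    // is the safer option — confirm which clients call this API.
    http.csrf().disable();
}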
/**
 * Form login with custom success/logout handlers: {@code /login**} and {@code /after**}
 * are public, every other request needs an authenticated session. CSRF is disabled.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/login**", "/after**").permitAll()
        .anyRequest().authenticated();

    http.formLogin()
        .loginPage("/login.html")
        .defaultSuccessUrl("/deptform.html")
        .failureUrl("/login.html?error=true")
        // Set last, so it replaces the handler defaultSuccessUrl() installed.
        .successHandler(customSuccessHandler);

    http.logout()
        .logoutUrl("/logout.html")
        .logoutSuccessHandler(customLogoutHandler);

    // NOTE(review): session-based form login with CSRF off leaves state-changing form posts
    // (and the GET-able logout URL) open to cross-site requests — confirm this is intended.
    http.csrf().disable();
}
/**
 * Java-config equivalent of:
 * <pre>
 * &lt;http pattern="/resources/**" security="none"/&gt;
 * &lt;http pattern="/css/**" security="none"/&gt;
 * &lt;http pattern="/webjars/**" security="none"/&gt;
 * </pre>
 * Ignored prefixes bypass the security filter chain entirely (no access checks, no
 * security headers). After the chain is built, the interceptor handed to Thymeleaf is
 * re-pointed at the project's own security metadata source.
 *
 * @param web the {@link WebSecurity} builder to configure
 * @throws Exception propagated from the builder
 */
@Override
public void configure(final WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/resources/**", "/css/**", "/webjars/**");

    // Thymeleaf must use the FilterSecurityInterceptor configured by this HttpSecurity,
    // not the default filter from auto-configuration.
    final HttpSecurity http = getHttp();
    web.postBuildAction(() -> {
        final FilterSecurityInterceptor interceptor = http.getSharedObject(FilterSecurityInterceptor.class);
        // Swap the URL-to-attribute mapping for the project's metadata source before exposing
        // the interceptor; any rule set it previously carried is replaced, not merged.
        interceptor.setSecurityMetadataSource(metadataSource);
        web.securityInterceptor(interceptor);
    });
}
/**
 * Resource-server rules for the doctor, prescription and account endpoints: reads need the
 * {@code doctor} and {@code read} OAuth2 scopes, writes need {@code doctor} and {@code write};
 * {@code /account/**} is public.
 */
@Override
public void configure(final HttpSecurity http) throws Exception {
    final String doctorRead = "#oauth2.hasScope('doctor') and #oauth2.hasScope('read')";
    final String doctorWrite = "#oauth2.hasScope('doctor') and #oauth2.hasScope('write')";

    // Only these prefixes are handled by this filter chain at all.
    http.requestMatchers().antMatchers("/doctor/**", "/rx/**", "/account/**");

    http.authorizeRequests()
        .antMatchers(HttpMethod.GET, "/doctor/**").access(doctorRead)
        .antMatchers(HttpMethod.POST, "/doctor/**").access(doctorWrite)
        .antMatchers(HttpMethod.GET, "/rx/**").access(doctorRead)
        .antMatchers(HttpMethod.POST, "/rx/**").access(doctorWrite)
        .antMatchers("/account/**").permitAll();
    // NOTE(review): no rule covers other methods (PUT/DELETE/PATCH) on /doctor/** and /rx/**
    // and there is no anyRequest() catch-all — confirm those requests are meant to fall through.

    http.exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    http.csrf().disable();
}
/**
 * Site security: role-gated content and admin areas, form login with custom parameter
 * names, persistent remember-me, CSRF left enabled, and one concurrent session per user.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final int rememberMeSeconds = 86400; // one day

    // Force request-encoding handling before the CSRF token is read.
    http.addFilterBefore(characterEncodingFilter(), CsrfFilter.class);

    http.authorizeRequests()
        .antMatchers("/", "/category/**", "/article/add", "/user/update")
            .access("hasRole('ROLE_USER') or hasRole('ROLE_ADMIN') or hasRole('ROLE_MODERATOR')")
        .antMatchers("/admin", "/admin/**").access("hasRole('ROLE_ADMIN')");
    // NOTE(review): no anyRequest() rule — paths outside these two lists get no decision here; confirm.

    http.formLogin()
        .loginPage("/login")
        .usernameParameter("ssoId")
        .passwordParameter("password")
        .failureHandler(new CustomAuthenticationFailureHandler())
        .defaultSuccessUrl("/");

    http.logout()
        // NOTE(review): this matcher carries no HTTP method, so a plain GET /logout ends the
        // session even though CSRF is on — use a POST-only matcher if that is not wanted.
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        .logoutSuccessUrl("/login?logout")
        .deleteCookies("JSESSIONID")
        .invalidateHttpSession(true);

    http.rememberMe()
        .tokenRepository(persistentTokenRepository())
        .tokenValiditySeconds(rememberMeSeconds);

    // CSRF protection stays enabled; this call only makes that explicit.
    http.csrf();

    http.exceptionHandling().accessDeniedPage("/error");

    http.sessionManagement().maximumSessions(1).sessionRegistry(sessionRegistry());
}
/**
 * Stateless token API: CSRF off, no HTTP session, a custom entry point for unauthenticated
 * requests, and the token filter ahead of the username/password filter.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    http.authorizeRequests()
        // NOTE(review): /api/users/me is public here; if it returns the caller's profile the
        // controller must cope with an absent principal — confirm.
        .antMatchers("/api/auth", "/api/users/me", "/api/greetings/public").permitAll()
        .anyRequest().authenticated();

    // The token filter has to populate the security context before any later authentication filter runs.
    http.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
}
/**
 * Stateless API chain: CSRF and X-Frame-Options off, no HTTP session; {@code /api/**}
 * needs authentication, management endpoints (except health) need the ADMIN authority,
 * and the rest of the setup comes from {@code securityConfigurerAdapter()}.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    // No X-Frame-Options header on any response.
    http.headers().frameOptions().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    http.authorizeRequests()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/swagger-resources/configuration/ui").permitAll();
    // NOTE(review): no anyRequest() rule — requests outside these prefixes get no decision here; confirm.

    http.apply(securityConfigurerAdapter());
}
/**
 * Form login for a site with public static assets and landing pages; every other request
 * needs an authenticated session. CSRF is disabled.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): CSRF is off for a session-based form-login site — confirm this is intended.
    http.csrf().disable();

    http.authorizeRequests()
        .antMatchers("/", "/public/**", "/resources/**", "/resources/public/**",
                     "/css/**", "/js/**", "/webjars/**").permitAll()
        .antMatchers("/", "/home", "/about").permitAll()
        .anyRequest().authenticated();

    http.formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("/", true)
        .failureUrl("/login?error")
        // Installed after failureUrl(), so this handler is the one that takes effect.
        .failureHandler(customAuthenticationHandler)
        .permitAll();

    http.logout().permitAll();

    http.exceptionHandling().accessDeniedHandler(accessDeniedHandler);
}
/**
 * Baseline settings (CSRF off, X-Frame-Options off) plus, when
 * {@code properties.isSecurityEnabled()} is true, HTTP Basic protection of every request.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.headers().frameOptions().disable();

    if (!properties.isSecurityEnabled()) {
        // NOTE(review): with security switched off no authorization rule is registered at all,
        // so every endpoint is reachable anonymously — confirm this setting is limited to
        // development/test profiles.
        return;
    }

    http.authorizeRequests().anyRequest().fullyAuthenticated();
    http.httpBasic();
}
/**
 * Form-based authentication on the {@code /api/authentication} endpoints: the form,
 * login page, images, templates and menu resources are public, and every other request is
 * decided at runtime by {@code rbacService.havePermission(request, authentication)}.
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.formLogin()
        .loginProcessingUrl("/api/authentication/form")  // authentication URL
        .loginPage("/api/authentication/require")        // login page
        .successHandler(tzAuthenticationSuccessHandler)  // login success handler
        .failureHandler(tzAuthenticationFailureHandler); // login failure handler

    http.authorizeRequests()
        .antMatchers("/api/authentication/form",
                     "/api/authentication/require",
                     "/api/imgs/**",
                     "/templates/**",
                     "/api/resources/menus")
            .permitAll()
        // Everything else: delegate to the RBAC service bean.
        .anyRequest()
            .access("@rbacService.havePermission(request,authentication)");
}
/**
 * Resource-server chain for requests the {@link OAuthRequestedMatcher} accepts: no CSRF,
 * no anonymous principal, preflight allowed, and role/authority rules under {@code /api}.
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    // Only requests selected by the OAuth matcher reach this chain.
    http.requestMatcher(new OAuthRequestedMatcher());
    http.csrf().disable();
    http.anonymous().disable();

    http.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS).permitAll()
        // hasRole/hasAnyRole take the role without its "ROLE_" prefix:
        // "USER" here stands for the stored authority "ROLE_USER" ...
        .antMatchers("/api/hello").access("hasAnyRole('USER')")
        .antMatchers("/api/me").hasAnyRole("USER", "ADMIN")
        .antMatchers("/api/admin").hasRole("ADMIN")
        // ... whereas hasAuthority compares the full authority string.
        .antMatchers("/api/registerUser").hasAuthority("ROLE_REGISTER")
        // Anything else under /api/** just needs an authenticated caller.
        .antMatchers("/api/**").authenticated();
}
/**
 * Form login with a one-week, secure-cookie remember-me; {@code /xxx/**} needs ROLE_USER,
 * everything else an authenticated principal.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final int oneWeekSeconds = 60 * 60 * 24 * 7;

    http.authorizeRequests()
        .antMatchers("/xxx/**").access("hasRole('ROLE_USER')")
        .anyRequest().authenticated();

    http.formLogin()
        .loginPage("/login")
        .failureUrl("/login?error")
        .permitAll();

    // NOTE(review): the remember-me key is a fixed literal shared by every deployment;
    // presumably it feeds the default cookie signature, so a per-environment secret injected
    // from configuration would be preferable — confirm which RememberMeServices is in use.
    http.rememberMe()
        .tokenValiditySeconds(oneWeekSeconds)
        .useSecureCookie(true)
        .key("remember-me")
        .rememberMeCookieName("remember-me");

    http.logout()
        .deleteCookies("remember-me")
        .permitAll();
}
/**
 * Resource-server rules: the token endpoint is open to anonymous callers, GETs need the
 * {@code read} scope and every other request the {@code write} scope. CSRF is disabled.
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();

    // One ordered chain; the first matching rule decides.
    http.authorizeRequests()
        .antMatchers("/oauth/token").anonymous()
        .antMatchers(HttpMethod.GET, "/**").access("#oauth2.hasScope('read')")
        .antMatchers("/**").access("#oauth2.hasScope('write')");
}
/**
 * Stateless API secured by the injected authentication {@code filter}: form login, logout,
 * CSRF and Cache-Control headers are all off; swagger, health and info are public.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): "/v2/**" opens the whole /v2 prefix, not just /v2/api-docs — confirm no
    // API routes live under it.
    final String[] publicPaths = {
        "/swagger-ui.html",
        "/webjars/springfox-swagger-ui/**",
        "/swagger-resources/**",
        "/v2/**",
        "/health",
        "/info"
    };

    filter.setAuthenticationManager(authenticationManager());

    http.headers().cacheControl().disable();

    http.addFilter(filter);
    http.sessionManagement().sessionCreationPolicy(STATELESS);
    http.csrf().disable();
    http.formLogin().disable();
    http.logout().disable();

    http.authorizeRequests()
        .antMatchers(publicPaths).permitAll()
        .anyRequest().authenticated();
}
/**
 * Wires the persistent remember-me collaborators looked up from the context (user details
 * service, token repository, services and filter) into {@code http}, points logout at
 * {@code LOGOUT_ENDPOINT}, and installs the remember-me filter at its standard position.
 *
 * @param http the {@link HttpSecurity} builder to configure
 * @throws Exception propagated from the builder
 */
@Override
protected void customizeRememberMe(HttpSecurity http) throws Exception {
    final UserDetailsService users = lookup("userDetailsService");
    final PersistentTokenRepository tokens = lookup("persistentTokenRepository");
    final AbstractRememberMeServices services = lookup("rememberMeServices");
    final RememberMeAuthenticationFilter rememberMeFilter = lookup("rememberMeAuthenticationFilter");

    http.rememberMe()
        .userDetailsService(users)
        .tokenRepository(tokens)
        .rememberMeServices(services)
        // The configurer's key must be the one the services instance was built with.
        .key(services.getKey());

    http.logout().logoutUrl(LOGOUT_ENDPOINT);

    http.addFilterAt(rememberMeFilter, RememberMeAuthenticationFilter.class);
}
/**
 * HTTP security configuration.
 *
 * <p>{@code <http auto-config="true">} is shorthand for
 * <pre>
 * &lt;http&gt;
 *   &lt;form-login /&gt;
 *   &lt;http-basic /&gt;
 *   &lt;logout /&gt;
 * &lt;/http&gt;
 * </pre>
 * which in Java config reads
 * <pre>
 * http.formLogin()
 *     .and().httpBasic()
 *     .and().logout();
 * </pre>
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *      Spring Security 3 to 4 migration</a>
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    http.authorizeRequests()
        // FIXME: TODO: the H2 console is open to anyone (NOTE: NOT FOR PRODUCTION USE EVER !!!)
        .antMatchers("/admin/h2/**").permitAll()
        .antMatchers("/").permitAll()
        .antMatchers("/login/*").permitAll()
        .antMatchers("/logout").permitAll()
        .antMatchers("/signup/*").permitAll()
        .antMatchers("/errors/**").permitAll()
        // NOTE(review): "/admin/*" matches a single path segment; deeper /admin/x/y paths fall
        // through to the "/**" USER rule below — confirm that is intended.
        .antMatchers("/admin/*").hasRole("ADMIN")
        .antMatchers("/events/").hasRole("ADMIN")
        .antMatchers("/**").hasRole("USER");

    http.exceptionHandling().accessDeniedPage("/errors/403");

    http.formLogin()
        .loginPage("/login/form")
        .loginProcessingUrl("/login")
        .failureUrl("/login/form?error")
        .usernameParameter("username")
        .passwordParameter("password")
        .defaultSuccessUrl("/default", true)
        .permitAll();

    http.logout()
        .logoutUrl("/logout")
        .logoutSuccessUrl("/login/form?logout")
        .permitAll();

    http.anonymous();

    // CSRF is enabled by default with Java config; it is switched off here (presumably for the
    // H2 console). NOTE(review): that also leaves the login, signup and logout forms unprotected.
    http.csrf().disable();

    // The H2 web console renders in a <frameset>, so X-Frame-Options must not be sent.
    http.headers().frameOptions().disable();
}
/**
 * Resource-server chain for {@code /api/**}: anonymous access disabled, full authentication
 * required, access-denied responses rendered by the OAuth2 handler.
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.anonymous().disable();
    // This chain handles /api/** only ...
    http.requestMatchers().antMatchers("/api/**");
    // ... and everything under it needs a full (non-remember-me) authentication.
    http.authorizeRequests().antMatchers("/api/**").fullyAuthenticated();
    http.exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
}
/**
 * Form login for every request, with an explicit response-header policy: SAMEORIGIN framing,
 * a Content-Security-Policy, two-year HSTS and report-only HPKP.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final int twoYearsSeconds = 63072000;

    http.authorizeRequests().anyRequest().authenticated();
    http.formLogin();
    http.logout().permitAll();

    // Security headers: http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html
    // Cache-Control (no-cache) and X-Content-Type-Options (nosniff) keep their Spring Boot defaults.
    http.headers()
        // X-Frame-Options: DENY by default, relaxed to SAMEORIGIN here.
        .frameOptions().sameOrigin()
        // Content-Security-Policy. Note that 'unsafe-inline' for scripts weakens its XSS protection.
        .contentSecurityPolicy("default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /csp")
        .and()
        // HSTS for two years. Consider setting it at the TLS terminator (apache, nginx) instead;
        // once deployed, browsers refuse plain-HTTP access to this host for the whole period.
        .httpStrictTransportSecurity()
        .maxAgeInSeconds(twoYearsSeconds)
        .and()
        // HPKP, report-only. Only drop reportOnly once the certificates (including backup pins!)
        // and a rollout strategy are in place — a wrong pin locks users out for the max-age.
        // NOTE(review): mainstream browsers have since dropped HPKP support; verify the header still serves a purpose.
        .httpPublicKeyPinning()
        .addSha256Pins("pGO1ErsUFSrId1hozlZOfyYOsE8mdiDgLyR89CtHK8E=")
        .maxAgeInSeconds(twoYearsSeconds)
        .reportOnly(true)
        .reportUri("/pkp");
}
/**
 * Campus site security: public REST, static and console paths, role-gated admin, lecturer
 * and student areas, form login, and CSRF exemptions for the REST API, console and logout.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.headers().frameOptions().disable();

    http.csrf()
        .ignoringAntMatchers("/rest/**")    // no CSRF token for the REST API
        .ignoringAntMatchers("/console/**") // nor for the database console
        .ignoringAntMatchers("/logout");    // allow a double logout

    http.authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/rest/**").permitAll() // the REST API requires no login
        .antMatchers("/public/**").permitAll()
        .antMatchers("/min/**").permitAll()
        .antMatchers("/webjars/**").permitAll()
        .antMatchers("/node_modules/**").permitAll()
        // NOTE(review): /console/** (presumably a database console) is public, CSRF-exempt and
        // frameable — keep this out of non-development profiles.
        .antMatchers("/console/**").permitAll()
        .antMatchers("/account_activation/**").permitAll()
        .antMatchers("/admin/**").hasRole(Role.ADMIN.name())
        .antMatchers("/lecturer/**").hasRole(Role.LECTURER.name())
        .antMatchers("/student/**").hasRole(Role.STUDENT.name())
        .anyRequest().authenticated();

    http.formLogin()
        // NOTE(review): loginPage() is called twice. The first call appears to also seed the
        // login-processing URL as /login, while the second only replaces the redirect target;
        // loginProcessingUrl("/login").loginPage("/login?notLoggedIn") would state that
        // explicitly — confirm before collapsing the two calls.
        .loginPage("/login")
        .loginPage("/login?notLoggedIn")
        .failureUrl("/login?error")
        .defaultSuccessUrl("/")
        .permitAll();

    http.logout()
        .logoutSuccessUrl("/login?loggedOut")
        .permitAll();
}
/**
 * E-mail service API: creating keys/templates and reading templates each need a dedicated
 * privilege, everything else a full authentication; HTTP Basic, CSRF disabled.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers(POST, "/email/keys").hasAuthority(CREATE_API_KEYS_PRIVILEGE.name())
        .antMatchers(POST, "/email/templates").hasAuthority(CREATE_TEMPLATES_PRIVILEGE.name())
        .antMatchers(GET, "/email/templates/**").hasAuthority(READ_TEMPLATES_PRIVILEGE.name())
        // Anything not listed still needs a full (non-remember-me) authentication.
        .anyRequest().fullyAuthenticated();

    http.httpBasic();

    // NOTE(review): CSRF is off, which is fine for header-authenticated clients, but no STATELESS
    // session policy is set here, so a browser holding a session cookie could still be driven
    // cross-site — confirm no browser clients use this chain.
    http.csrf().disable();
}
/**
 * Stateless JWT API: no HTTP session, CSRF off, API docs and static assets public,
 * {@code /api/auth/**} public, everything else authenticated by the token filter.
 */
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // Anonymous GETs: API docs, swagger-ui, static pages and assets.
    final String[] publicGetPaths = {
        "/",
        "/v2/api-docs",          // swagger
        "/webjars/**",           // swagger-ui webjars
        "/swagger-resources/**", // swagger-ui resources
        "/configuration/**",     // swagger configuration
        "/*.html",
        "/favicon.ico",
        "/**/*.html",
        "/**/*.css",
        "/**/*.js"
    };

    // CSRF protection guards cookie-based sessions; with a STATELESS policy and a token that is
    // presumably carried in a request header there is no ambient credential to ride on — TODO confirm.
    httpSecurity.csrf().disable();
    httpSecurity.exceptionHandling().authenticationEntryPoint(unauthorizedHandler);
    // Never create an HTTP session.
    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    httpSecurity.authorizeRequests()
        .antMatchers(HttpMethod.GET, publicGetPaths).permitAll()
        .antMatchers("/api/auth/**").permitAll()
        .anyRequest().authenticated();

    // Custom JWT-based security filter, ahead of the username/password filter.
    httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

    // Cache-Control headers so responses are not cached by the browser.
    httpSecurity.headers().cacheControl();
}
/**
 * HTTP Basic API chain for {@code /api/**}: preflight, the API root and user creation are
 * public, everything else needs authentication; CORS on, CSRF off.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    // This chain handles /api/** only.
    http.antMatcher("/api/**");

    http.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll() // CORS preflight
        .antMatchers(HttpMethod.GET, "/api").permitAll()
        .antMatchers(HttpMethod.POST, "/api/users").permitAll()
        .anyRequest().authenticated();

    http.httpBasic();
    http.cors();
}
/**
 * HTTP Basic REST service: the root is public, {@code /bank/**} and {@code /client/**}
 * are gated by their roles, everything else needs authentication; CSRF disabled.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/bank/**").hasRole(BANK_ROLE)
        .antMatchers("/client/**").hasRole(CLIENT_ROLE)
        .anyRequest().authenticated();

    // Authenticate with username and password.
    http.httpBasic();

    // REST services: CSRF protection disabled, see
    // https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#when-to-use-csrf-protection
    // NOTE(review): that guidance assumes no session cookie is involved; no STATELESS session
    // policy is set here, so confirm browser clients cannot end up with a session.
    http.csrf().disable();
}
/**
 * Stateless API chain: CORS filter first, a 401 entry point, CSRF and X-Frame-Options off,
 * no HTTP session; account-lifecycle endpoints are public, the rest of {@code /api/**}
 * authenticated, tracker/management/swagger paths gated by the ADMIN authority.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class);
    http.exceptionHandling().authenticationEntryPoint(http401UnauthorizedEntryPoint());
    http.csrf().disable();
    http.headers().frameOptions().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    http.authorizeRequests()
        // Account lifecycle endpoints reachable without a token.
        .antMatchers("/api/register").permitAll()
        .antMatchers("/api/activate").permitAll()
        .antMatchers("/api/authenticate").permitAll()
        .antMatchers("/api/account/reset_password/init").permitAll()
        .antMatchers("/api/account/reset_password/finish").permitAll()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/websocket/tracker").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/websocket/**").permitAll()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/v2/api-docs/**").permitAll()
        .antMatchers("/swagger-resources/configuration/ui").permitAll()
        .antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN);
    // NOTE(review): no anyRequest() rule closes the list; paths outside these prefixes get no decision here.

    http.apply(securityConfigurerAdapter());
}
/**
 * Actuator chain: any request to any endpoint needs an authenticated principal, via HTTP Basic.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.requestMatcher(EndpointRequest.toAnyEndpoint());
    http.authorizeRequests().anyRequest().authenticated();
    http.httpBasic();
}
/**
 * Chain for {@code /flights/**}: every request needs an authenticated principal.
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/flights/**");
    http.authorizeRequests().anyRequest().authenticated();
}
/**
 * Chain for {@code /api/**}: every request needs an authenticated principal.
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.requestMatchers().antMatchers("/api/**");
    http.authorizeRequests().anyRequest().authenticated();
}
/**
 * Chain for {@code /api/**}: every request needs an authenticated principal.
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.requestMatchers()
        .antMatchers("/api/**")
        .and()
        .authorizeRequests()
        .anyRequest().authenticated();
}
/**
 * Stateless JWT API: only Cache-Control headers, no form login, no HTTP Basic, no CSRF,
 * no HTTP session; static assets, {@code GET /v1/**}, the root, the auth path and the
 * auth bootstrap endpoint are public, everything else needs authentication.
 */
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // Emit only the Cache-Control family of headers (disables browser caching); other default headers are off.
    httpSecurity.headers().defaultsDisabled().cacheControl();
    // No UsernamePasswordAuthenticationFilter (form login) ...
    httpSecurity.formLogin().disable();
    // ... and no BasicAuthenticationFilter (HTTP Basic).
    httpSecurity.httpBasic().disable();

    httpSecurity.csrf().disable();
    httpSecurity.exceptionHandling().authenticationEntryPoint(unauthorizedHandler);
    // Never create an HTTP session.
    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    httpSecurity.authorizeRequests()
        // Anonymous static resources (any method, not only GET).
        .antMatchers("/favicon.ico", "/**/*.html", "/**/*.css", "/**/*.js").permitAll()
        .antMatchers(HttpMethod.GET, "/v1/**").permitAll()
        // The landing page is normally public, as are the authentication endpoint and the
        // auth bootstrap endpoint. NOTE(review): confirm /sys/auth/init cannot be re-run by
        // anonymous callers once the system is initialised.
        .antMatchers("/", "/" + authPath, "/sys/auth/init").permitAll()
        .anyRequest().authenticated();

    // On each request the filter reads the JWT from the Authorization header; if the security
    // context holds no authentication yet and the token is valid, the resulting authentication
    // is stored in the context before the request is passed down the chain.
    httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
}
/**
 * Stateless HTTP Basic chain: {@code /login/**} and {@code /profile/**} need ROLE_USER,
 * everything else is open; CSRF disabled, no HTTP session.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.httpBasic();

    http.authorizeRequests()
        .antMatchers("/login/**", "/profile/**").hasRole("USER")
        // Everything else is reachable anonymously.
        .anyRequest().permitAll();

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}