@Override protected void configure(HttpSecurity http) throws Exception { final Filter corsFilter = context.getBean(ICorsFilterConfig.class).corsFilter(); final AuthenticationEntryPoint basicAuthenticationEntryPoint = context.getBean( BASIC_AUTH_BEAN_NAME, AuthenticationEntryPoint.class); http .antMatcher(JwtRestServiceConfig.REST_API_URL_PREFIX + "/**") // As of Spring Security 4.0, CSRF protection is enabled by default. .csrf().disable() // Configure CORS .addFilterBefore(corsFilter, SecurityContextPersistenceFilter.class) .authorizeRequests() .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() .antMatchers("/**").hasAnyAuthority(ROLE_USER) .and() .httpBasic().authenticationEntryPoint(basicAuthenticationEntryPoint); }
@Override protected void configure(HttpSecurity http) throws Exception { AuthenticationEntryPoint authenticationEntryPoint = lookup("authenticationEntryPoint"); http.csrf().disable() .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint) .and() .sessionManagement().sessionCreationPolicy(STATELESS); customizeRequestAuthorization(http.authorizeRequests() .antMatchers("/").permitAll() .antMatchers(POST, LOGIN_ENDPOINT).permitAll() .and()); http.authorizeRequests().anyRequest().authenticated(); JwtTokenService jwtTokenService = lookup("jwtTokenService"); // JwtAuthenticationFilter must precede LogoutFilter, otherwise LogoutHandler wouldn't know who // logs out. customizeFilters( http.addFilterBefore(new JwtAuthenticationFilter(jwtTokenService), LogoutFilter.class)); customizeRememberMe(http); }
@Override protected void configure(HttpSecurity http) throws Exception { // secure endpoints RequestMatcher matcher = getRequestMatcher(); if (matcher != null) { // Always protect them if present if (this.security.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } AuthenticationEntryPoint entryPoint = entryPoint(); http.exceptionHandling().authenticationEntryPoint(entryPoint); // Match all the requests for actuator endpoints ... http.requestMatcher(matcher); // ... but permitAll() for the non-sensitive ones configurePermittedRequests(http.authorizeRequests()); http.httpBasic().authenticationEntryPoint(entryPoint); // No cookies for management endpoints by default http.csrf().disable(); http.sessionManagement().sessionCreationPolicy( this.management.getSecurity().getSessions()); SpringBootWebSecurityConfiguration.configureHeaders(http.headers(), this.security.getHeaders()); } }
@SuppressWarnings("ProhibitedExceptionDeclared") @Override protected void configure(final HttpSecurity http) throws Exception { final AuthenticationEntryPoint ssoEntryPoint = new SsoAuthenticationEntryPoint(SsoController.SSO_PAGE); final SsoAuthenticationFilter<?> ssoAuthenticationFilter = new SsoAuthenticationFilter<>(SsoController.SSO_AUTHENTICATION_URI, EntityType.CombinedSso.INSTANCE); ssoAuthenticationFilter.setAuthenticationManager(authenticationManager()); final LogoutSuccessHandler logoutSuccessHandler = new HodTokenLogoutSuccessHandler(SsoController.SSO_LOGOUT_PAGE, tokenRepository); http.regexMatcher("/public(/.*)?|/sso|/authenticate-sso|/api/authentication/.*|/logout") .csrf() .disable() .exceptionHandling() .authenticationEntryPoint(ssoEntryPoint) .accessDeniedPage(DispatcherServletConfiguration.AUTHENTICATION_ERROR_PATH) .and() .authorizeRequests() .antMatchers(FindController.APP_PATH + "/**").hasRole(FindRole.USER.name()) .and() .logout() .logoutSuccessHandler(logoutSuccessHandler) .and() .addFilterAfter(ssoAuthenticationFilter, AbstractPreAuthenticatedProcessingFilter.class); }
protected AuthenticationEntryPoint authenticationEntryPoint() { return new AuthenticationEntryPoint() { @Override public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException { httpServletResponse.getWriter().append("Not authenticated"); httpServletResponse.setStatus(401); } }; }
private AuthenticationEntryPoint http401AuthenticationEntryPoint() { // This gets used for both secured and unsecured configurations. It will be called by Spring Security if a request makes it through the filter chain without being authenticated. // For unsecured, this should never be reached because the custom AnonymousAuthenticationFilter should always populate a fully-authenticated anonymous user // For secured, this will cause attempt to access any API endpoint (except those explicitly ignored) without providing credentials to return a 401 Unauthorized challenge return new AuthenticationEntryPoint() { @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException { logger.info("AuthenticationEntryPoint invoked as no user identity credentials were found in the request."); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); } }; }
@Bean public AuthenticationEntryPoint restAuthenticationEntryPoint() { return new AuthenticationEntryPoint() { @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException { response.sendError(HttpServletResponse.SC_UNAUTHORIZED, ApplicationContext.language("error.msgUnauthorized")); } }; }
public OneTimePasswordFilterConfigurer(final String loginProcessingUrl, AuthenticationSuccessHandler successHandler, AuthenticationFailureHandler failureHandler, AuthenticationEntryPoint entryPoint) { this.authFilter = new OneTimePasswordAuthenticationFilter(loginProcessingUrl); this.authFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher(loginProcessingUrl, "POST")); this.authFilter.setAuthenticationSuccessHandler(successHandler); this.authFilter.setAuthenticationFailureHandler(failureHandler); this.authFilter.setAllowSessionCreation(true); this.authenticationEntryPoint = entryPoint; }
private static AuthenticationEntryPoint getAuthEntryPoint() { return new AuthenticationEntryPoint() { @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException { response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Access Denied"); } }; }
@Override protected void configure(HttpSecurity http) throws Exception { if (this.security.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } if (!this.security.isEnableCsrf()) { http.csrf().disable(); } // No cookies for application endpoints by default http.sessionManagement().sessionCreationPolicy(this.security.getSessions()); SpringBootWebSecurityConfiguration.configureHeaders(http.headers(), this.security.getHeaders()); String[] paths = getSecureApplicationPaths(); if (paths.length > 0) { AuthenticationEntryPoint entryPoint = entryPoint(); http.exceptionHandling().authenticationEntryPoint(entryPoint); http.httpBasic().authenticationEntryPoint(entryPoint); http.requestMatchers().antMatchers(paths); String[] roles = this.security.getUser().getRole().toArray(new String[0]); SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode(); if (mode == null || mode == SecurityAuthorizeMode.ROLE) { http.authorizeRequests().anyRequest().hasAnyRole(roles); } else if (mode == SecurityAuthorizeMode.AUTHENTICATED) { http.authorizeRequests().anyRequest().authenticated(); } } }
/** * For a REST backend there's no login page, so security must return a 401 * code * * @return */ @Bean public AuthenticationEntryPoint authenticationEntryPoint() { return (HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) -> { LOG.info("ENTRY >>> rejecting entry: " + authException.getMessage()); response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage()); }; }
@Override protected void configure(HttpSecurity http) throws Exception { AuthenticationEntryPoint entryPoint = entryPoint(); AdminRequestedAccessDeniedHandler accessDeniedHandler = new AdminRequestedAccessDeniedHandler(entryPoint); http .requiresChannel() .requestMatchers(request -> request.getHeader("x-forwarded-port") != null).requiresSecure() .and() .exceptionHandling() .authenticationEntryPoint(entryPoint) .accessDeniedHandler(accessDeniedHandler) .and() .csrf() .ignoringAntMatchers("/github/hooks/**").and() .authorizeRequests() .requestMatchers(CorsUtils::isPreFlightRequest).permitAll() .mvcMatchers("/login/**", "/", "/about", "/faq").permitAll() .mvcMatchers("/view/**").permitAll() .mvcMatchers("/webjars/**", "/assets/**").permitAll() .mvcMatchers("/github/hooks/**").permitAll() .mvcMatchers("/admin","/admin/cla/link/**","/admin/help/**").hasRole("ADMIN") .mvcMatchers("/admin/**","/manage/**").hasRole("CLA_AUTHOR") .anyRequest().authenticated() .and() .logout() .logoutSuccessUrl("/?logout"); }
public DelegatingAuthenticationEntryPoint getDelegatingAuthenticationEntryPoint() { LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPointMap = new LinkedHashMap<>(); entryPointMap.put(new RequestHeaderRequestMatcher("User-Agent", "Mozilla"), atlasAuthenticationEntryPoint); DelegatingAuthenticationEntryPoint entryPoint = new DelegatingAuthenticationEntryPoint(entryPointMap); entryPoint.setDefaultEntryPoint(getAuthenticationEntryPoint()); return entryPoint; }
@Bean @Autowired public DelegatingAuthenticationEntryPoint delegatingAuthenticationEntryPoint(BasicAuthenticationEntryPoint basic, LoginUrlAuthenticationEntryPoint login) { LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>(); entryPoints.put(new RequestHeaderRequestMatcher("Content-Type", "application/json"), basic); entryPoints.put(new NegatedRequestMatcher(new RequestContainingAcceptTextHeaderRequestMatcher()), basic); DelegatingAuthenticationEntryPoint delegate = new DelegatingAuthenticationEntryPoint(entryPoints); delegate.setDefaultEntryPoint(login); return delegate; }
@SuppressWarnings("ProhibitedExceptionDeclared") @Override protected void configure(final HttpSecurity http) throws Exception { final LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>(); entryPoints.put(new AntPathRequestMatcher("/api/**"), new Http403ForbiddenEntryPoint()); entryPoints.put(AnyRequestMatcher.INSTANCE, new LoginUrlAuthenticationEntryPoint(FindController.DEFAULT_LOGIN_PAGE)); final AuthenticationEntryPoint authenticationEntryPoint = new DelegatingAuthenticationEntryPoint(entryPoints); http .csrf() .disable() .exceptionHandling() .authenticationEntryPoint(authenticationEntryPoint) .accessDeniedPage("/authentication-error") .and() .logout() .logoutUrl("/logout") .logoutSuccessUrl(FindController.DEFAULT_LOGIN_PAGE) .and() .authorizeRequests() .antMatchers(FindController.APP_PATH + "/**").hasAnyRole(FindRole.USER.name()) .antMatchers(FindController.CONFIG_PATH).hasRole(FindRole.CONFIG.name()) .antMatchers("/api/public/**").hasRole(FindRole.USER.name()) .antMatchers("/api/bi/**").hasRole(FindRole.BI.name()) .antMatchers("/api/config/**").hasRole(FindRole.CONFIG.name()) .antMatchers("/api/admin/**").hasRole(FindRole.ADMIN.name()) .antMatchers(FindController.DEFAULT_LOGIN_PAGE).permitAll() .antMatchers(FindController.LOGIN_PATH).permitAll() .antMatchers("/").permitAll() .anyRequest().denyAll() .and() .headers() .defaultsDisabled() .frameOptions() .sameOrigin(); idolSecurityCustomizer.customize(http, authenticationManager()); }
@Test public void testGetBeansOfType() throws IOException, ServletException { AuthenticationEntryPoint entryPoint = new WebAuthenticationEntryPoint(); HttpServletResponse response = new MockHttpServletResponse(); entryPoint.commence(new MockHttpServletRequest(), response, new AuthenticationCredentialsNotFoundException("unknown user or password.")); assertEquals("Unauthorized", ((MockHttpServletResponse) response).getErrorMessage()); assertEquals(401, response.getStatus()); }
/** {@inheritDoc} */ @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException { AuthenticationEntryPoint entryPoint = getAppropriateEntryPoint(request); entryPoint.commence(request, response, authException); }
private AuthenticationEntryPoint getAppropriateEntryPoint(HttpServletRequest request) { for (String pattern : m_patterns) { RequestMatcher matcher = new AntPathRequestMatcher(pattern); if (matcher.matches(request)) { return m_matchingEntryPoint; } } return m_nonMatchingEntryPoint; }
@Bean public AuthenticationEntryPoint unauthorizedEntryPoint() { return (request, response, authException) -> { response.setContentType(MediaType.APPLICATION_JSON_VALUE); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.getOutputStream().println( gson.toJson(new ErrorResponse(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage()))); }; }
public SecurityConfig(AuthenticationEntryPoint authenticationEntryPoint, JwtAuthenticationProvider jwtAuthenticationProvider) { this.authenticationEntryPoint = requireNonNull(authenticationEntryPoint); this.jwtAuthenticationProvider = requireNonNull(jwtAuthenticationProvider); }
@Bean public AuthenticationEntryPoint setAuthPoint(){ return new AppAuthPoint("/login.html"); }
public JwtAuthenticationTokenFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint) { this.authenticationManager = authenticationManager; this.authenticationEntryPoint = authenticationEntryPoint; }
@Bean public AuthenticationEntryPoint authenticationEntryPointImpl() { return new AuthenticationEntryPointRestImpl(); }
@Bean public AuthenticationEntryPoint authenticationEntryPoint(ObjectMapper objectMapper) { return new JwtAuthenticationEntryPoint(objectMapper); }
@Bean public AuthenticationEntryPoint authenticationEntryPoint() { return (request, response, authException) -> request.getRequestDispatcher("/unauthorized").forward(request, response); }
public JwtAuthenticationFilter(final AuthenticationManager authenticationManager, final AuthenticationEntryPoint entryPoint) { this.authenticationManager = authenticationManager; this.entryPoint = entryPoint; }
@Bean public AuthenticationEntryPoint authenticationEntryPoint() { return new RaptorAuthenticationEntryPoint(); }
protected AuthenticationEntryPoint authenticationEntryPoint() throws Exception { return new KeycloakAuthenticationEntryPoint(adapterDeploymentContext()); }
private AdminRequestedAccessDeniedHandler(AuthenticationEntryPoint entryPoint) { AccessDeniedHandlerImpl deniedHandler = new AccessDeniedHandlerImpl(); deniedHandler.setErrorPage("/error/403"); this.deniedHandler = deniedHandler; this.entryPoint = entryPoint; }
private AuthenticationEntryPoint getAuthenticationEntryPoint() throws IOException { return (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage()); }
@Bean public AuthenticationEntryPoint unauthorizedEntryPoint() { return (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED); }
protected AuthenticationEntryPoint getAuthenticationEntryPoint() { return authenticationEntryPoint; }
/** * @deprecated Use constructor injection */ @Deprecated public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) { this.authenticationEntryPoint = authenticationEntryPoint; }
