@Override protected void configure(HttpSecurity http) throws Exception { http.antMatcher("/**") .authorizeRequests() .antMatchers( "/", "/public/**", "/social/**", "/login**", "/webjars/**", "/img/**", "/css/**", "/robots.txt").permitAll() .anyRequest().authenticated() .and().logout().logoutSuccessUrl("/").permitAll() .and().formLogin().loginPage("/") .and().csrf().csrfTokenRepository(csrfTokenRepository()) .and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class) .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class); }
@Override protected void configure(HttpSecurity http) throws Exception { http// .csrf().disable() .headers().cacheControl().disable().and().exceptionHandling() .authenticationEntryPoint(new RestAuthenticationEntryPoint("/")).and() /* old: "/bootstrap/**", "/libraries/**", "/scripts/**", "/styles/**" */ .authorizeRequests().antMatchers("/", "/login", "/wro/**", "/images/**", "/views/**").permitAll().and() .authorizeRequests().anyRequest().authenticated().and() .formLogin().loginProcessingUrl("/login").successHandler(authenticationSuccessHandler()) .failureHandler(authenticationFailureHandler()).and() .logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler()) .deleteCookies("JSESSIONID", "XSRF-TOKEN").invalidateHttpSession(true).and() .csrf().csrfTokenRepository(csrfTokenRepository()).and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); }
@Override public void configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository(csrfTokenRepository()) .and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class) // .csrf().disable() .exceptionHandling() .authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED)) .and() .authorizeRequests().antMatchers("/", "/home", "/oauth/authorize", "/oauth/token").permitAll() .anyRequest().authenticated() .and() .formLogin() // .loginPage("/login") // .failureForwardUrl("/login?error") .permitAll() .and() .logout() // .logoutUrl("/logout") // .logoutSuccessUrl("/login?logout") .permitAll() .and() .httpBasic(); }
@Override protected void configure(HttpSecurity http) throws Exception{ http.addFilterBefore(characterEncodingFilter(), CsrfFilter.class); http.authorizeRequests() .antMatchers("/","/category/**","/article/add","/user/update").access("hasRole('ROLE_USER') or hasRole('ROLE_ADMIN') or hasRole('ROLE_MODERATOR')") .antMatchers("/admin","/admin/**").access("hasRole('ROLE_ADMIN')") .and() .formLogin() .loginPage("/login") .usernameParameter("ssoId") .passwordParameter("password") .failureHandler(new CustomAuthenticationFailureHandler()) .defaultSuccessUrl("/") .and() .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .logoutSuccessUrl("/login?logout").deleteCookies("JSESSIONID") .invalidateHttpSession(true) .and() .rememberMe().tokenRepository(persistentTokenRepository()).tokenValiditySeconds(86400) .and() .csrf() .and() .exceptionHandling().accessDeniedPage("/error"); http.sessionManagement().maximumSessions(1).sessionRegistry(sessionRegistry()); }
@Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/h2-console", "/rest/isAdmin").hasRole("ADMIN")// not working for h2 console // role should not start with 'ROLE_' since it is automatically inserted .anyRequest().authenticated() .and() .formLogin().loginPage("/login").failureUrl("/login?error").permitAll() .and() .logout().logoutSuccessUrl("/login?logout").permitAll() .and() .httpBasic() .and() .csrf().csrfTokenRepository(csrfTokenRepository()) .and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); }
@Override public void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/hojeehdiaderua/**") .permitAll() .antMatchers("/admin/**") .access("hasRole('ROLE_ADMIN')") .and() .httpBasic() .and() .formLogin() .and() .logout() .logoutUrl("/admin/logout") .deleteCookies("JSESSIONID") .invalidateHttpSession(true) .logoutSuccessUrl("/index.jsp") .and() .csrf() .csrfTokenRepository(csrfTokenRepository()) .and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); }
@Override public void configure(HttpSecurity http) throws Exception { //@formatter:off http .logout() .and() .antMatcher("/**").authorizeRequests() .antMatchers( "/index.html", "/home.html", "/", "/login", "/**/*.html", "/**/*.less", "/**/*.css", "/**/*.js").permitAll() .anyRequest().authenticated() .and() .csrf().csrfTokenRepository(csrfTokenRepository()) .and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); //@formatter:on }
@Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off http.antMatcher("/**") .authorizeRequests() .antMatchers("/", "/login**", "/webjars/**").permitAll() .anyRequest().authenticated() .and().exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/")) .and().logout().logoutSuccessUrl("/").permitAll() .and().csrf().csrfTokenRepository(csrfTokenRepository()) .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class) .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class); // @formatter:on }
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/restricted/**").authenticated() .antMatchers("/web/**").authenticated() .and() .formLogin() .usernameParameter("j_username") // default is username .passwordParameter("j_password") // default is password .loginPage("/views/login.html").successHandler(new CustomSuccessHandler()).failureUrl("/views/login.html?failure") .and() .logout().logoutSuccessUrl("/") .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .and() .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class) .csrf().csrfTokenRepository(csrfTokenRepository()); }
/** * Fluent API that pre-configures HttpSecurity with SAML specific configuration. * * @param http HttpSecurity instance * @return Same HttpSecurity instance * @throws Exception Exception */ // CSRF must be disabled when processing /saml/** to prevent "Expected CSRF token not found" exception. // See: http://stackoverflow.com/questions/26508835/spring-saml-extension-and-spring-security-csrf-protection-conflict/26560447 protected final HttpSecurity samlizedConfig(final HttpSecurity http) throws Exception { http.httpBasic().authenticationEntryPoint(samlEntryPoint()) .and() .csrf().ignoringAntMatchers("/saml/**") .and() .authorizeRequests().antMatchers("/saml/**").permitAll() .and() .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class) .addFilterAfter(filterChainProxy(), BasicAuthenticationFilter.class); // store CSRF token in cookie if (samlConfigBean().getStoreCsrfTokenInCookie()) { http.csrf() .csrfTokenRepository(csrfTokenRepository()) .and() .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class); } return http; }
@Override protected void configure(HttpSecurity http) throws Exception { for (String p : mccySecuritySettings.getAllowAnonymous().getGet()) { http .authorizeRequests() .antMatchers(HttpMethod.GET, p).permitAll(); } http .authorizeRequests() .antMatchers("/**").hasRole("USER") .and().formLogin() .loginPage("/login") .defaultSuccessUrl("/") .permitAll() .and().logout().logoutSuccessUrl("/") .and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class) .csrf().csrfTokenRepository(csrfTokenRepository()); if (env.acceptsProfiles(MccyConstants.PROFILE_BASIC_AUTH, MccyConstants.PROFILE_DEV)) { http .httpBasic() .and().csrf().ignoringAntMatchers("/**"); } }
@Override public void configure(HttpSecurity http) throws Exception { http.requestMatchers().anyRequest().and() .authorizeRequests().anyRequest() .authenticated().and().csrf() .csrfTokenRepository(csrfTokenRepository()).and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); OAuth2SsoProperties sso = this.beanFactory.getBean(OAuth2SsoProperties.class); // Delay the processing of the filter until we know the // SessionAuthenticationStrategy is available: http.apply( (SecurityConfigurerAdapter) new OAuth2ClientAuthenticationConfigurer(oauth2SsoFilter(sso)) ); addAuthenticationEntryPoint(http, sso); }
@Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .antMatchers("/index.html", "/home.html", "/") .permitAll() .anyRequest() .authenticated() .and() .csrf() .csrfTokenRepository(csrfTokenRepository()) .and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); // @formatter:on }
@Override protected void configure(final HttpSecurity http) throws Exception { http.csrf().ignoringAntMatchers("/websocket/**").and().addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class).exceptionHandling() .authenticationEntryPoint(authenticationEntryPoint).and().rememberMe().rememberMeServices(rememberMeServices).rememberMeParameter("remember-me") .key(env.getProperty("jhipster.security.rememberme.key")).and().formLogin().loginProcessingUrl("/api/authentication") .successHandler(ajaxAuthenticationSuccessHandler).failureHandler(ajaxAuthenticationFailureHandler).usernameParameter("j_username").passwordParameter("j_password") .permitAll().and().logout().logoutUrl("/api/logout").logoutSuccessHandler(ajaxLogoutSuccessHandler).deleteCookies("JSESSIONID").permitAll().and().headers() .frameOptions().disable().and().authorizeRequests().antMatchers("/api/register").permitAll().antMatchers("/api/activate").permitAll() .antMatchers("/api/authenticate").permitAll().antMatchers("/api/account/reset_password/init").permitAll().antMatchers("/api/account/reset_password/finish") .permitAll().antMatchers("/api/logs/**").hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/api/audits/**").hasAuthority(AuthoritiesConstants.ADMIN) .antMatchers("/api/**").authenticated().antMatchers("/websocket/tracker").hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/websocket/**").permitAll() .antMatchers("/metrics/**").hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/health/**").hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/trace/**") .hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/dump/**").hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/shutdown/**") .hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/beans/**").hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/configprops/**") .hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/info/**").hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/autoconfig/**") .hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/env/**").hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/trace/**") .hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/mappings/**").hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/v2/api-docs/**").permitAll() .antMatchers("/configuration/security").permitAll().antMatchers("/configuration/ui").permitAll().antMatchers("/swagger-ui/index.html") .hasAuthority(AuthoritiesConstants.ADMIN).antMatchers("/protected/**").authenticated(); }
@Override protected void configure(HttpSecurity http) throws Exception { // // http://stackoverflow.com/questions/31724994/spring-data-rest-and-cors http .addFilterBefore(newCorsFilter(), ChannelProcessingFilter.class) .httpBasic() .and() .authorizeRequests() // .antMatchers("/index.html", "/home.html", "/login.html", "/", "turbine/**", "/user").permitAll() /* * when running a local spring simple stomp broker, this is needed because * the credentials do not work when given to AngularStompDK in atacama * so we are forced to unsecure the simple stomp broker for now... */ .antMatchers("/ticks/**").permitAll() .anyRequest() .hasAnyRole("USER") // .authenticated() .and() .csrf().csrfTokenRepository(newCsrfTokenRepository()) .and() .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class); }
/** * Define the security that applies to the proxy */ @Override public void configure(HttpSecurity http) throws Exception { http .authorizeRequests() //Allow access to all static resources without authentication .antMatchers("/","/**/*.html").permitAll() .anyRequest().authenticated() .antMatchers(HttpMethod.GET, "/api/user/**","/api/task/**").access("#oauth2.hasScope('read')") .antMatchers(HttpMethod.OPTIONS, "/api/user/**","/api/task/**").access("#oauth2.hasScope('read')") .antMatchers(HttpMethod.POST, "/api/user/**","/api/task/**").access("#oauth2.hasScope('write')") .antMatchers(HttpMethod.PUT, "/api/user/**","/api/task/**").access("#oauth2.hasScope('write')") .antMatchers(HttpMethod.PATCH, "/api/user/**","/api/task/**").access("#oauth2.hasScope('write')") .antMatchers(HttpMethod.DELETE, "/api/user/**","/api/task/**").access("#oauth2.hasScope('write')") .and().csrf().csrfTokenRepository(this.getCSRFTokenRepository()) .and().addFilterAfter(this.createCSRFHeaderFilter(), CsrfFilter.class); }
@Override protected void configure(HttpSecurity http) throws Exception { http .antMatcher("/internal/**") .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) .and() .csrf() .requireCsrfProtectionMatcher(new CsrfProtectionMatcher()).and() .addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class) .addFilterAfter( new ShibbolethPreAuthenticatedProcessingFilter(authenticationManagerBean(), serviceRegistry), AbstractPreAuthenticatedProcessingFilter.class ) .authorizeRequests() .antMatchers("/internal/**").hasAnyRole("PEP", "ADMIN"); if (environment.acceptsProfiles("no-csrf")) { http.csrf().disable(); } if (environment.acceptsProfiles("dev", "perf")) { //we can't use @Profile, because we need to add it before the real filter http.addFilterBefore(new MockShibbolethFilter(), ShibbolethPreAuthenticatedProcessingFilter.class); } }
@Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() // This permits access to all client-side code. This isn't an issue though because all sensitive data // is provided by the REST API, which IS secured. .antMatchers("/").permitAll() // Require authentication for all API calls. .antMatchers("/api/**").authenticated() .and() .formLogin() .loginPage("/#/login") .permitAll() .and() /* The bits here about CSRF I got from this reference about using spring-security with Angular. https://spring.io/guides/tutorials/spring-security-and-angular-js/ */ .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class) .csrf().csrfTokenRepository(csrfTokenRepository()); }
@Override protected void configure(HttpSecurity http) throws Exception { http.addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class).exceptionHandling() .authenticationEntryPoint(casAuthenticationEntryPoint()).and().addFilter(casAuthenticationFilter()) .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class) .addFilterBefore(requestCasGlobalLogoutFilter(), LogoutFilter.class); http.headers().frameOptions().disable().authorizeRequests().antMatchers("/").permitAll() .antMatchers("/login", "/logout", "/secure").authenticated().antMatchers("/filtered") .hasAuthority(AuthoritiesConstants.ADMIN).anyRequest().authenticated(); /** * <logout invalidate-session="true" delete-cookies="JSESSIONID" /> */ http.logout().logoutUrl("/logout").logoutSuccessUrl("/").invalidateHttpSession(true) .deleteCookies("JSESSIONID"); // http.csrf(); }
@Override protected void configure(HttpSecurity http) throws Exception { // NOSONAR the authorizeRequests() throws it and // can't be omitted CharacterEncodingFilter filter = new CharacterEncodingFilter(); filter.setEncoding("UTF-8"); filter.setForceEncoding(true); http.addFilterBefore(filter, CsrfFilter.class); http.authorizeRequests() .accessDecisionManager(decisionManager) .antMatchers(AdminController.CONTROLLER_PATH + "/**") .authenticated() .and() .exceptionHandling() .authenticationEntryPoint(getAuthenticationEntryPoint()) .accessDeniedHandler(exceptionHandler); }
@Override protected void configure(HttpSecurity http) throws Exception { http .addFilterAfter(new CsrfTokenFilter(), CsrfFilter.class) .formLogin() .loginPage("/login") .permitAll() .and() .logout() .deleteCookies("remove") .invalidateHttpSession(true) .logoutUrl("/logout") .logoutSuccessUrl("/logout_success") //http://stackoverflow.com/questions/24108585/spring-security-java-config-not-generating-logout-url .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .and() .authorizeRequests() .antMatchers("/favicon.ico").permitAll() .antMatchers("/logout_success").permitAll() .antMatchers("/**").hasRole("USER"); }
@Override protected void configure(HttpSecurity http) throws Exception { http .csrf() .disable() .addFilterBefore(corsFilter, CsrfFilter.class) .headers() .frameOptions() .disable() .and() .logout() .logoutUrl("/api/logout") .logoutSuccessHandler(ajaxLogoutSuccessHandler()) .and() .requestMatcher(new NegatedRequestMatcher(authorizationHeaderRequestMatcher)) .authorizeRequests() .antMatchers("/api/profile-info").permitAll() .antMatchers("/api/**").authenticated() .antMatchers("/management/health").permitAll() .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN) .anyRequest().permitAll(); }
/** * Protection CSRF is critical for production env only * * @param http * @throws Exception */ @Profile({ "production" }) private void activateProtectionCRSF(HttpSecurity http) throws Exception { // CSRF protection http.csrf().csrfTokenRepository(csrfTokenRepository()).and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); }
protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/api/users/**").hasRole("ADMIN") .antMatchers("/api/session").permitAll() .antMatchers(HttpMethod.GET).permitAll() .antMatchers("/api/**").hasRole("BASIC"); http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class); Logger logger = LoggerFactory.getLogger(getClass()); if (logger.isInfoEnabled()) { logger.info("设置安全策略"); } }
@Override public void configure(HttpSecurity http) throws Exception { // @formatter:off http.authorizeRequests() .antMatchers(HttpMethod.POST, "/api/applications").permitAll()// .antMatchers("/management/health").permitAll()// .anyRequest().authenticated()// .and().csrf().ignoringAntMatchers("/api/**", "/management/**").csrfTokenRepository(csrfTokenRepository()) .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); // @formatter:on }
/** * Configure spring security to enable a simple webform-login + a simple rest login. */ @Override public void configure(HttpSecurity http) throws Exception { http.authorizeRequests().anyRequest().permitAll().and().csrf().disable(); if (this.corsEnabled) { http.addFilterBefore(getCorsFilter(), CsrfFilter.class); } }
@Override protected void configure(HttpSecurity http) throws Exception { http.httpBasic() .and().authorizeRequests() .antMatchers(HttpMethod.POST, "/").authenticated() .antMatchers(HttpMethod.PATCH, "/").authenticated() .antMatchers(HttpMethod.DELETE, "/").authenticated() .and().addFilterAfter(new CORSFilter(), CsrfFilter.class) .csrf().disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { http.formLogin().and().logout().and().authorizeRequests().antMatchers("/index.html", "/home.html", "/login.html", "/").permitAll() .anyRequest().authenticated().and().csrf().csrfTokenRepository(csrfTokenRepository()).and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); }
@Override protected void configure(HttpSecurity http) throws Exception { http.antMatcher("/**").authorizeRequests() .antMatchers("/", "/login**", "/webjars/**").permitAll() .anyRequest().authenticated() .and().exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/")) .and().logout().logoutSuccessUrl("/").permitAll() .and().csrf().csrfTokenRepository(csrfTokenRepository()) .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class) .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class); }
@Override public void configure(HttpSecurity http) throws Exception { http.logout().and().antMatcher("/**") .authorizeRequests() .antMatchers("/index.html", "/home.html", "/", "/login").permitAll() .anyRequest().authenticated() .and().csrf() .csrfTokenRepository(csrfTokenRepository()) .and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); }
@Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest() .authenticated() .and() .csrf() .csrfTokenRepository(csrfTokenRepository()).and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); if (useSsl) { http.requiresChannel().anyRequest().requiresSecure(); } }
@Override protected void configure(HttpSecurity http) throws Exception { http .csrf().csrfTokenRepository(csrfTokenRepository()).and() .httpBasic() .and() .authorizeRequests() .antMatchers("/index.html", "/").permitAll() .anyRequest().authenticated().and() .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class); }
/** * Define the security that applies to the proxy */ public void configure(HttpSecurity http) throws Exception { http.logout().and() .antMatcher("/**").authorizeRequests() .antMatchers("/index.html", "/home.html", "/web/**", "/uaa/oauth/**").permitAll() .anyRequest().authenticated().and() .csrf().csrfTokenRepository(getCSRFTokenRepository()).ignoringAntMatchers("/uaa/oauth/token").and() .addFilterAfter(createCSRFHeaderFilter(), CsrfFilter.class); }
@Override public void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/index.html", "/home.html", "/", "/bower_components/**", "/elements/*") .permitAll().anyRequest().authenticated().and().csrf() .csrfTokenRepository(csrfTokenRepository()).and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); }
@Override public void configure(HttpSecurity http) throws Exception { http.logout() .and() .exceptionHandling() .authenticationEntryPoint( new Http401AuthenticationEntryPoint( "Session realm=\"JSESSIONID\"")).and() .antMatcher("/**").authorizeRequests() .antMatchers("/index.html", "/home.html", "/", "/login") .permitAll().anyRequest().authenticated().and().csrf() .csrfTokenRepository(csrfTokenRepository()).and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); }
@Override protected void configure(HttpSecurity http) throws Exception { http .addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class) .exceptionHandling() .authenticationEntryPoint(authenticationEntryPoint) .and() .rememberMe() .rememberMeServices(rememberMeServices) .key(env.getProperty("jhipster.security.rememberme.key")) .and() .formLogin() .loginProcessingUrl("/api/authentication") .successHandler(ajaxAuthenticationSuccessHandler) .failureHandler(ajaxAuthenticationFailureHandler) .usernameParameter("j_username") .passwordParameter("j_password") .permitAll() .and() .logout() .logoutUrl("/api/logout") .logoutSuccessHandler(ajaxLogoutSuccessHandler) .deleteCookies("JSESSIONID") .permitAll() .and() .headers() .frameOptions() .disable() .authorizeRequests() .antMatchers("/api/register").permitAll() .antMatchers("/api/authenticate").permitAll() .antMatchers("/api/**").authenticated() .antMatchers("/rest/**").authenticated() .antMatchers("/protected/**").authenticated(); }
@Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/ws/user/**").permitAll() .anyRequest().authenticated() .and().exceptionHandling().authenticationEntryPoint(this) .and() .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS) .and() .csrf().disable() .addFilterBefore(statelessCSRFFilter, CsrfFilter.class) .addFilterBefore(exceptionFilter, StatelessCSRFFilter.class) .addFilterAfter(loginFilter,StatelessCSRFFilter.class); }
@Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel() .and() .csrf() .ignoringAntMatchers("/websocket/**") .and() .addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class) .exceptionHandling() .authenticationEntryPoint(authenticationEntryPoint) .and() .formLogin() .loginProcessingUrl("/api/authentication") .successHandler(ajaxAuthenticationSuccessHandler) .failureHandler(ajaxAuthenticationFailureHandler) .usernameParameter("j_username") .passwordParameter("j_password") .permitAll() .and() .logout() .logoutUrl("/api/logout") .logoutSuccessHandler(ajaxLogoutSuccessHandler) .deleteCookies("JSESSIONID") .permitAll() .and() .headers() .frameOptions() .disable() .and() .authorizeRequests() .antMatchers(permitAll).permitAll() .antMatchers("/api/**").authenticated() .antMatchers(permitAdmin).hasAuthority(AuthoritiesConstants.ADMIN) .and().apply(springSocialConfigurer); }
