/**
 * Single chain for the whole application: the landing page, public/social/login paths, webjars,
 * images, CSS and robots.txt are open; everything else needs authentication. Logout returns to
 * "/", "/" doubles as the login page, the CSRF token comes from {@code csrfTokenRepository()} and
 * is surfaced by {@code csrfHeaderFilter()}; {@code ssoFilter()} runs ahead of
 * {@link BasicAuthenticationFilter}.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final String[] publicPaths = {
        "/", "/public/**", "/social/**", "/login**", "/webjars/**", "/img/**", "/css/**", "/robots.txt"
    };

    http.antMatcher("/**");
    http.authorizeRequests()
        .antMatchers(publicPaths).permitAll()
        .anyRequest().authenticated();

    http.logout().logoutSuccessUrl("/").permitAll();
    http.formLogin().loginPage("/");
    // Custom repository so the token can be handed to the client by csrfHeaderFilter() below.
    http.csrf().csrfTokenRepository(csrfTokenRepository());

    http.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
        .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}
/**
 * SAML-protected chain: HTTPS is required for every request, the SAML entry point answers
 * unauthenticated requests, CSRF is disabled, the metadata generator and SAML filters are
 * installed and only "/saml/**", "/health" and "/error" are reachable without authentication.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.requiresChannel().anyRequest().requiresSecure()
        .and()
        .httpBasic().authenticationEntryPoint(samlEntryPoint())
        .and()
        // NOTE(review): CSRF is switched off for the whole application, not only for the SAML
        // endpoints; csrf().ignoringAntMatchers("/saml/**") would keep protection elsewhere.
        .csrf().disable()
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
        .authorizeRequests()
            .antMatchers("/saml/**", "/health", "/error").permitAll()
            .anyRequest().authenticated();
}
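/**
 * API-style security: every request must be fully authenticated except the login endpoints;
 * login success/failure, logout and unauthenticated access are answered by REST handlers instead
 * of redirects. The custom security interceptor takes the {@link FilterSecurityInterceptor} slot
 * and {@code ssoFilter()} runs before {@link BasicAuthenticationFilter}. CSRF is disabled.
 *
 * <p>Fix: the login {@code mvcMatchers} used to be declared after {@code anyRequest()}. Rules are
 * evaluated in declaration order, so the login endpoints were shadowed by the catch-all and
 * required authentication (newer Spring Security versions refuse matchers declared after
 * {@code anyRequest()} at startup). The specific matchers now precede the catch-all.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            // Paths reachable without authentication: the login endpoints themselves.
            .mvcMatchers("/login", "/login/wechat").permitAll()
            // Everything else requires a full (non-remember-me) authentication.
            .anyRequest().fullyAuthenticated()
        .and()
        .formLogin()
            // Login is an API call: report success through a handler rather than a page redirect.
            .successHandler(new MyAuthenticationSuccessHandler())
            // Same for failures.
            .failureHandler(new MySimpleUrlAuthenticationFailureHandler())
        .and()
        // Logout outcome is rendered by a REST handler.
        .logout().logoutSuccessHandler(new RestLogoutSuccessHandler())
        .and()
        // Unauthenticated access is answered by the REST entry point (no login-page redirect).
        .exceptionHandling().authenticationEntryPoint(new RestAuthenticationEntryPoint());

    http.addFilterAt(myFilterSecurityInterceptor, FilterSecurityInterceptor.class);
    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);

    // NOTE(review): CSRF is disabled while a session-based form login stays enabled; a
    // cookie-based token repository (CookieCsrfTokenRepository.withHttpOnlyFalse()) was the
    // alternative left commented out upstream — confirm clients are not cookie-authenticated browsers.
    http.csrf().disable();
}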
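/**
 * Token-authenticated, stateless API: {@code tokenProcessingFilter()} authenticates requests
 * ahead of {@link BasicAuthenticationFilter}, CSRF is off, HTTP Basic is enabled and no session
 * is ever created. The listed user-scoped paths require ROLE_USER; everything else is public.
 *
 * <p>Fix: the original chain declared {@code anyRequest().permitAll()} in the middle of the rule
 * list and then added further {@code hasRole("USER")} matchers. Rules are matched in declaration
 * order, so those later matchers could never win (and newer Spring Security versions refuse
 * matchers declared after {@code anyRequest()}). All role-protected paths now come first and the
 * catch-all is last.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final String[] userOnlyPaths = {
        "/login/**", "/profile/**",
        "/user/**", "/users/**",
        "/contacts**", "/contacts/**", "/contacts",
        "/game/**", "/games/**"
    };

    http.addFilterBefore(tokenProcessingFilter(), BasicAuthenticationFilter.class);

    http.csrf().disable();
    http.httpBasic();
    http.authorizeRequests()
        .antMatchers(userOnlyPaths).hasRole("USER")
        // The catch-all must stay last: any rule declared after it is unreachable.
        .anyRequest().permitAll();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}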
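/**
 * Landing page and static assets are public; every other request must be fully authenticated.
 * Logout returns to "/", {@code filter()} takes the {@link BasicAuthenticationFilter} slot and the
 * CSRF token is kept in a cookie readable by client-side script.
 *
 * <p>Fix: the original opened a second {@code authorizeRequests()} after
 * {@code anyRequest().fullyAuthenticated()} to permit "/CSS/**", "/JS/**" and "/images/**" and
 * ended it with {@code anyRequest().permitAll()}. Rules are evaluated in declaration order, so the
 * asset rules were shadowed by the first catch-all and the second catch-all contradicted it
 * (newer Spring Security versions refuse matchers declared after {@code anyRequest()}). The asset
 * paths are now part of the single permit list and the chain keeps the fail-closed catch-all.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/index.html", "/CSS/**", "/JS/**", "/images/**").permitAll()
            .anyRequest().fullyAuthenticated()
        .and()
        .logout().logoutSuccessUrl("/").permitAll()
        .and()
        .addFilterAt(filter(), BasicAuthenticationFilter.class)
        // httpOnly=false so a JavaScript client can read the XSRF-TOKEN cookie and echo it back.
        .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}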
/**
 * Stateless, JWT-protected REST chain. Everything session- or browser-oriented (CSRF, form login,
 * logout, HTTP Basic, remember-me, request cache, X.509) is disabled; unauthenticated requests
 * receive a bare 401 from the entry point; {@code jwtFilter} sits in the
 * {@link BasicAuthenticationFilter} slot. Public URLs are contributed by {@code permitUri} and
 * every remaining request must be authenticated.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Browser/session features are not used by a token-based API.
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.exceptionHandling().authenticationEntryPoint(
            (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED));
    http.formLogin().disable();
    http.logout().disable();
    http.httpBasic().disable();
    http.rememberMe().disable();
    http.requestCache().disable();
    http.x509().disable();
    http.addFilterAt(jwtFilter, BasicAuthenticationFilter.class);

    // permitUri registers the URLs that may be reached without a token; everything else needs one.
    permitUri(http.authorizeRequests()).anyRequest().authenticated();
}
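/**
 * Stateless REST chain for everything under "/rest/": login is public, the welcome URL needs one
 * of the known roles, every other REST URL needs authentication. Session, CSRF, HTTP Basic, form
 * login, remember-me, request cache, X.509 and logout are disabled; the custom token filter runs
 * before {@link BasicAuthenticationFilter} and the custom entry point / access-denied handler
 * answer failures.
 *
 * <p>Fix: the chain was scoped with {@code regexMatcher("/rest/*")}. A regex matcher must match
 * the whole path and {@code /rest/*} matches only "/rest" followed by zero or more slashes, so
 * real endpoints such as "/rest/items" fell outside this chain entirely. The scope is now the ant
 * pattern "/rest/**", which the authorization rules below already assume.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/rest/**")
        .csrf().disable()
        // Stateless: the token filter authenticates every request, nothing is kept in a session.
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
            .antMatchers(RestAuthenticationServiceImpl.LOGIN_URL).permitAll()
            .antMatchers(ApplicationController.WELCOME_URL).hasAnyAuthority(getAllRoles())
            .antMatchers("/rest/**").authenticated()
        .and()
        .httpBasic().disable()
        .formLogin().disable()
        .rememberMe().disable()
        .requestCache().disable()
        .x509().disable()
        .logout().disable()
        // Custom token-based authentication filter.
        .addFilterBefore(this.getAuthenticationTokenProcessingFilter(), BasicAuthenticationFilter.class)
        // Custom handlers for unauthenticated and forbidden requests.
        .exceptionHandling()
            .authenticationEntryPoint(this.getEntryPointBean())
            .accessDeniedHandler(this.getAccessDeniedHandler());
}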
/**
 * Single chain for the whole application: root, login and webjars are public, everything else
 * needs authentication and unauthenticated requests are redirected to "/". Logout returns to "/",
 * the CSRF token comes from {@code csrfTokenRepository()} and is surfaced by
 * {@code csrfHeaderFilter()}; {@code ssoFilter()} runs before {@link BasicAuthenticationFilter}.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**");

    http.authorizeRequests()
        .antMatchers("/", "/login**", "/webjars/**").permitAll()
        .anyRequest().authenticated();
    // Unauthenticated browsers are sent to the landing page rather than a dedicated login page.
    http.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"));
    http.logout().logoutSuccessUrl("/").permitAll();
    http.csrf().csrfTokenRepository(csrfTokenRepository());

    http.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}
/**
 * Form-login chain: "/user/**" requires authentication, all other URLs are public. The login page
 * is "/login" (processing URL "/login.do", success "/user/info", failure "/login?err=1"), logout is
 * triggered by "/logout" and returns to "/"; {@code githubFilter()} runs before
 * {@link BasicAuthenticationFilter}.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/user/**").authenticated()
        .anyRequest().permitAll();

    http.exceptionHandling()
        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));

    http.formLogin()
        .loginPage("/login")
        .loginProcessingUrl("/login.do")
        .defaultSuccessUrl("/user/info")
        .failureUrl("/login?err=1")
        .permitAll();

    http.logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        .logoutSuccessUrl("/")
        .permitAll();

    http.addFilterBefore(githubFilter(), BasicAuthenticationFilter.class);
}
/** * Fluent API that pre-configures HttpSecurity with SAML specific configuration. * * @param http HttpSecurity instance * @return Same HttpSecurity instance * @throws Exception Exception */ // CSRF must be disabled when processing /saml/** to prevent "Expected CSRF token not found" exception. // See: http://stackoverflow.com/questions/26508835/spring-saml-extension-and-spring-security-csrf-protection-conflict/26560447 protected final HttpSecurity samlizedConfig(final HttpSecurity http) throws Exception { http.httpBasic().authenticationEntryPoint(samlEntryPoint()) .and() .csrf().ignoringAntMatchers("/saml/**") .and() .authorizeRequests().antMatchers("/saml/**").permitAll() .and() .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class) .addFilterAfter(filterChainProxy(), BasicAuthenticationFilter.class); // store CSRF token in cookie if (samlConfigBean().getStoreCsrfTokenInCookie()) { http.csrf() .csrfTokenRepository(csrfTokenRepository()) .and() .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class); } return http; }
/**
 * Security Config, to allow following requests without authorization.
 * <ul>
 * <li>show index.html Landing page</li>
 * <li>allow loading of compiled JS and CSS</li>
 * <li>allow loading of files in assets folder, e.g. BootsTrap CSS and BootsTrap or jQuery JS</li>
 * <li>API requests</li>
 * </ul>
 * Everything else needs authentication and unauthenticated requests are redirected to "/". The
 * CSRF token is kept in a script-readable cookie and is not checked for "/nocsrf" and
 * "/console/**"; X-Frame-Options is switched off; {@code ssoFilter()} runs before
 * {@link BasicAuthenticationFilter}.
 *
 * @param http {@link HttpSecurity}
 * @throws Exception {@link Exception} if something goes wrong
 * @since 1.1.1-SNAPSHOT
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    final String[] publicPaths = {
        "/",                                // root
        "/login**",                         // login
        "/app/get/**",                      // default "get" requests
        "/app/update/product/**/download",  // product update when it gets downloaded
        "/app/download/product/**",         // product downloads
        "/index.html",
        // NOTE(review): with AntPathMatcher a "**" carrying a suffix (e.g. "/**.js") is not a
        // directory wildcard and only matches a top-level file — confirm nested assets are covered.
        "/**.js", "/**.css", "/**.woff", "/**.woff2", "/**.ttf",
        "/assets/**",                       // static resources
        "/api**"
    };

    http.antMatcher("/**");
    http.authorizeRequests()
        .antMatchers(publicPaths).permitAll()
        .anyRequest().authenticated();
    http.logout().logoutSuccessUrl("/").permitAll();
    http.csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .ignoringAntMatchers("/nocsrf", "/console/**");
    http.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"));
    // NOTE(review): disabling X-Frame-Options lets any origin frame the application (clickjacking);
    // an ALLOW-FROM header writer for amazonaws.com was left commented out upstream.
    http.headers().frameOptions().disable();
    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}
/**
 * Builds the token authentication filter and inserts it before {@link BasicAuthenticationFilter}.
 * The filter receives the optional details source, the shared {@link AuthenticationManager}, a
 * stub success handler and the shared {@link SessionAuthenticationStrategy} when one exists; it is
 * post-processed and told to keep running the chain after a successful authentication.
 *
 * @param http the builder being configured
 * @throws Exception propagated from the builder
 */
@Override
public void configure(H http) throws Exception {
    final AuthenticationTokenFilter tokenFilter = getAuthenticationFilter();

    if (authenticationDetailsSource != null) {
        tokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
    }
    tokenFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
    // Presumably a no-op handler: success is handled by letting the chain continue (see below).
    tokenFilter.setAuthenticationSuccessHandler(new AuthenticationStubSuccessHandler());

    final SessionAuthenticationStrategy sessionStrategy =
            http.getSharedObject(SessionAuthenticationStrategy.class);
    if (sessionStrategy != null) {
        tokenFilter.setSessionAuthenticationStrategy(sessionStrategy);
    }

    final AuthenticationTokenFilter processed = postProcess(tokenFilter);
    // Let the request proceed to the protected resource once the token has been accepted.
    processed.setContinueChainAfterSuccessfulAuthentication(true);
    http.addFilterBefore(processed, BasicAuthenticationFilter.class);
}
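/**
 * Stateless JWT REST chain: GET requests for the front-end assets and "/auth/**" are public,
 * everything else needs authentication, unauthenticated requests are answered by
 * {@code restAuthenticationEntryPoint} and the token filter runs before
 * {@link BasicAuthenticationFilter}. CSRF is disabled.
 *
 * <p>Fix: a {@code List<RequestMatcher>} of CSRF-relevant HTTP methods was built and never used
 * (CSRF is disabled outright); the dead code is removed.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint)
        .and()
        .authorizeRequests()
            // Only GET requests for the front-end assets are public.
            .antMatchers(HttpMethod.GET,
                "/", "/webjars/**", "/*.html", "/favicon.ico", "/**/*.html", "/**/*.css", "/**/*.js")
                .permitAll()
            .antMatchers("/auth/**").permitAll()
            .anyRequest().authenticated()
        .and()
        .addFilterBefore(new TokenAuthenticationFilter(tokenHelper, jwtUserDetailsService),
                BasicAuthenticationFilter.class);

    // NOTE(review): CSRF is disabled; safe only while the token is not sent automatically by the
    // browser (header-carried JWT rather than a cookie) — confirm.
    http.csrf().disable();
}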
/**
 * SAML chain: the SAML entry point handles unauthenticated requests, CSRF is disabled, "/" and
 * "/saml/**" are public, everything else needs authentication, the metadata generator and SAML
 * filters are installed and logout returns to "/".
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic().authenticationEntryPoint(samlEntryPoint())
        .and()
        // NOTE(review): CSRF disabled application-wide; ignoringAntMatchers("/saml/**") would be narrower.
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/", "/saml/**").permitAll()
            .anyRequest().authenticated()
        .and()
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
        .logout().logoutSuccessUrl("/");
}
/**
 * Token-endpoint chain limited to "/oauth/token" and "/fb/oauth/access_token": every request must
 * be authenticated, client credentials are accepted by the two token-endpoint filters (both placed
 * after {@link BasicAuthenticationFilter}) and by HTTP Basic with the client entry point; access
 * denials are rendered by {@link OAuth2AccessDeniedHandler}.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.requestMatchers().antMatchers("/oauth/token", "/fb/oauth/access_token");

    http.authorizeRequests().anyRequest().authenticated();

    // Both filters are registered after BasicAuthenticationFilter, in this order.
    http.addFilterAfter(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class);
    http.addFilterAfter(fbClientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class);

    http.httpBasic().authenticationEntryPoint(clientAuthenticationEntryPoint());
    http.exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
}
/**
 * JWT plus form-login chain: the JWT filter (built on the adapter's authentication manager) runs
 * before {@link BasicAuthenticationFilter}; CSRF is disabled; public resources, health checks and
 * the login page are open, "/admin/**" needs ROLE_ADMIN and everything else ROLE_ADMIN or
 * ROLE_HOUSE. Login and logout both report through {@code successHandler}; access denial redirects
 * to the login page.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final JwtAuthenticationFilter jwtFilter =
            new JwtAuthenticationFilter(jwtEncoder, super.authenticationManager());
    http.addFilterBefore(jwtFilter, BasicAuthenticationFilter.class);

    http.csrf().disable();

    http.authorizeRequests()
        .antMatchers("/resources/public/**").permitAll()
        .antMatchers("/health/**").permitAll()
        .antMatchers("/admin/**").hasAnyRole("ADMIN")
        .antMatchers("/login**").permitAll()
        // Catch-all: every remaining URL needs one of the two application roles.
        .antMatchers("/**").hasAnyRole("ADMIN", "HOUSE");

    http.formLogin()
        .loginPage("/login")
        .failureUrl("/login?error")
        .successHandler(successHandler)
        .permitAll();

    http.logout().logoutSuccessHandler(successHandler).permitAll();

    http.exceptionHandling().accessDeniedPage("/login?unauthorized=");
}
/**
 * JWT plus form-login chain: the JWT filter (built on the adapter's authentication manager) runs
 * before {@link BasicAuthenticationFilter}; CSRF is disabled; public resources, health checks and
 * the login page are open, the admin and plugin URLs need ROLE_ADMIN and everything else
 * ROLE_ADMIN or ROLE_SHOW. Login and logout both report through {@code successHandler}; access
 * denial redirects to the login page; X-Frame-Options is switched off.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final JwtAuthenticationFilter jwtFilter =
            new JwtAuthenticationFilter(jwtEncoder, super.authenticationManager());
    http.addFilterBefore(jwtFilter, BasicAuthenticationFilter.class);

    http.csrf().disable();

    http.authorizeRequests()
        .antMatchers("/public/**").permitAll()
        .antMatchers("/health/**").permitAll()
        .antMatchers("/admin/**").hasAnyRole("ADMIN")
        .antMatchers("/plugins/**").hasAnyRole("ADMIN")
        .antMatchers("/view/plugins/**").hasAnyRole("ADMIN")
        .antMatchers("/login**").permitAll()
        // Catch-all: every remaining URL needs one of the two application roles.
        .antMatchers("/**").hasAnyRole("ADMIN", "SHOW");

    http.formLogin()
        .loginPage("/login")
        .failureUrl("/login?error")
        .successHandler(successHandler)
        .permitAll();

    http.logout().logoutSuccessHandler(successHandler).permitAll();

    http.exceptionHandling().accessDeniedPage("/login?unauthorized=");

    // NOTE(review): with X-Frame-Options disabled any origin may frame the application (clickjacking).
    http.headers().frameOptions().disable();
}
/**
 * Stateless token-authenticated API: CSRF disabled, no sessions, {@code tokenAuthenticationFilter}
 * ahead of {@link BasicAuthenticationFilter}. "/api/v1/login" is reserved for anonymous callers and
 * the rest of "/api/v1/**" needs ROLE_USER.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.addFilterBefore(tokenAuthenticationFilter, BasicAuthenticationFilter.class);

    http.authorizeRequests()
        // anonymous() rather than permitAll(): a caller that already presents a valid token is refused here.
        .antMatchers("/api/v1/login").anonymous()
        .antMatchers("/api/v1/**").hasAnyRole("USER");
    // NOTE(review): no anyRequest() rule — URLs outside /api/v1 carry no authorization rule in
    // this chain and are therefore not protected by it; confirm another chain covers them.
}
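/**
 * Stateless token-authenticated API: CSRF disabled, no sessions, {@code tokenAuthenticationFilter}
 * ahead of {@link BasicAuthenticationFilter}. "/login.html" is for anonymous callers; the API under
 * "/api/v1/" needs ROLE_USER.
 *
 * <p>Fix: the API rule used the single-segment pattern {@code "/api/v1/*"}, which leaves nested
 * resources such as "/api/v1/items/1" without any rule (and, with no catch-all, unprotected by
 * this chain). The pattern is now {@code "/api/v1/**"}.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.addFilterBefore(tokenAuthenticationFilter, BasicAuthenticationFilter.class);

    http.authorizeRequests()
        // anonymous() rather than permitAll(): an already-authenticated caller is refused the login page.
        .antMatchers("/login.html").anonymous()
        // "**" so that every depth below /api/v1 is covered, not just one path segment.
        .antMatchers("/api/v1/**").hasAnyRole("USER");
    // NOTE(review): still no anyRequest() rule — URLs outside the two patterns are not covered by
    // this chain's authorization; confirm that is intended.
}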
/**
 * Configure HttpSecurity. This includes:<br>
 * - resources requiring authorization <br>
 * - resources that are free to access <br>
 * - csrf token mapping <br>
 * - construction of the security filter chain
 *
 * <p>Sessions are stateless, CSRF and X-Frame-Options are disabled, the login, ability and
 * JSONDoc paths are public and everything else needs authentication; unauthenticated requests get
 * a plain 403. The JWT filter runs before {@link UsernamePasswordAuthenticationFilter} and the
 * OAuth2 filter before {@link BasicAuthenticationFilter}.
 *
 * @param httpSecurity the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    final String[] openPaths = {
        "/login/**",
        "/abilities/**",
        "/jsondoc/**",
        "/jsondoc-ui.html",
        "/webjars/jsondoc-ui-webjar/**"
    };

    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    httpSecurity.csrf().disable();
    httpSecurity.headers().frameOptions().disable();
    httpSecurity.antMatcher("/**")
        .authorizeRequests()
            .antMatchers(openPaths).permitAll()
            .anyRequest().authenticated();
    // 403 instead of a redirect: there is no login page to send API clients to.
    httpSecurity.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint());

    httpSecurity.addFilterBefore(statelessJwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    httpSecurity.addFilterBefore(createOAuth2Filter(), BasicAuthenticationFilter.class);
}
/**
 * Appends the authentication filters a security rule asks for. REST rules get a
 * {@link BasicAuthenticationFilter} when BASIC is among the supported schemes; non-REST rules get
 * the shared username/password and/or OpenID filters according to the supported schemes.
 *
 * @param filters      the filter list being assembled (mutated in place)
 * @param securityRule the rule whose supported schemes select the filters
 */
private void addAuthenticationFilters(List<Filter> filters, MotechURLSecurityRule securityRule) {
    final List<Scheme> schemes = securityRule.getSupportedSchemes();

    if (securityRule.isRest()) {
        // REST clients authenticate with HTTP Basic only; the entry point renders REST-style failures.
        if (schemes.contains(Scheme.BASIC)) {
            final MotechRestBasicAuthenticationEntryPoint entryPoint =
                    new MotechRestBasicAuthenticationEntryPoint(settingsFacade);
            filters.add(new BasicAuthenticationFilter(authenticationManager, entryPoint));
        }
        return;
    }

    if (schemes.contains(Scheme.USERNAME_PASSWORD)) {
        filters.add(usernamePasswordAuthenticationFilter);
    }
    if (schemes.contains(Scheme.OPEN_ID)) {
        filters.add(openIDAuthenticationFilter);
    }
}
/**
 * Defines the web based security configuration.
 *
 * <p>SAML SSO scenario: the SAML entry point answers unauthenticated requests, CSRF is disabled,
 * the metadata generator and SAML filters are installed, the local password login page is denied
 * outright and the remaining pages are mapped to anonymous / authenticated / authority-based
 * access. Logout returns to "/".
 *
 * @param http It allows configuring web based security for specific http requests.
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic().authenticationEntryPoint(samlEntryPoint());
    http.csrf().disable();
    http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class);
    http.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);

    http.authorizeRequests()
        // No local login form when SSO is in charge.
        .antMatchers(PW_LOGIN_PAGE_PATH).denyAll()
        .antMatchers(START_PAGE_PATH, ERROR_PAGE_PATH, "/saml/**").permitAll()
        .antMatchers(AUTHENTICATED_PAGE_PATH).authenticated()
        .antMatchers(ANONYMOUS_PAGE_PATH).anonymous()
        .antMatchers(USER_ROLE_PAGE_PATH).hasAuthority(RoleId.USER_ROLE_ID.getId())
        .antMatchers(ADMIN_ROLE_PAGE_PATH).hasAuthority(RoleId.ADMIN_ROLE_ID.getId())
        .anyRequest().authenticated();

    http.logout().logoutSuccessUrl("/");
}
/**
 * SAML chain without anonymous authentication: unauthenticated requests go to the SAML entry
 * point, CSRF is disabled, the metadata generator and SAML filters are installed, and paths that
 * do not contain either iframe base URL get X-Frame-Options: SAMEORIGIN.
 *
 * <p>NOTE(review): {@code regexMatcher(...)} scopes this whole {@link HttpSecurity}, not just the
 * header rule — requests matching the iframe bases bypass this chain (including the SAML
 * filters) unless another chain covers them; confirm that is intended.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic().authenticationEntryPoint(samlEntryPoint());
    // No anonymous principal: anything that is not SAML-authenticated stays unauthenticated.
    http.anonymous().disable();
    http.csrf().disable();
    http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class);
    http.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);

    // Negative look-ahead: every path that contains neither iframe base.
    // NOTE(review): the constants are spliced into the regex unquoted, so any regex metacharacter
    // in them changes the match; Pattern.quote(...) would make them literal — confirm the values.
    final String notAnIframePath =
            "^((?!" + Urls.IFRAME_FI_BASE + "|" + Urls.IFRAME_SV_BASE + ").)*$";
    http.regexMatcher(notAnIframePath).headers().frameOptions().sameOrigin();
}
/**
 * Defines the web based security configuration.
 *
 * <p>SAML chain: unauthenticated requests go to the SAML entry point, CSRF is disabled, the
 * metadata generator and SAML filters are installed, "/", "/error" and "/saml/**" are public,
 * everything else needs authentication and logout returns to "/".
 *
 * @param http It allows configuring web based security for specific http requests.
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic().authenticationEntryPoint(samlEntryPoint())
        .and()
        // NOTE(review): CSRF disabled application-wide; ignoringAntMatchers("/saml/**") would be narrower.
        .csrf().disable()
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
        .authorizeRequests()
            .antMatchers("/", "/error", "/saml/**").permitAll()
            .anyRequest().authenticated()
        .and()
        .logout().logoutSuccessUrl("/");
}
/**
 * Single chain for the whole application: root, login and webjars are public, everything else
 * needs authentication and unauthenticated requests are redirected to "/". Logout returns to "/",
 * the CSRF token is kept in a script-readable cookie and {@code ssoFilter()} runs before
 * {@link BasicAuthenticationFilter}.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**");
    http.authorizeRequests()
        .antMatchers("/", "/login**", "/webjars/**").permitAll()
        .anyRequest().authenticated();
    http.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"));
    http.logout().logoutSuccessUrl("/").permitAll();
    // httpOnly=false so that a JavaScript client can read the XSRF-TOKEN cookie.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}
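/**
 * HTTP Basic chain for "/hello/secure/**" and "/secure/**": both need ROLE_USER. A custom
 * {@link BasicAuthenticationFilter} with a JSON entry point is placed ahead of Spring's, and CSRF
 * is disabled.
 *
 * <p>Fix: the original called {@code antMatcher("/hello/secure/**")} and later
 * {@code antMatcher("/secure/**")}; an {@link HttpSecurity} has a single request matcher, so the
 * second call replaced the first and "/hello/secure/**" fell outside this chain (its rule was
 * dead). Both prefixes are now declared through {@code requestMatchers()} and one rule set.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.requestMatchers()
            .antMatchers("/hello/secure/**", "/secure/**")
        .and()
        .authorizeRequests()
            .antMatchers("/hello/secure/**", "/secure/**").hasRole("USER")
        .and()
        .httpBasic()
        .and()
        // Same Basic mechanics as the default filter, but failures are rendered as JSON.
        .addFilterBefore(
            new BasicAuthenticationFilter(authenticationManager(), new BasicJsonEntryPoint()),
            BasicAuthenticationFilter.class)
        // TODO: check the csrf capability with angularjs
        .csrf().disable();
}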
/**
 * Stateless HTTP Basic chain for the single endpoint "/api/enrichment/tags": every request must be
 * authenticated through {@code enricherAuthenticationProvider()}, failures use the service entry
 * point, CSRF is off and {@code localeSettingFilter} runs before {@link BasicAuthenticationFilter}.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.requestMatchers().antMatchers("/api/enrichment/tags");
    http.authorizeRequests().anyRequest().authenticated();
    http.authenticationProvider(enricherAuthenticationProvider());
    http.httpBasic().authenticationEntryPoint(serviceBasicAuthenticationEntryPoint());
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.csrf().disable();
    http.addFilterBefore(localeSettingFilter, BasicAuthenticationFilter.class);
}
/**
 * Stateless chain for "/api/**": all security headers and CSRF are disabled, authentication
 * failures go to {@code digestAuthEndpoint}, the two mobile-DB endpoints need their specific
 * authorities and everything else under /api needs authentication. HTTP Basic is enabled and
 * {@code digestFilter} runs after {@link BasicAuthenticationFilter}.
 *
 * <p>NOTE(review): {@code headers().disable()} also drops the default protective headers
 * (Cache-Control, X-Content-Type-Options, HSTS, ...) on API responses — confirm that is wanted.
 * The method carries no {@code @Override}; add one if it overrides
 * {@code WebSecurityConfigurerAdapter#configure(HttpSecurity)}.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/api/**");
    http.headers().disable();
    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(digestAuthEndpoint);
    http.sessionManagement().sessionCreationPolicy(STATELESS);

    http.authorizeRequests()
        .antMatchers("/api/rest/mobiledb/export").hasAuthority("MOBILE_DB_EXPORT")
        .antMatchers("/api/rest/mobiledb").hasAuthority("MOBILE_DB_SYNC")
        .anyRequest().authenticated();

    http.httpBasic();
    http.addFilterAfter(digestFilter, BasicAuthenticationFilter.class);
}
/**
 * Wires the client-credentials token endpoint filter: it authenticates with the shared
 * {@link AuthenticationManager}, is post-processed and placed before
 * {@link BasicAuthenticationFilter}. The token granter, consumer token services and user approval
 * handler are resolved here as well, and the custom access-denied handler is attached to the
 * exception-handling configurer.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
@SuppressWarnings("unchecked") // raw ExceptionHandlingConfigurer.class lookup below
public void configure(HttpSecurity http) throws Exception {
    final AuthenticationManager manager = http.getSharedObject(AuthenticationManager.class);

    clientCredentialsTokenEndpointFilter = new ClientCredentialsTokenEndpointFilter();
    clientCredentialsTokenEndpointFilter.setAuthenticationManager(manager);
    clientCredentialsTokenEndpointFilter = postProcess(clientCredentialsTokenEndpointFilter);

    this.tokenGranter = tokenGranter(http);
    this.consumerTokenServices = consumerTokenServices(http);
    this.userApprovalHandler = userApprovalHandler();

    http.addFilterBefore(clientCredentialsTokenEndpointFilter, BasicAuthenticationFilter.class)
        .getConfigurer(ExceptionHandlingConfigurer.class)
        .accessDeniedHandler(accessDeniedHandler);
}
/**
 * Stateless token-authenticated chain: CSRF and anonymous authentication are disabled, the
 * actuator endpoints need the back-end admin role, everything else needs authentication and
 * failures are answered by {@code unauthorizedEntryPoint()}. Two filters authenticate requests
 * ahead of {@link BasicAuthenticationFilter}: the general one and the management-endpoint one.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.authorizeRequests()
        .antMatchers(actuatorEndpoints()).hasRole(backendAdminRole)
        .anyRequest().authenticated();
    http.anonymous().disable();
    http.exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint());

    http.addFilterBefore(new AuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class);
    http.addFilterBefore(new ManagementEndpointAuthenticationFilter(authenticationManager()),
            BasicAuthenticationFilter.class);
}
/**
 * Stateless REST chain with role-based URL rules. CSRF is disabled, the custom user details
 * service and unauthorized entry point are registered, the token-processing filter runs before
 * {@link BasicAuthenticationFilter}; public/static/monitoring paths and the authenticate endpoint
 * are open, user management needs ROLE_admin, content APIs need ROLE_editor, everything else
 * needs authentication; HTTP Basic stays available.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final String[] openPaths = {
        "/resources/**", "/public/**", "/pv/**", "/api/browse/**",
        "/env/**", "/info/**", "/metrics/**", "/health/**",
        "/api/user/authenticate"
    };
    final String[] editorPaths = {
        "/api/sites/**", "/api/pages/**", "/api/images/**", "/api/sitemap/**",
        "/api/dataformrecords/**", "/api/dataforms/**"
    };

    http.csrf().disable();
    http.userDetailsService(customUserDetailsService);
    http.exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint);
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.addFilterBefore(authenticationTokenProcessingFilter, BasicAuthenticationFilter.class);

    http.authorizeRequests()
        // NOTE(review): /env, /metrics, /info and /health are exposed without authentication;
        // /env in particular may reveal configuration — confirm this is intended.
        .antMatchers(openPaths).permitAll()
        .antMatchers("/api/users/**").hasRole("admin")
        .antMatchers(editorPaths).hasRole("editor")
        .anyRequest().authenticated();

    http.httpBasic();
}
/**
 * Stateless chain: CSRF and anonymous authentication are disabled, static assets, server
 * resources and the Swagger descriptors are public, and unauthenticated requests are answered by
 * {@code unauthorizedEntryPoint()}. The HTTP authentication filter runs before
 * {@link BasicAuthenticationFilter} and the CORS filter right after it.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.authorizeRequests()
        .antMatchers("/css/**", "/server/**", "/scripts/**", "/webjars/**", "/templates/**").permitAll()
        .antMatchers("/*/swagger.json", "/*/swagger.yaml").permitAll();
    // NOTE(review): no anyRequest() rule — URLs not listed above carry no authorization rule in
    // this chain; confirm the authentication filter alone is meant to gate them.
    http.anonymous().disable();
    http.exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint());

    final HttpAuthenticationFilter authFilter = new HttpAuthenticationFilter(authenticationManager());
    http.addFilterBefore(authFilter, BasicAuthenticationFilter.class);
    http.addFilterAfter(new SimpleCORSFilter(), HttpAuthenticationFilter.class);
}
/**
 * Combined Basic + OAuth2 configuration for the dashboard and API. Builds a Basic entry point for
 * the configured realm; orders the OAuth filter after a freshly built
 * {@link BasicAuthenticationFilter}, that Basic filter before the OAuth filter and the OAuth2
 * processing filter before the Basic filter; marks the dashboard paths as authenticated; applies
 * the permit-all / authenticated / simple-security rules from {@code authorizationProperties} and
 * denies everything else; enables HTTP Basic and logout to the OAuth success page, disables CSRF
 * and picks the entry point per request (Basic challenge for /api and /actuator, login redirect
 * elsewhere). Both security-state flags are set.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder and from
 *         {@code afterPropertiesSet()}
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final BasicAuthenticationEntryPoint basicEntryPoint = new BasicAuthenticationEntryPoint();
    basicEntryPoint.setRealmName(securityProperties.getBasic().getRealm());
    basicEntryPoint.afterPropertiesSet();

    final Filter oauthFilter = oauthFilter();
    final BasicAuthenticationFilter basicFilter =
            new BasicAuthenticationFilter(providerManager(), basicEntryPoint);

    // Ordering is expressed relative to the runtime classes of the filters built above.
    http.addFilterAfter(oauthFilter, basicFilter.getClass());
    http.addFilterBefore(basicFilter, oauthFilter.getClass());
    http.addFilterBefore(oAuth2AuthenticationProcessingFilter(), basicFilter.getClass());

    // The dashboard itself always requires authentication.
    this.authorizationProperties.getAuthenticatedPaths().add(dashboard("/**"));
    this.authorizationProperties.getAuthenticatedPaths().add(dashboard(""));

    final String[] permitAllPaths =
            this.authorizationProperties.getPermitAllPaths().toArray(new String[0]);
    final String[] authenticatedPaths =
            this.authorizationProperties.getAuthenticatedPaths().toArray(new String[0]);

    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry =
            http.authorizeRequests()
                .antMatchers(permitAllPaths).permitAll()
                .antMatchers(authenticatedPaths).authenticated();
    registry = SecurityConfigUtils.configureSimpleSecurity(registry, this.authorizationProperties);
    // Fail closed: anything not explicitly allowed above is denied.
    registry.anyRequest().denyAll();
    this.securityStateBean.setAuthorizationEnabled(true);

    http.httpBasic();
    http.logout().logoutSuccessUrl(dashboard("/logout-success-oauth.html"));
    http.csrf().disable();
    http.exceptionHandling()
        // API and actuator clients get a Basic challenge; browsers are redirected to the login flow.
        .defaultAuthenticationEntryPointFor(basicEntryPoint, new AntPathRequestMatcher("/api/**"))
        .defaultAuthenticationEntryPointFor(basicEntryPoint, new AntPathRequestMatcher("/actuator/**"))
        .defaultAuthenticationEntryPointFor(
            new LoginUrlAuthenticationEntryPoint(this.authorizationProperties.getLoginProcessingUrl()),
            AnyRequestMatcher.INSTANCE);
    this.securityStateBean.setAuthenticationEnabled(true);
}
/**
 * Facebook-login-aware configuration. When a Facebook client id is configured the chain permits
 * every URL, redirects unauthenticated requests to "/login", logs out to "/", keeps the CSRF token
 * in a script-readable cookie and runs {@code ssoFilter()} before {@link BasicAuthenticationFilter}.
 * Without a client id every URL is simply permitted.
 *
 * <p>NOTE(review): {@code antMatchers("/**").permitAll()} precedes
 * {@code anyRequest().authenticated()}, so the latter can never match — every URL is public in
 * both branches; confirm that is intended.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final boolean facebookConfigured =
            facebook().getClientId() != null && !facebook().getClientId().isEmpty();

    if (!facebookConfigured) {
        http.antMatcher("/**").authorizeRequests().anyRequest().permitAll();
        return;
    }

    http.antMatcher("/**")
        .authorizeRequests()
            .antMatchers("/**").permitAll()
            .anyRequest().authenticated()
        .and()
        .exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
        .and()
        .logout().logoutSuccessUrl("/").permitAll()
        .and()
        .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .and()
        .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}
/**
 * Stateless API chain with form-style login at "/api/auth": CSRF is disabled, HTTP Basic failures
 * go to {@code unauthorisedEntryPoint}, the CORS filter runs before
 * {@link UsernamePasswordAuthenticationFilter} and the token filter before
 * {@link BasicAuthenticationFilter}. Login/logout outcomes are reported by handlers, logout
 * invalidates the session and deletes JSESSIONID, and every URL is permitted at the
 * authorization layer.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.httpBasic().authenticationEntryPoint(unauthorisedEntryPoint);
    http.addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class);
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    http.formLogin()
        .loginProcessingUrl("/api/auth")
        .usernameParameter("username")
        .passwordParameter("password")
        .successHandler(authenticationSuccessHandler())
        .failureHandler(authenticationFailureHandler());

    http.logout()
        .logoutSuccessHandler(logoutSuccessHandler())
        .invalidateHttpSession(true)
        .deleteCookies("JSESSIONID");

    // NOTE(review): permitAll on "/**" means the authorization layer never rejects; protection
    // rests entirely on the token filter and the controllers — confirm.
    http.authorizeRequests().antMatchers("/**").permitAll();

    http.addFilterBefore(tokenAuthenticationFilter, BasicAuthenticationFilter.class);
}
/**
 * Builds a {@link BasicAuthenticationFilter} whose authentication manager checks the Basic
 * credentials against the user's stored device token with BCrypt. Failures are ignored by the
 * filter (the chain continues unauthenticated) instead of triggering a Basic challenge.
 *
 * <p>NOTE(review): {@code BCrypt.checkpw(plaintext, hashed)} is called with the stored device
 * token as the plaintext and the client-supplied password as the bcrypt hash, i.e. the client is
 * expected to send a bcrypt hash of the token — confirm this is the intended protocol. A
 * malformed client value is mapped to {@link BadCredentialsException} only when BCrypt reports
 * it as {@link IllegalArgumentException}.
 *
 * @return the configured filter
 */
private Filter tokenProcessingFilter() {
    final AuthenticationManager deviceTokenManager = new AuthenticationManager() {
        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            final String rejected = "Invalid credentials! \n\n Please, login again.";

            final User user = userRepository.findByEmail(authentication.getName());
            if (user == null || user.getUsr() == null) {
                throw new BadCredentialsException(rejected);
            }

            final String storedToken = user.getUsr().getDeviceToken();
            final String suppliedHash = (String) authentication.getCredentials();
            boolean matches;
            try {
                matches = BCrypt.checkpw(storedToken, suppliedHash);
            } catch (IllegalArgumentException ignored) {
                // BCrypt rejects malformed hash strings; treat that like a wrong password.
                matches = false;
            }
            if (!matches) {
                throw new BadCredentialsException(rejected);
            }

            final Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            authorities.add(new SimpleGrantedAuthority(user.getRole().name()));
            return new PreAuthenticatedAuthenticationToken(
                    authentication.getPrincipal(), authentication.getCredentials(), authorities);
        }
    };

    return new BasicAuthenticationFilter(deviceTokenManager) {
        @Override
        protected boolean isIgnoreFailure() {
            // Let the request continue unauthenticated rather than emitting a Basic challenge.
            return true;
        }
    };
}
/**
 * Stateless JWT chain with cookie-based CSRF: the token check is skipped for "/api/login" and
 * "/api/signup", the CSRF token lives in a script-readable cookie, unauthenticated requests go to
 * {@code restAuthenticationEntryPoint}, the JWT filter runs before {@link BasicAuthenticationFilter}
 * and every request must be authenticated. Login is processed at "/api/login" with the injected
 * handlers; logout at "/api/logout" deletes the token cookie.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from the {@link HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf()
        // Login and signup have no token yet; everything else is checked.
        .ignoringAntMatchers("/api/login", "/api/signup")
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint);
    http.addFilterBefore(jwtAuthenticationTokenFilter(), BasicAuthenticationFilter.class);
    http.authorizeRequests().anyRequest().authenticated();

    http.formLogin()
        .loginPage("/api/login")
        .successHandler(authenticationSuccessHandler)
        .failureHandler(authenticationFailureHandler);

    http.logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/api/logout"))
        .logoutSuccessHandler(logoutSuccess)
        .deleteCookies(TOKEN_COOKIE);
}