/**
 * Form-login configuration: the login and post-logout pages are public, every other
 * request needs an authenticated session.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/login*", "/after**").permitAll()
        .anyRequest().authenticated();

    http.formLogin()
        .loginPage("/login.html")
        .defaultSuccessUrl("/deptform.html")
        .failureUrl("/login.html?error=true");

    // With CSRF enabled (below) the logout endpoint only accepts POST.
    http.logout()
        .logoutUrl("/logout.html")
        .logoutSuccessUrl("/after_logout.html");

    // The CSRF token cookie is deliberately readable by client-side script so the
    // front end can echo it back in a request header; only the token cookie is
    // affected, the session cookie keeps its own flags.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    // Issue a brand-new session at login so a pre-authentication session id cannot be reused.
    http.sessionManagement().sessionFixation().newSession();
}
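/**
 * Requires full (non-remember-me) authentication for everything except the landing page
 * and static resources.
 *
 * <p>The original version called {@code anyRequest()} twice on the same registry: the first
 * chain ended in {@code anyRequest().fullyAuthenticated()}, then a second
 * {@code authorizeRequests()} block added static-resource rules and a second
 * {@code anyRequest().permitAll()}. Rules are evaluated in registration order, so the second
 * block was unreachable at best and rejected at startup by newer Spring Security versions.
 * The static-resource patterns are now part of the single {@code permitAll()} rule and the
 * contradictory catch-all {@code permitAll()} is gone; the {@code fullyAuthenticated()}
 * catch-all is assumed to be the intended policy.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/index.html", "/CSS/**", "/JS/**", "/images/**").permitAll()
        .anyRequest().fullyAuthenticated();

    http.logout()
        .logoutSuccessUrl("/")
        .permitAll();

    // Custom authentication filter takes the slot normally held by HTTP Basic.
    http.addFilterAt(filter(), BasicAuthenticationFilter.class);

    // Token cookie readable by script so the client can return it as a header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}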
/**
 * Opens the root and {@code /open/**} to everyone; all other requests must be authenticated.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/", "/open/**").permitAll()
        .anyRequest().authenticated();

    // Unauthenticated access to a protected resource is redirected to the root page
    // rather than to a generated login form.
    http.exceptionHandling()
        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"));

    http.logout()
        .logoutSuccessUrl("/")
        .permitAll();

    // CSRF stays enabled; the token cookie is readable by script so a browser client
    // can send it back in a header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
/**
 * JSON-API style security: login and logout answer with plain HTTP status codes instead
 * of redirects, and access rules are defined per API path.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    http.formLogin()
        .loginProcessingUrl("/api/authentication")
        .successHandler((request, response, authentication) -> {
            response.setStatus(HttpServletResponse.SC_OK);
        })
        .failureHandler((request, response, exception) -> {
            // Generic message on purpose: do not reveal whether the user exists.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Wrong username or password");
        })
        .permitAll();

    http.logout()
        .logoutUrl("/api/logout")
        .logoutSuccessHandler((request, response, authentication) -> {
            response.setStatus(HttpServletResponse.SC_OK);
        })
        .permitAll();

    // NOTE(review): there is no trailing anyRequest() rule, so paths outside /api/** carry
    // no access rule here — confirm that is intended.
    http.authorizeRequests()
        .antMatchers("/api/account/registration").permitAll()
        .antMatchers(HttpMethod.GET, "/api/lots/**").permitAll()
        .antMatchers("/api/users").hasAuthority(ADMIN_ROLE)
        .antMatchers("/api/**").authenticated();
}
/**
 * Security configuration that lets the following requests through without authorization:
 * <ul>
 * <li>the landing page ({@code index.html})</li>
 * <li>compiled JS and CSS, fonts</li>
 * <li>files in the assets folder, e.g. Bootstrap CSS and Bootstrap or jQuery JS</li>
 * <li>API requests</li>
 * </ul>
 * Everything else requires authentication; the SSO filter runs before HTTP Basic.
 *
 * @param http {@link HttpSecurity} to configure
 * @throws Exception {@link Exception} if something goes wrong
 * @since 1.1.1-SNAPSHOT
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    http.antMatcher("/**");

    http.authorizeRequests()
        .antMatchers(
            "/",                                 // root
            "/login**",                          // login request
            "/app/get/**",                       // default "get" requests
            "/app/update/product/**/download",   // product update triggered by a download
            "/app/download/product/**",          // product downloads
            "/index.html",
            "/**.js",
            "/**.css",
            "/**.woff",
            "/**.woff2",
            "/**.ttf",
            "/assets/**",                        // static resources
            "/api**")
        .permitAll()
        .anyRequest().authenticated();

    http.logout()
        .logoutSuccessUrl("/")
        .permitAll();

    // Token cookie readable by script for the browser client; /nocsrf and /console/**
    // are excluded from CSRF checking altogether.
    http.csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .ignoringAntMatchers("/nocsrf", "/console/**");

    http.exceptionHandling()
        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"));

    // X-Frame-Options is not sent at all, so pages may be framed by any origin; the
    // commented-out intent in an earlier revision was to restrict framing to a single domain.
    http.headers().frameOptions().disable();

    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}
/**
 * HTTP Basic protected REST API with public front-end resources. CSRF protection is
 * switched on only when the CSRF profile is active.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/", "/home", "/login").permitAll()
        .antMatchers("/app/**").permitAll()
        .antMatchers("/vendor/**").permitAll()
        .antMatchers("/fonts/**").permitAll()
        .antMatchers("/assets/images/**").permitAll()
        .antMatchers("/*.js").permitAll()
        .antMatchers("/*.ttf").permitAll()
        .antMatchers("/*.woff2").permitAll()
        .anyRequest().authenticated();

    http.httpBasic();

    http.logout()
        .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
        .invalidateHttpSession(true)
        .deleteCookies("JSESSIONID");

    // CSRF is profile-gated; without the profile the filter is disabled entirely,
    // so cookie-based sessions are then unprotected against cross-site requests.
    List<String> activeProfiles = Arrays.asList(environment.getActiveProfiles());
    boolean csrfEnabled = activeProfiles.contains(MetronRestConstants.CSRF_ENABLE_PROFILE);
    if (!csrfEnabled) {
        http.csrf().disable();
    } else {
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
/**
 * SSO-backed configuration: root, login and webjars are public, everything else requires
 * authentication, and the SSO filter is placed ahead of HTTP Basic.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**");

    http.authorizeRequests()
        .antMatchers("/", "/login**", "/webjars/**").permitAll()
        .anyRequest().authenticated();

    // Send unauthenticated users to the root page rather than a default login form.
    http.exceptionHandling()
        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"));

    http.logout()
        .logoutSuccessUrl("/")
        .permitAll();

    // Script-readable token cookie so the browser client can return it in a header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}
/**
 * Enables the Facebook SSO flow only when a client id is configured; otherwise every
 * request is simply permitted.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    String clientId = facebook().getClientId();
    boolean facebookConfigured = clientId != null && !clientId.isEmpty();

    if (!facebookConfigured) {
        http.antMatcher("/**").authorizeRequests().anyRequest().permitAll();
        return;
    }

    http.antMatcher("/**");

    // NOTE(review): "/**" permitAll() matches every request, so the following
    // anyRequest().authenticated() rule is never reached; protected pages, if any, are
    // expected to be guarded elsewhere.
    http.authorizeRequests()
        .antMatchers("/**").permitAll()
        .anyRequest().authenticated();

    http.exceptionHandling()
        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));

    http.logout()
        .logoutSuccessUrl("/")
        .permitAll();

    // Script-readable token cookie for the browser client.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}
/**
 * Default logout, public HTML pages and login endpoint, authentication for everything else.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.logout();

    http.authorizeRequests()
        .antMatchers("/**/*.html", "/login").permitAll()
        .anyRequest().authenticated();

    // Token cookie readable by script so the front end can return it as a header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
/**
 * Single-page-app configuration: static resources, login and the catalog API are public,
 * everything else needs authentication.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**");

    http.authorizeRequests()
        .antMatchers("/", "/index.html", "/assets/**", "/login", "/api/catalog/**").permitAll()
        .anyRequest().authenticated();

    http.logout()
        .logoutSuccessUrl("/")
        .permitAll();

    // Angular expects the server to set a cookie named "XSRF-TOKEN"; when it sees it, it
    // sends the value back as the "X-XSRF-TOKEN" header. The cookie therefore must not be
    // HttpOnly. Be aware that any script injected into the page can read it as well, so
    // XSS defences remain essential. Disabling CSRF instead would work but is not safe.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
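/**
 * Form-login configuration for the site: public browsing paths, a privileged session-list
 * endpoint, single-session concurrency control, and cookie-based CSRF tokens.
 *
 * <p>Fixes versus the previous revision: the {@code hottest/**} pattern had no leading slash,
 * and Ant patterns without one never match a servlet path (which always starts with
 * {@code /}), so those pages were unintentionally protected — the pattern is now
 * {@code /hottest/**}. The CSRF matcher is also written with explicit parentheses so the
 * evaluation order is visible (behaviour is unchanged).
 *
 * @param security the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity security) throws Exception {
    security.authorizeRequests()
        .antMatchers("/", "/list/**", "/articles/**", "/search/**", "/popular", "/popular/**",
                     "/hottest/**", "/about", "/profile", "/fs/**").permitAll()
        .antMatchers("/api/session/list").hasAuthority("VIEW_USER_SESSIONS")
        .anyRequest().authenticated();

    security.formLogin()
        .loginPage("/login").failureUrl("/login?loginFailed")
        .defaultSuccessUrl("/admin")
        .usernameParameter("username")
        .passwordParameter("password")
        .permitAll();

    security.logout()
        .logoutUrl("/logout").logoutSuccessUrl("/login?loggedOut")
        .invalidateHttpSession(true).deleteCookies("JSESSIONID")
        .permitAll();

    // Rotate the session id on login; at most one session per user, newest login wins.
    security.sessionManagement()
        .sessionFixation().changeSessionId()
        .maximumSessions(1).maxSessionsPreventsLogin(false)
        .sessionRegistry(this.sessionRegistry());

    security.csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .requireCsrfProtectionMatcher(request -> {
            String method = request.getMethod();
            boolean apiRequest = request.getServletPath().startsWith("/api/");
            // As written (and parenthesised here to match Java precedence), only POST is
            // exempted under /api/; PUT, DELETE and PATCH are checked on every path.
            // The original intent was to skip CSRF for REST endpoints entirely. Note that
            // /api/ requests in this application are authenticated by the same session
            // cookie as the pages, so a CSRF exemption there is a real gap; widening the
            // exemption should be a deliberate decision rather than a precedence fix.
            return (!apiRequest && "POST".equals(method))
                || "PUT".equals(method)
                || "DELETE".equals(method)
                || "PATCH".equals(method);
        });
}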
/**
 * Stateless JWT configuration: no server-side session, a JWT filter ahead of HTTP Basic,
 * REST-style entry point and handlers, and CSRF tokens delivered via cookie.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Login and signup have no session yet and are exempt from the CSRF check.
    http.csrf()
        .ignoringAntMatchers("/api/login", "/api/signup")
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    http.exceptionHandling()
        .authenticationEntryPoint(restAuthenticationEntryPoint);

    http.addFilterBefore(jwtAuthenticationTokenFilter(), BasicAuthenticationFilter.class);

    http.authorizeRequests()
        .anyRequest().authenticated();

    http.formLogin()
        .loginPage("/api/login")
        .successHandler(authenticationSuccessHandler)
        .failureHandler(authenticationFailureHandler);

    // Logout clears the token cookie so the browser stops presenting the JWT.
    http.logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/api/logout"))
        .logoutSuccessHandler(logoutSuccess)
        .deleteCookies(TOKEN_COOKIE);
}
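/**
 * Public root, login and {@code public} sub-trees; authentication for everything else.
 *
 * <p>Fix versus the previous revision: the pattern {@code **&#47;public/**} had no leading
 * slash. Ant patterns without a leading slash never match a servlet path (which always
 * starts with {@code /}), so the public sub-trees were silently protected. The pattern is
 * now {@code /**&#47;public/**}.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/", "/login", "/login/**", "/**/public/**").permitAll()
        .anyRequest().authenticated();

    http.exceptionHandling();

    http.logout()
        .logoutSuccessUrl("/")
        .permitAll();

    // Script-readable token cookie so the browser client can echo it in a header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}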
/**
 * SSO configuration ordered to override Spring Boot's default access rules: form login,
 * public root/login/images/webjars, and the SSO filter ahead of HTTP Basic.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected void configure(HttpSecurity http) throws Exception {
    http.formLogin();

    http.antMatcher("/**");

    http.authorizeRequests()
        .antMatchers("/", "/login**", "/img/**", "/webjars/**").permitAll()
        .anyRequest().authenticated();

    http.exceptionHandling()
        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"));

    http.logout()
        .logoutSuccessUrl("/")
        .permitAll();

    // Script-readable token cookie for the browser client.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}
/**
 * Logout that clears authentication and the HTTP session, public root and login,
 * authentication for everything else.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.logout()
        .logoutUrl("/logout")
        .logoutSuccessUrl("/auth/logout")
        .clearAuthentication(true)
        .invalidateHttpSession(true);

    http.antMatcher("/**");

    http.authorizeRequests()
        .antMatchers("/", "/login").permitAll()
        .anyRequest().authenticated();

    // Script-readable token cookie so the browser client can return it in a header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
/**
 * SSO configuration: root, login, webjars and the application script are public, the rest
 * requires authentication; the SSO filter runs ahead of HTTP Basic.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**");

    http.authorizeRequests()
        .antMatchers("/", "/login**", "/webjars/**", "/js/application.js").permitAll()
        .anyRequest().authenticated();

    http.exceptionHandling()
        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"));

    http.logout()
        .logoutSuccessUrl("/")
        .permitAll();

    // Script-readable token cookie for the browser client.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}
/**
 * SSO configuration with HSTS switched off and no saved-request cache.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**");

    http.authorizeRequests()
        .antMatchers("/", "/login**", "/webjars**").permitAll()
        .anyRequest().authenticated();

    // Default entry point; an explicit LoginUrlAuthenticationEntryPoint was dropped earlier.
    http.exceptionHandling();

    http.logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        .logoutSuccessUrl("/")
        .permitAll();

    // Script-readable token cookie for the browser client.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    http.addFilterBefore(this.ssoFilter(), DigestAuthenticationFilter.class);

    // Strict-Transport-Security is not emitted; if the application is served over TLS,
    // browsers will not be told to refuse plain-HTTP connections.
    http.headers().httpStrictTransportSecurity().disable();

    // No request is remembered across the login redirect.
    http.requestCache().requestCache(new NullRequestCache());
}
/**
 * Main entry point for configuring the {@link HttpSecurity}: cookie-based CSRF tokens for
 * the Angular client, role-hierarchy aware access rules, a stateless JWT filter and a custom
 * error handler.
 *
 * @param http the {@link HttpSecurity} to modify
 * @throws Exception if an error occurs
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CSRF protection for Angular: the token cookie is readable by script so the client
    // can echo it as a header. /rest/auth/token (token issue and refresh) is exempt.
    http.csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .ignoringAntMatchers("/rest/auth/token");

    // Access rules evaluated through the role-hierarchy expression handler.
    // NOTE(review): "/admin/**" is permitAll() here — confirm that the admin UI enforces
    // its own authorization, otherwise this rule needs a role restriction.
    http.authorizeRequests()
        .expressionHandler(expressionHandler())
        .antMatchers("/").permitAll()
        .antMatchers("/rest/repository/browser/**").permitAll()
        .antMatchers("/admin/**").permitAll()
        .antMatchers("/rest/auth/token").permitAll()
        .antMatchers("/docs/index.html").permitAll()
        .anyRequest().authenticated();

    // Our handler answers when authentication or authorization fails.
    http.exceptionHandling()
        .authenticationEntryPoint(unauthorizedHandler);

    // No HTTP session: the JWT carries the authentication.
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // JWT based security filter, placed before the username/password filter.
    http.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

    // Cache-Control headers are left to the application.
    http.headers().cacheControl().disable();
}
/**
 * Public root, login and webjars; authentication for everything else.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**");

    http.authorizeRequests()
        .antMatchers("/", "/login**", "/webjars**").permitAll()
        .anyRequest().authenticated();

    http.logout()
        .logoutSuccessUrl("/")
        .permitAll();

    // Script-readable token cookie so the browser client can return it in a header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
/**
 * JHipster-style security: cookie CSRF token, CORS filter, AJAX login/logout handlers,
 * remember-me, and per-endpoint access rules for the API, management and Swagger paths.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Token cookie readable by script so the SPA can send it back as a header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    http.addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class);

    http.exceptionHandling()
        .authenticationEntryPoint(http401UnauthorizedEntryPoint());

    // Remember-me key comes from configuration; it must stay secret, as it signs the cookie.
    http.rememberMe()
        .rememberMeServices(rememberMeServices)
        .rememberMeParameter("remember-me")
        .key(jHipsterProperties.getSecurity().getRememberMe().getKey());

    http.formLogin()
        .loginProcessingUrl("/api/authentication")
        .successHandler(ajaxAuthenticationSuccessHandler())
        .failureHandler(ajaxAuthenticationFailureHandler())
        .usernameParameter("j_username")
        .passwordParameter("j_password")
        .permitAll();

    http.logout()
        .logoutUrl("/api/logout")
        .logoutSuccessHandler(ajaxLogoutSuccessHandler())
        .permitAll();

    // X-Frame-Options is not sent, so pages can be framed by any origin.
    http.headers().frameOptions().disable();

    http.authorizeRequests()
        .antMatchers("/api/register").permitAll()
        .antMatchers("/api/activate").permitAll()
        .antMatchers("/api/authenticate").permitAll()
        .antMatchers("/api/account/reset_password/init").permitAll()
        .antMatchers("/api/account/reset_password/finish").permitAll()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/v2/api-docs/**").permitAll()
        .antMatchers("/swagger-resources/configuration/ui").permitAll()
        .antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN);
}
/**
 * JHipster-style security with public webhook and v1 API paths (also exempt from CSRF),
 * AJAX login/logout handlers, remember-me, same-origin framing and websocket rules.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Webhooks and the v1 API are called by non-browser clients and skip the CSRF check;
    // the token cookie is readable by script for the SPA.
    http.csrf()
        .ignoringAntMatchers("/api/webhooks/**", "/api/v1/**")
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    http.exceptionHandling()
        .authenticationEntryPoint(authenticationEntryPoint);

    // Remember-me key comes from configuration and signs the remember-me cookie.
    http.rememberMe()
        .rememberMeServices(rememberMeServices)
        .rememberMeParameter("remember-me")
        .key(jHipsterProperties.getSecurity().getRememberMe().getKey());

    http.formLogin()
        .loginProcessingUrl("/api/authentication")
        .successHandler(ajaxAuthenticationSuccessHandler)
        .failureHandler(ajaxAuthenticationFailureHandler)
        .usernameParameter("j_username")
        .passwordParameter("j_password")
        .permitAll();

    http.logout()
        .logoutUrl("/api/logout")
        .logoutSuccessHandler(ajaxLogoutSuccessHandler)
        .permitAll();

    // Pages may only be framed by the same origin.
    http.headers().frameOptions().sameOrigin();

    // Registration and password-reset endpoints are intentionally not opened here.
    http.authorizeRequests()
        .antMatchers("/api/activate").permitAll()
        .antMatchers("/api/authenticate").permitAll()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/webhooks/**").permitAll()
        .antMatchers("/api/v1/**").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/websocket/tracker").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/websocket/**").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/v2/api-docs/**").permitAll()
        .antMatchers("/swagger-resources/configuration/ui").permitAll()
        .antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN);
}
/**
 * JHipster-style security: cookie CSRF token, CORS filter ahead of the CSRF filter,
 * problem-detail error responses, AJAX login/logout handlers, remember-me and access rules.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Token cookie readable by script so the SPA can send it back as a header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    // CORS must be handled before the CSRF check so pre-flight requests get an answer.
    http.addFilterBefore(corsFilter, CsrfFilter.class);

    http.exceptionHandling()
        .authenticationEntryPoint(problemSupport)
        .accessDeniedHandler(problemSupport);

    // Remember-me key comes from configuration and signs the remember-me cookie.
    http.rememberMe()
        .rememberMeServices(rememberMeServices)
        .rememberMeParameter("remember-me")
        .key(jHipsterProperties.getSecurity().getRememberMe().getKey());

    http.formLogin()
        .loginProcessingUrl("/api/authentication")
        .successHandler(ajaxAuthenticationSuccessHandler())
        .failureHandler(ajaxAuthenticationFailureHandler())
        .usernameParameter("j_username")
        .passwordParameter("j_password")
        .permitAll();

    http.logout()
        .logoutUrl("/api/logout")
        .logoutSuccessHandler(ajaxLogoutSuccessHandler())
        .permitAll();

    // X-Frame-Options is not sent, so pages can be framed by any origin.
    http.headers().frameOptions().disable();

    http.authorizeRequests()
        .antMatchers("/api/register").permitAll()
        .antMatchers("/api/activate").permitAll()
        .antMatchers("/api/authenticate").permitAll()
        .antMatchers("/api/account/reset-password/init").permitAll()
        .antMatchers("/api/account/reset-password/finish").permitAll()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/v2/api-docs/**").permitAll()
        .antMatchers("/swagger-resources/configuration/ui").permitAll()
        .antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN);
}
/**
 * REST-style configuration: public account-management endpoints, admin-only API docs and
 * user administration, REST entry point and handlers, remember-me, and a CSRF matcher
 * supplied by the application.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // All default security headers (frame options, content-type options, HSTS, cache
    // control, XSS protection) are switched off; any of them the client needs must be
    // set elsewhere.
    http.headers().disable();

    http.authorizeRequests()
        .antMatchers("/failure").permitAll()
        .antMatchers("/user/session").permitAll()
        .antMatchers("/user/createaccount").permitAll()
        .antMatchers("/user/resetPassword").permitAll()
        .antMatchers("/user/processResetPasswordUrl").permitAll()
        .antMatchers("/user/changePassword").permitAll()
        .antMatchers("/user/registrationConfirm").permitAll()
        .antMatchers("/v2/api-docs").hasAnyAuthority("admin")
        .antMatchers("/users/**").hasAnyAuthority("admin")
        .anyRequest().authenticated();

    http.exceptionHandling()
        .authenticationEntryPoint(restAuthenticationEntryPoint)
        .accessDeniedHandler(restAccessDeniedHandler);

    http.formLogin()
        .loginProcessingUrl("/authenticate")
        .successHandler(restAuthenticationSuccessHandler)
        .failureHandler(restAuthenticationFailureHandler)
        .usernameParameter("username")
        .passwordParameter("password")
        .permitAll();

    http.logout()
        .logoutUrl("/logout")
        .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
        .deleteCookies("JSESSIONID")
        .permitAll();

    http.rememberMe()
        .rememberMeServices(rememberMeServices)
        .key(REMEMBER_ME_KEY);

    // Which requests are CSRF-checked is decided by csrfRequestMatcher; the token
    // cookie is readable by script for the browser client.
    http.csrf()
        .requireCsrfProtectionMatcher(csrfRequestMatcher)
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
/**
 * Azure AD backed configuration: only {@code /api/**} requires authentication, the rest of
 * the site is public; the AAD filter runs ahead of the username/password filter.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Rules are matched in this order: /home and /api/** first, then the catch-all.
    http.authorizeRequests()
        .antMatchers("/home").permitAll()
        .antMatchers("/api/**").authenticated()
        .anyRequest().permitAll();

    http.logout()
        .logoutSuccessUrl("/")
        .permitAll();

    // Script-readable token cookie so the browser client can return it in a header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    http.addFilterBefore(aadAuthFilter, UsernamePasswordAuthenticationFilter.class);
}
/**
 * CSRF token repository for the AngularJS client.
 *
 * <p>Angular reads the token from a cookie and sends it back as a request header, so the
 * cookie must not be HttpOnly; only the CSRF token cookie is affected by this setting.
 *
 * @return a cookie-based {@link CookieCsrfTokenRepository} whose token cookie is readable by script
 */
@Bean
public CookieCsrfTokenRepository tokenRepository() {
    final CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
    return repository;
}