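/**
 * Configures HTTP security for an API-style application using form login.
 *
 * <p>Authorization rules are evaluated in declaration order and the first matching rule wins,
 * so the public login paths are declared before the {@code anyRequest()} catch-all. The
 * original declared them after it, which leaves the {@code permitAll()} rule unreachable
 * (and recent Spring Security versions reject matchers configured after {@code anyRequest()}).
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            // Paths that may be accessed without any authority.
            .mvcMatchers("/login", "/login/wechat").permitAll()
            // Every other request requires a full authentication (not anonymous, not remember-me).
            .anyRequest().fullyAuthenticated()
            .and()
        .formLogin()
            // Handling after a successful login; this is an API, so no page redirect is done.
            .successHandler(new MyAuthenticationSuccessHandler())
            // Handling after a failed login.
            .failureHandler(new MySimpleUrlAuthenticationFailureHandler())
            .and()
        // Handling after logout.
        .logout().logoutSuccessHandler(new RestLogoutSuccessHandler())
            .and()
        // Handling when a request is not authenticated.
        .exceptionHandling()
            .authenticationEntryPoint(new RestAuthenticationEntryPoint());

    // addFilterAt registers the custom interceptor at the same position as the default
    // FilterSecurityInterceptor; it does not remove the default one, so both take part
    // in the access decision.
    http.addFilterAt(myFilterSecurityInterceptor, FilterSecurityInterceptor.class);
    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);

    // NOTE(review): CSRF protection is switched off. Form login normally authenticates
    // later requests through a session cookie, so state-changing endpoints called from a
    // browser have no CSRF token check. The commented-out line below is the cookie-based
    // token repository alternative for JavaScript clients.
    //http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    http.csrf().disable();
}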
/**
 * Replaces the URL authorization rules of the given interceptor with the ones in
 * {@code resourceMap}.
 *
 * <p>Each key is used as an Ant path pattern and each value as a comma-delimited list of
 * config attributes. Rules are stored in the iteration order of {@code resourceMap};
 * the metadata source returns the attributes of the first pattern that matches, so callers
 * should pass a map with a deliberate, stable order (most specific pattern first).
 *
 * <p>NOTE(review): a URL that matches none of the patterns gets no attributes. Unless
 * {@code rejectPublicInvocations} is enabled on the interceptor, such requests are treated
 * as public, so the map should end with a catch-all pattern if everything is meant to be
 * protected.
 *
 * @param filterSecurityInterceptor the interceptor whose metadata source is replaced; must not be null
 * @param resourceMap               Ant pattern to comma-delimited attribute list; must not be null
 */
public void execute(FilterSecurityInterceptor filterSecurityInterceptor, Map<String, String> resourceMap) {
    Assert.notNull(filterSecurityInterceptor);
    Assert.notNull(resourceMap);
    logger.info("refresh url resource");

    LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> rules =
            new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();
    for (Map.Entry<String, String> rule : resourceMap.entrySet()) {
        RequestMatcher matcher = new AntPathRequestMatcher(rule.getKey());
        Collection<ConfigAttribute> attributes =
                SecurityConfig.createListFromCommaDelimitedString(rule.getValue());
        rules.put(matcher, attributes);
    }

    // Swap in the freshly built rule set in one step.
    filterSecurityInterceptor.setSecurityMetadataSource(
            new DefaultFilterInvocationSecurityMetadataSource(rules));
}
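/**
 * Configures CAS-based authentication, user switching and response headers.
 *
 * <p>Ant matcher rules are evaluated in declaration order and the first match wins. The
 * switch-user rules are therefore declared before the permit-all catch-all; in the original
 * order they came after it and could never be reached, leaving the switch-user paths
 * without the intended authority check.
 *
 * @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity)
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.exceptionHandling()
            .authenticationEntryPoint(casEntryPoint())
            .and()
        .authorizeRequests()
            .antMatchers(ConstanteUtils.SECURITY_CONNECT_PATH + "/**").authenticated()
            // Switching to another user requires the admin profile right.
            .antMatchers(ConstanteUtils.SECURITY_SWITCH_PATH)
                .hasAuthority(NomenclatureUtils.DROIT_PROFIL_ADMIN)
            // Switching back requires the authority granted to a switched session.
            .antMatchers(ConstanteUtils.SECURITY_SWITCH_BACK_PATH)
                .hasAuthority(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR)
            // Catch-all: everything else is public at this layer.
            .antMatchers("/**").permitAll()
            // Never reached while the catch-all above exists; kept as a fail-safe default
            // should that rule be removed.
            .anyRequest().authenticated()
            .and()
        .addFilterBefore(singleSignOutFilter(), LogoutFilter.class)
        .addFilter(new LogoutFilter(casUrl + ConstanteUtils.SECURITY_LOGOUT_PATH,
                new SecurityContextLogoutHandler()))
        .addFilter(casAuthenticationFilter())
        .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class)
        /* Spring Security's Cross-Site Request Forgery protection is disabled;
           Vaadin implements its own protection. */
        .csrf().disable()
        .headers()
            /* Allows the application to be displayed inside an iframe.
               NOTE(review): this removes X-Frame-Options for every origin; sameOrigin()
               is the narrower setting if only same-site embedding is needed. */
            .frameOptions().disable()
            /* Removes the browser cache-control headers to work around the IE font-loading
               bug, cf. http://stackoverflow.com/questions/7748140/font-face-eot-not-loading-over-https
               NOTE(review): authenticated responses then become cacheable by default. */
            .cacheControl().disable();
}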
/**
 * Configures HTTP security: public site pages, a form login under {@code /admin/login},
 * and authentication for everything else.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): CSRF protection is off while login is session-based form login, so
    // state-changing requests from a browser carry no CSRF token check.
    http.csrf().disable();
    // NOTE(review): X-Frame-Options is removed for every origin, which also lets the admin
    // login page be framed; sameOrigin() is the narrower setting.
    http.headers().frameOptions().disable();

    http.authorizeRequests()
            // Public paths. "/*" matches every single-segment path, not only the home page.
            .antMatchers("/admin/login", "/", "/*", "/blog/**", "/portfolio/**", "/tweet/**").permitAll()
            // Any other request is accessible only after login.
            .anyRequest().authenticated();

    http.formLogin()
            .loginPage("/admin/login")
            .failureUrl("/admin/login?error")
            // The login page is accessible to everyone.
            .permitAll();

    // Logout is accessible to everyone.
    http.logout().permitAll();

    http.addFilterBefore(myFilterSecurityInterceptor, FilterSecurityInterceptor.class);
}
/**
 * Excludes static resources from Spring Security and registers the interceptor that
 * Thymeleaf should use. The ignore list is the equivalent of:
 * <pre>{@code
 *     <http pattern="/resources/**" security="none"/>
 *     <http pattern="/css/**" security="none"/>
 *     <http pattern="/webjars/**" security="none"/>
 * }</pre>
 *
 * @param web the WebSecurity builder to configure
 * @throws Exception declared by the overridden method
 */
@Override
public void configure(final WebSecurity web) throws Exception {
    // Requests matching these patterns skip the security filter chain entirely: no
    // authentication, no authorization and no security response headers. Only static,
    // non-sensitive assets should live under these paths.
    web.ignoring().antMatchers("/resources/**", "/css/**", "/webjars/**");

    // Thymeleaf needs to use the Thymeleaf configured FilterSecurityInterceptor
    // and not the default Filter from AutoConfiguration.
    final HttpSecurity httpSecurity = getHttp();
    web.postBuildAction(() ->
            web.securityInterceptor(httpSecurity.getSharedObject(FilterSecurityInterceptor.class)));
}
/**
 * Removes static resource paths from Spring Security's processing and hands the
 * HttpSecurity-built interceptor to WebSecurity. The ignore list corresponds to:
 * <pre>{@code
 *     <http pattern="/resources/**" security="none"/>
 *     <http pattern="/css/**" security="none"/>
 *     <http pattern="/webjars/**" security="none"/>
 * }</pre>
 *
 * @param web the WebSecurity builder to configure
 * @throws Exception declared by the overridden method
 */
@Override
public void configure(final WebSecurity web) throws Exception {
    // Ignored paths bypass every security filter, so nothing served from them is
    // authenticated, authorized or given security headers.
    web.ignoring().antMatchers("/resources/**", "/css/**", "/webjars/**");

    // Thymeleaf needs to use the Thymeleaf configured FilterSecurityInterceptor
    // and not the default Filter from AutoConfiguration.
    final HttpSecurity builtHttp = getHttp();
    web.postBuildAction(() ->
            web.securityInterceptor(builtHttp.getSharedObject(FilterSecurityInterceptor.class)));
}
/**
 * Tells Spring Security to ignore static resources and webjars, then registers the
 * interceptor for Thymeleaf once the build has finished. The ignore list matches:
 * <pre>{@code
 *     <http pattern="/resources/**" security="none"/>
 *     <http pattern="/css/**" security="none"/>
 *     <http pattern="/webjars/**" security="none"/>
 * }</pre>
 *
 * @param web the WebSecurity builder to configure
 * @throws Exception declared by the overridden method
 */
@Override
public void configure(final WebSecurity web) throws Exception {
    // Ignore static resources and webjars from Spring Security. These requests never
    // enter the filter chain, so they receive no access checks and no security headers.
    web.ignoring().antMatchers("/resources/**", "/css/**", "/webjars/**");

    // Thymeleaf needs to use the Thymeleaf configured FilterSecurityInterceptor
    // and not the default Filter from AutoConfiguration.
    final HttpSecurity configuredHttp = getHttp();
    web.postBuildAction(() ->
            web.securityInterceptor(configuredHttp.getSharedObject(FilterSecurityInterceptor.class)));
}
/**
 * Ignores static resources and webjars, and after the build installs a custom security
 * metadata source on the shared interceptor before registering it with WebSecurity.
 * The ignore list is the equivalent of:
 * <pre>{@code
 *     <http pattern="/resources/**" security="none"/>
 *     <http pattern="/css/**" security="none"/>
 *     <http pattern="/webjars/**" security="none"/>
 * }</pre>
 *
 * @param web the WebSecurity builder to configure
 * @throws Exception declared by the overridden method
 */
@Override
public void configure(final WebSecurity web) throws Exception {
    // Ignore static resources and webjars from Spring Security. These requests never
    // enter the filter chain, so they receive no access checks and no security headers.
    web.ignoring().antMatchers("/resources/**", "/css/**", "/webjars/**");

    // Thymeleaf needs to use the Thymeleaf configured FilterSecurityInterceptor
    // and not the default Filter from AutoConfiguration.
    final HttpSecurity configuredHttp = getHttp();
    web.postBuildAction(() -> {
        final FilterSecurityInterceptor interceptor =
                configuredHttp.getSharedObject(FilterSecurityInterceptor.class);
        // NOTE(review): this replaces the interceptor's metadata source with metadataSource;
        // presumably the rules declared through authorizeRequests() no longer apply to it
        // afterwards - confirm. URLs the new source has no attributes for are treated as
        // public unless rejectPublicInvocations is enabled.
        interceptor.setSecurityMetadataSource(metadataSource);
        web.securityInterceptor(interceptor);
    });
}