/**
 * HTTPS-only SAML SSO chain: every request must arrive over a secure channel, unauthenticated
 * callers are sent to the SAML entry point, and only the SAML, health and error endpoints are
 * reachable anonymously.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.requiresChannel()
            // Plain-HTTP requests are not served; they must be redirected to HTTPS.
            .anyRequest().requiresSecure()
        .and()
        .httpBasic()
            .authenticationEntryPoint(samlEntryPoint())
        .and()
        // NOTE(review): CSRF is switched off for the whole chain, not only for /saml/**;
        // confirm no cookie-authenticated state-changing endpoint relies on it.
        .csrf().disable()
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
        .authorizeRequests()
            .antMatchers("/saml/**", "/health", "/error").permitAll()
            .anyRequest().authenticated();
}
/**
 * Stateless, token-style chain: no HTTP session is created, unauthenticated requests get a 401
 * from {@code http401UnauthorizedEntryPoint}, and only {@code /login/**} is open.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CSRF protection is disabled; with a STATELESS session policy no session cookie is issued,
    // so presumably authentication is carried per request by statelessAuthenticationFilter.
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.exceptionHandling().authenticationEntryPoint(http401UnauthorizedEntryPoint);
    http.authorizeRequests()
            .antMatchers("/login/**").permitAll()
            .anyRequest().authenticated();
    // CORS runs first in the chain; the stateless authentication runs in place of form login.
    http.addFilterBefore(crossOriginResourceSharingFilter, ChannelProcessingFilter.class);
    http.addFilterBefore(statelessAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
}
/**
 * Stateless API chain: CORS preflight ({@code OPTIONS}) is always allowed, everything else needs an
 * authenticated caller; HTTP Basic and CSRF are both switched off.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.authorizeRequests()
            // Browsers send preflights without credentials, so they must not require auth.
            .antMatchers(HttpMethod.OPTIONS, "**").permitAll()
            .anyRequest().authenticated();
    http.httpBasic().disable();
    // No session cookie is issued (STATELESS), so CSRF protection is not needed here.
    http.csrf().disable();
    http.addFilterBefore(corsFilter(), ChannelProcessingFilter.class);
}
/** * Fluent API that pre-configures HttpSecurity with SAML specific configuration. * * @param http HttpSecurity instance * @return Same HttpSecurity instance * @throws Exception Exception */ // CSRF must be disabled when processing /saml/** to prevent "Expected CSRF token not found" exception. // See: http://stackoverflow.com/questions/26508835/spring-saml-extension-and-spring-security-csrf-protection-conflict/26560447 protected final HttpSecurity samlizedConfig(final HttpSecurity http) throws Exception { http.httpBasic().authenticationEntryPoint(samlEntryPoint()) .and() .csrf().ignoringAntMatchers("/saml/**") .and() .authorizeRequests().antMatchers("/saml/**").permitAll() .and() .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class) .addFilterAfter(filterChainProxy(), BasicAuthenticationFilter.class); // store CSRF token in cookie if (samlConfigBean().getStoreCsrfTokenInCookie()) { http.csrf() .csrfTokenRepository(csrfTokenRepository()) .and() .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class); } return http; }
/**
 * Extends the inherited configuration for the {@code /oidc/**} and {@code /sso/**} URL space:
 * a CORS filter is added, CSRF is disabled, and a few public endpoints are opened while the rest
 * of the API requires an authenticated caller. Finer-grained checks live on the controller methods.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);

    http.addFilterBefore(new SimpleCorsFilter(), ChannelProcessingFilter.class);
    // NOTE(review): CSRF is disabled for this chain; confirm the API is not driven by
    // cookie-authenticated browser sessions.
    http.csrf().disable();

    // This chain only handles the OIDC API and the Keycloak adapter URLs ("/sso/**").
    http.requestMatchers().antMatchers("/oidc/**", "/sso/**");

    http.authorizeRequests()
            .expressionHandler(webExpressionHandler())
            // Public endpoints: bug reports, organisation applications and certificate status.
            .antMatchers(HttpMethod.POST, "/oidc/api/report-bug").permitAll()
            .antMatchers(HttpMethod.POST, "/oidc/api/org/apply").permitAll()
            .antMatchers(HttpMethod.GET, "/oidc/api/certificates/crl/*").permitAll()
            .antMatchers(HttpMethod.GET, "/oidc/api/certificates/ocsp/**").permitAll()
            .antMatchers(HttpMethod.POST, "/oidc/api/certificates/ocsp/*").permitAll()
            // Everything else under the API needs an authenticated caller, whatever the verb.
            .antMatchers(HttpMethod.POST, "/oidc/api/**").authenticated()
            .antMatchers(HttpMethod.PUT, "/oidc/api/**").authenticated()
            .antMatchers(HttpMethod.DELETE, "/oidc/api/**").authenticated()
            .antMatchers(HttpMethod.GET, "/oidc/api/**").authenticated();
}
/**
 * SAML SSO chain: the root page and the SAML endpoints are public, everything else requires an
 * authenticated user, and logging out returns to the root page.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic()
            .authenticationEntryPoint(samlEntryPoint())
        .and()
        // NOTE(review): CSRF is disabled chain-wide rather than only for /saml/** — confirm.
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/", "/saml/**").permitAll()
            .anyRequest().authenticated()
        .and()
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
        .logout()
            .logoutSuccessUrl("/");
}
/**
 * HTTP Basic chain with CORS support and a cookie-readable CSRF token. The STOMP broker endpoint
 * is left open; every other request needs the USER role.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CORS handling, see http://stackoverflow.com/questions/31724994/spring-data-rest-and-cors
    http.addFilterBefore(newCorsFilter(), ChannelProcessingFilter.class);
    http.httpBasic();
    http.authorizeRequests()
            // When running the local simple STOMP broker the credentials handed to
            // AngularStompDK in atacama do not work, so the broker has to stay unsecured for now.
            .antMatchers("/ticks/**").permitAll()
            .anyRequest().hasAnyRole("USER");
    // CSRF stays enabled; the token is stored by the custom repository and exposed by
    // CsrfHeaderFilter, which runs right after CsrfFilter.
    http.csrf().csrfTokenRepository(newCsrfTokenRepository());
    http.addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class);
}
/**
 * Form-login chain: {@code /login} is public, credentials are posted as {@code email} /
 * {@code password}, CSRF protection stays enabled, and access-denied errors render {@code /403}.
 *
 * @param httpSecurity the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity.authorizeRequests()
            .antMatchers("/login").permitAll();
    httpSecurity.formLogin()
            .loginPage("/login")
            .loginProcessingUrl("/j_spring_security_check")
            .failureUrl("/login?error")
            .usernameParameter("email")
            .passwordParameter("password");
    httpSecurity.logout()
            .logoutUrl("/j_spring_security_logout")
            .logoutSuccessUrl("/login?logout");
    // Explicitly keep CSRF protection on (the default) for the session-based form login.
    httpSecurity.csrf();
    httpSecurity.exceptionHandling()
            .accessDeniedPage("/403");
    httpSecurity.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);
}
/**
 * Appends a {@link ChannelProcessingFilter} to {@code filters} that applies one channel rule to
 * every request: {@code ANY_CHANNEL} for {@code Protocol.HTTP}, {@code REQUIRES_SECURE_CHANNEL}
 * for {@code Protocol.HTTPS}.
 *
 * @param filters the filter list to extend (mutated)
 * @param protocol the protocol the channel rule is derived from; a {@code null} value fails on
 *     the {@code switch}
 */
private void addSecureChannel(List<Filter> filters, Protocol protocol) {
    Collection<ConfigAttribute> channelRule = new ArrayList<>();
    switch (protocol) {
        case HTTP:
            channelRule.add(new SecurityConfig("ANY_CHANNEL"));
            break;
        case HTTPS:
            channelRule.add(new SecurityConfig("REQUIRES_SECURE_CHANNEL"));
            break;
        default:
            // NOTE(review): any other Protocol value maps every request to an empty attribute
            // set, i.e. no channel decision is enforced — confirm that is intended.
    }

    LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> rulesByMatcher = new LinkedHashMap<>();
    rulesByMatcher.put(AnyRequestMatcher.INSTANCE, channelRule);

    ChannelProcessingFilter channelFilter = new ChannelProcessingFilter();
    channelFilter.setChannelDecisionManager(channelDecisionManager);
    channelFilter.setSecurityMetadataSource(new DefaultFilterInvocationSecurityMetadataSource(rulesByMatcher));
    filters.add(channelFilter);
}
/**
 * Defines the web based security configuration for the SAML SSO scenario: the local password
 * login page is blocked, the start/error/SAML pages are public, and the remaining page paths are
 * mapped to the authentication state or role they require.
 *
 * @param http allows configuring web based security for specific http requests
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic()
            .authenticationEntryPoint(samlEntryPoint())
        .and()
        // NOTE(review): CSRF is disabled for the whole chain, not only for /saml/** — confirm.
        .csrf().disable()
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);

    http.authorizeRequests()
            // Don't offer the local login form when SAML SSO is in charge of authentication.
            .antMatchers(PW_LOGIN_PAGE_PATH).denyAll()
            .antMatchers(START_PAGE_PATH, ERROR_PAGE_PATH, "/saml/**").permitAll()
            .antMatchers(AUTHENTICATED_PAGE_PATH).authenticated()
            .antMatchers(ANONYMOUS_PAGE_PATH).anonymous()
            .antMatchers(USER_ROLE_PAGE_PATH).hasAuthority(RoleId.USER_ROLE_ID.getId())
            .antMatchers(ADMIN_ROLE_PAGE_PATH).hasAuthority(RoleId.ADMIN_ROLE_ID.getId())
            .anyRequest().authenticated();

    http.logout()
            .logoutSuccessUrl("/");
}
/**
 * SAML SSO chain without anonymous authentication. The frame-options header is set to
 * {@code SAMEORIGIN} for every URL that does not contain one of the iframe base paths.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic()
            .authenticationEntryPoint(samlEntryPoint())
        .and()
        .anonymous().disable()
        .csrf().disable()
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);

    // Negative look-ahead: matches any URL that contains neither iframe base path.
    final String outsideIframes =
            "^((?!" + Urls.IFRAME_FI_BASE + "|" + Urls.IFRAME_SV_BASE + ").)*$";
    // NOTE(review): regexMatcher() scopes this entire HttpSecurity (not just the headers()
    // section) to the matching URLs — confirm the iframe URLs are covered by another chain.
    http.regexMatcher(outsideIframes).headers().frameOptions().sameOrigin();
}
/**
 * Defines the web based security configuration: SAML SSO with the root, error and SAML endpoints
 * public, every other request authenticated, and logout returning to the root page.
 *
 * @param http allows configuring web based security for specific http requests
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic()
            .authenticationEntryPoint(samlEntryPoint())
        .and()
        // NOTE(review): CSRF is disabled chain-wide rather than only for /saml/** — confirm.
        .csrf().disable()
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
        .authorizeRequests()
            .antMatchers("/", "/error", "/saml/**").permitAll()
            .anyRequest().authenticated()
        .and()
        .logout()
            .logoutSuccessUrl("/");
}
/**
 * Requires full (non-remember-me) authentication for {@code /api/*} and installs the CORS filter
 * at the front of the chain.
 *
 * @param httpSecurity the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
    // NOTE(review): "/api/*" matches one path segment only (e.g. /api/users but not
    // /api/users/1) and there is no anyRequest() rule, so deeper paths are not covered by this
    // rule — confirm whether "/api/**" was meant.
    httpSecurity.authorizeRequests()
            .antMatchers("/api/*").fullyAuthenticated();
    httpSecurity.addFilterBefore(new CorsConfiguration(), ChannelProcessingFilter.class);
}
/**
 * Form-login chain for the {@code /api/v1} surface: registration and password reset are public,
 * the rest of the API needs authentication, and everything outside it is open. All login,
 * logout, denied and entry-point handling is delegated to {@code authHandler}.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): CSRF protection is disabled while a cookie-session form login is enabled;
    // confirm a token-based scheme covers state-changing requests, or re-enable CSRF.
    http.csrf().disable();
    http.addFilterBefore(simpleCORSFilter(), ChannelProcessingFilter.class);
    http.cors();

    http.authorizeRequests()
            .antMatchers("/api/v1/register/**", "/api/v1/reset/**").permitAll()
            .antMatchers("/api/v1/**").authenticated()
            .anyRequest().permitAll();

    http.formLogin()
            .loginPage("/userloginpage")
            .passwordParameter("password")
            .usernameParameter("username")
            .successHandler(authHandler.successHandler())
            .failureHandler(authHandler.failureHandler())
            .permitAll();

    http.exceptionHandling()
            .accessDeniedHandler(authHandler.accessDeniedHandler())
            .authenticationEntryPoint(authHandler.authenticationEntryPoint());

    http.logout()
            .logoutUrl("/userlogoutpage")
            .logoutSuccessHandler(authHandler.logoutSuccessHandler())
            .permitAll();
}
/**
 * Mixed SAML / form-login chain: the root, error, SAML and CSS paths are public, everything else
 * needs an authenticated user; credentials may also be posted to {@code /authenticate}.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): CSRF protection is disabled although a session-based form login is
    // configured below — confirm that is intended.
    http.csrf().disable();

    http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class);
    http.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);

    http.authorizeRequests()
            .antMatchers("/", "/error", "/saml/**", "/css/**").permitAll()
            .anyRequest().authenticated();

    http.exceptionHandling()
            .accessDeniedHandler(new AccessDeniedHandlerImpl())
            .authenticationEntryPoint(getAuthEntryPoint());

    http.formLogin()
            .loginProcessingUrl("/authenticate")
            .usernameParameter("username")
            .passwordParameter("password")
            .successHandler(new FormAuthSuccessHandler())
            .failureHandler(new SimpleUrlAuthenticationFailureHandler());

    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/")
            .permitAll();
}
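/**
 * Initialises the SAML service-provider side of the security configuration: builds the metadata
 * provider, key manager, SSO profile and authentication provider, then registers the SAML entry
 * point, filters and provider on the given {@link HttpSecurity}.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws IllegalStateException if the HTTP Basic / CSRF part of the configuration fails; the
 *     original exception is attached as the cause. (Previously the stack trace was printed and
 *     the chain was left half-configured.)
 */
@Override
public void init(HttpSecurity http) {
    metadataProvider = identityProvider.metadataProvider();
    ExtendedMetadata extendedMetadata = extendedMetadata(identityProvider.discoveryEnabled);
    extendedMetadataDelegate = extendedMetadataDelegate(extendedMetadata);
    serviceProvider.keyManager = serviceProvider.keyManager();
    cachingMetadataManager = cachingMetadataManager();
    webSSOProfile = new WebSSOProfileImpl(samlProcessor, cachingMetadataManager);
    samlAuthenticationProvider = samlAuthenticationProvider(webSSOProfileConsumer);
    bootstrap();
    SAMLContextProvider contextProvider = contextProvider();
    SAMLEntryPoint samlEntryPoint = samlEntryPoint(contextProvider);
    try {
        http.httpBasic().authenticationEntryPoint(samlEntryPoint);
        CsrfConfigurer<HttpSecurity> csrfConfigurer = http.getConfigurer(CsrfConfigurer.class);
        if (csrfConfigurer != null) {
            // Workaround to get working with Spring Security 3.2: /saml/SSO (presumably the
            // endpoint the identity provider posts the response to) is exempted from the CSRF
            // check, every other request keeps the default CSRF matcher.
            RequestMatcher ssoEndpoint = new AntPathRequestMatcher("/saml/SSO");
            RequestMatcher notSsoEndpoint = new NegatedRequestMatcher(ssoEndpoint);
            RequestMatcher csrfRequired =
                    new AndRequestMatcher(new DefaultRequiresCsrfMatcher(), notSsoEndpoint);
            csrfConfigurer.requireCsrfProtectionMatcher(csrfRequired);
        }
    } catch (Exception e) {
        // Fail fast: a security configuration that could not be applied must not start silently.
        throw new IllegalStateException("Failed to configure HTTP Basic / CSRF for SAML", e);
    }
    http.addFilterBefore(metadataGeneratorFilter(samlEntryPoint, extendedMetadata), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(samlEntryPoint, contextProvider), BasicAuthenticationFilter.class)
        .authenticationProvider(samlAuthenticationProvider);
}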
/**
 * Fully open chain: every request is permitted, anonymous authentication is enabled and a CORS
 * filter runs at the front of the chain.
 *
 * @param httpSecurity the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity.authorizeRequests()
            // The "/hello" rule is subsumed by "/**" below; both permit everyone.
            .antMatchers("/hello").permitAll()
            .antMatchers("/**").permitAll();
    httpSecurity.anonymous();
    httpSecurity.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);
}
/**
 * Adds request logging at the front of the chain and opens {@code /public/**} before applying the
 * inherited configuration.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.addFilterBefore(new LoggingRequestFilter(), ChannelProcessingFilter.class);
    http.authorizeRequests()
            .antMatchers("/public/**").permitAll();
    // The parent supplies the remaining rules; its own matchers are registered after ours.
    super.configure(http);
}
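/**
 * Dashboard chain: browsers (text/html) are redirected to the dashboard login page, other
 * clients get an HTTP Basic challenge; the dashboard assets and a few info endpoints are public
 * and everything else requires an authenticated user. The session id is carried in a header
 * rather than a cookie.
 *
 * <p>Fixes the original body, which called {@code csrf().disable()} twice (the second call was a
 * no-op); the remaining configuration is unchanged.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final RequestMatcher textHtmlMatcher =
            new MediaTypeRequestMatcher(contentNegotiationStrategy, MediaType.TEXT_HTML);
    final String loginPage = dashboard("/#/login");

    final BasicAuthenticationEntryPoint basicAuthenticationEntryPoint =
            new BasicAuthenticationEntryPoint();
    basicAuthenticationEntryPoint.setRealmName(securityProperties.getBasic().getRealm());
    basicAuthenticationEntryPoint.afterPropertiesSet();

    http
        // NOTE(review): CSRF is disabled. That is defensible for the header-carried session
        // (HeaderHttpSessionStrategy below: browsers never attach it automatically), but HTTP
        // Basic is enabled too and browsers do re-send cached Basic credentials — confirm Basic
        // is only used by non-browser clients.
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/").authenticated()
            .antMatchers(dashboard("/**"), "/authenticate", "/security/info", "/features",
                         "/assets/**").permitAll()
        .and()
        .formLogin()
            .loginPage(loginPage)
            .loginProcessingUrl(dashboard("/login"))
            .defaultSuccessUrl(dashboard("/"))
            .permitAll()
        .and()
        .logout()
            .logoutUrl(dashboard("/logout"))
            .logoutSuccessUrl(dashboard("/logout-success.html"))
            .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
            .permitAll()
        .and()
        .httpBasic()
        .and()
        .exceptionHandling()
            // Browsers get the login page, everything else the Basic challenge.
            .defaultAuthenticationEntryPointFor(
                    new LoginUrlAuthenticationEntryPoint(loginPage), textHtmlMatcher)
            .defaultAuthenticationEntryPointFor(
                    basicAuthenticationEntryPoint, AnyRequestMatcher.INSTANCE)
        .and()
        .authorizeRequests()
            .anyRequest().authenticated();

    // Sessions are looked up from a header instead of a cookie.
    final SessionRepositoryFilter<ExpiringSession> sessionRepositoryFilter =
            new SessionRepositoryFilter<ExpiringSession>(sessionRepository());
    sessionRepositoryFilter.setHttpSessionStrategy(new HeaderHttpSessionStrategy());
    http.addFilterBefore(sessionRepositoryFilter, ChannelProcessingFilter.class);

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}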
/**
 * Stateless HTTP Basic chain for the ThesisMarket REST API: the listed resources require an
 * authenticated caller for the listed methods, proposal registrations are restricted to the
 * ADMIN / COORDINATOR roles, and any other request is open.
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Resources whose writes (PUT/POST/DELETE/PATCH) need authentication.
    final String[] writeProtected = {
            "/proposalWithdrawals*/**",
            "/proposalPublications*/**",
            "/comments*/**",
            "/proposals*/**",
            "/proposalSubmissions*/**"
    };
    // Resources whose reads (GET) need authentication.
    // NOTE(review): GET on /proposalWithdrawals*/** is not listed here and therefore falls
    // through to the anyRequest().permitAll() rule — confirm that is intended.
    final String[] readProtected = {
            "/proposalPublications*/**",
            "/comments*/**",
            "/proposals*/**",
            "/proposalSubmissions*/**"
    };

    // The patterns below do not overlap, so the registration order among them is irrelevant;
    // only the final anyRequest() rule has to come last.
    http.authorizeRequests()
            .antMatchers("/users*/**", "/professors*/**", "/students*/**",
                         "/organizations*/**", "/coordinators*/**").authenticated()
            .antMatchers(HttpMethod.GET, readProtected).authenticated()
            .antMatchers(HttpMethod.PUT, writeProtected).authenticated()
            .antMatchers(HttpMethod.POST, writeProtected).authenticated()
            .antMatchers(HttpMethod.DELETE, writeProtected).authenticated()
            .antMatchers(HttpMethod.PATCH, writeProtected).authenticated()
            .antMatchers("/proposalRegistrations*/**").hasAnyRole("ADMIN", "COORDINATOR")
            .anyRequest().permitAll();

    http.httpBasic().realmName("ThesisMarketAPI");
    http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);
    // No session cookie is issued (STATELESS), so CSRF protection is not needed here.
    http.csrf().disable();
}