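@Override
protected void configure(HttpSecurity http) throws Exception {
    // Only /game/** and /app/** require an authenticated principal. No anyRequest()
    // rule follows, so any other path is not constrained by this configuration —
    // NOTE(review): confirm that is intended.
    http.authorizeRequests()
            .antMatchers("/game/**", "/app/**").authenticated();

    // Do not remember the pre-login request: after login the user lands on the
    // default target instead of being replayed to a saved URL.
    http.requestCache().requestCache(new NullRequestCache());

    // Logout: invalidate the server-side session and tell the browser to drop the
    // session cookie. A bare deleteCookies() with no names clears nothing, so the
    // cookie is named explicitly here (assumes the container default name; adjust
    // if the session cookie name is customised).
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/")
            .deleteCookies("JSESSIONID")
            .invalidateHttpSession(true);

    // Create an HTTP session only when something actually needs one.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);

    // Project-specific configurer, defined elsewhere in this class.
    http.apply(securityConfigurer());
}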
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Stateless JWT API: CSRF protection is switched off. That is only safe while the
    // token travels in a request header, not in a cookie the browser attaches on its own.
    http.csrf().disable();

    // Paths reachable without a principal: the root, the static front-end assets, and the
    // login POST. NOTE(review): /swagger/** is public too — decide whether that should
    // stay reachable in production.
    http.authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/bootstrap-3.3.7-dist/**", "/bootstrap-switch-master/**").permitAll()
            .antMatchers("/bootstrap-table/**", "/Font-Awesome-3.2.1/**", "/favicon.ico").permitAll()
            .antMatchers("/images/**", "/css/**", "/js/**", "/laydate/**", "/nprogress/**").permitAll()
            .antMatchers("/swagger/**", "/theme/**", "/webuploader/**", "/jquery-i18n-properties/**").permitAll()
            // Only the POST to /login is open; any other method on /login falls under the catch-all.
            .antMatchers(HttpMethod.POST, "/login").permitAll()
            // Everything else needs an authenticated principal.
            .anyRequest().authenticated();

    // Project filters, registered in this order ahead of the form-login filter: the
    // login filter (presumably issues the token) and the token-checking filter.
    http.addFilterBefore(new JWTLoginFilter("/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

    // No saved-request replay and no HTTP session: every request carries its own credentials.
    http.requestCache().requestCache(new NullRequestCache());
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Registration and CORS pre-flight (OPTIONS on any path) are open; everything else
    // requires a principal supplied through HTTP Basic.
    http.authorizeRequests()
            .antMatchers("/api/register").permitAll()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .anyRequest().authenticated();

    // No saved-request replay after authentication.
    http.requestCache().requestCache(new NullRequestCache());

    http.httpBasic();

    // NOTE(review): CSRF is disabled while the session-creation policy is left at its
    // default, so a browser that has obtained a session cookie can be driven cross-site
    // against this API. If clients send Basic credentials on every call, a STATELESS
    // session policy would close that gap — confirm with the API's clients.
    http.csrf().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Stateless JWT API: CSRF is off. That is only safe while the token is sent in a
    // header rather than a cookie the browser attaches on its own. Frame options are
    // left at the framework default here.
    http.csrf().disable();

    // Paths reachable without a principal: root, the batch identify endpoint, and the
    // static front-end assets. NOTE(review): /v1/batch/identify and /swagger/** are
    // open to anyone — confirm both are meant to be public.
    String[] publicPaths = {
            "/",
            "/v1/batch/identify",
            "/bootstrap-3.3.7-dist/**", "/bootstrap-switch-master/**",
            "/bootstrap-table/**", "/Font-Awesome-3.2.1/**", "/favicon.ico",
            "/images/**", "/css/**", "/js/**", "/laydate/**", "/nprogress/**",
            "/swagger/**", "/theme/**", "/webuploader/**", "/jquery-i18n-properties/**"
    };
    http.authorizeRequests()
            .antMatchers(publicPaths).permitAll()
            // Only the POST to /login is open; any other method on /login falls under the catch-all.
            .antMatchers(HttpMethod.POST, "/login").permitAll()
            .anyRequest().authenticated();

    // Project filters, registered in this order ahead of the form-login filter.
    http.addFilterBefore(new JWTLoginFilter("/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class)
        .addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

    // No saved-request replay and no HTTP session at all.
    http.requestCache().requestCache(new NullRequestCache());
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Post-login redirect: honours the "url" request parameter, otherwise "/".
    // NOTE(review): nothing here limits that parameter to this host, and
    // DefaultRedirectStrategy follows an absolute "url" value as given, so
    // /login?url=https://attacker.example becomes an open redirect after a successful
    // login. Constrain the value to a relative path before trusting it.
    SimpleUrlAuthenticationSuccessHandler loginSuccess = new SimpleUrlAuthenticationSuccessHandler("/");
    loginSuccess.setUseReferer(false);
    loginSuccess.setTargetUrlParameter("url");
    loginSuccess.setRedirectStrategy(new DefaultRedirectStrategy());

    // Post-logout redirect follows the Referer header when one is present.
    SimpleUrlLogoutSuccessHandler logoutSuccess = new SimpleUrlLogoutSuccessHandler();
    logoutSuccess.setUseReferer(true);

    // Only the CKFinder servlet path carries an explicit rule; no anyRequest() rule
    // follows, so every other path is left unconstrained by this configuration.
    http.authorizeRequests()
            .antMatchers(ckfinder.getServlet().getPath()).hasAnyRole("ADMIN");

    // NOTE(review): CSRF is disabled on a session-based form login with remember-me,
    // so state-changing POSTs — and /logout.html, which is then accepted on GET —
    // can be triggered cross-site.
    http.csrf().disable();

    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint());

    // Custom form field names and project-supplied failure handler.
    http.formLogin()
            .loginPage("/login")
            .usernameParameter("user_id1")
            .passwordParameter("password1")
            .successHandler(loginSuccess)
            .failureHandler(failureHandler())
            .permitAll();

    // Cache-Control and HSTS headers are switched off (NOTE(review): without HSTS a
    // first visit over plain HTTP is never upgraded); framing allowed from the same origin.
    http.headers()
            .cacheControl().disable()
            .httpStrictTransportSecurity().disable()
            .frameOptions().sameOrigin();

    http.logout()
            .logoutUrl("/logout.html")
            .logoutSuccessHandler(logoutSuccess)
            .permitAll();

    // Persistent remember-me tokens, stored in the injected repository.
    http.rememberMe()
            .rememberMeParameter("rememberMe")
            .tokenRepository(persistentTokenRepository);

    // No saved-request replay; expose the Servlet API security methods.
    http.requestCache().requestCache(new NullRequestCache());
    http.servletApi();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**");

    // Public: root, the login endpoint(s) and webjars; everything else needs a principal.
    // NOTE(review): "/login**" and "/webjars**" have no "/" before the "**", so each
    // matches a single path segment only (e.g. "/webjars/x/y.js" would not match).
    // Verify that is intended; "/webjars/**" is the usual form.
    http.authorizeRequests()
            .antMatchers("/", "/login**", "/webjars**").permitAll()
            .anyRequest().authenticated();

    // Default entry point kept (a LoginUrlAuthenticationEntryPoint variant was left commented out).
    http.exceptionHandling();

    http.logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/")
            .permitAll();

    // CSRF token lives in a cookie readable by JavaScript so the front end can echo it back.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    // Project SSO filter, placed in the slot ahead of digest authentication.
    http.addFilterBefore(this.ssoFilter(), DigestAuthenticationFilter.class);

    // NOTE(review): HSTS is disabled, so nothing upgrades a plain-HTTP first visit.
    http.headers().httpStrictTransportSecurity().disable();

    http.requestCache().requestCache(new NullRequestCache());
}
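@Override
protected void configure(HttpSecurity http) throws Exception {
    // Public paths: registration, password reset, built assets, /console/** and /test**.
    // NOTE(review): /console/** and /test** are reachable by anyone; if /console is a
    // database console or /test a debug endpoint, keep them out of production builds.
    http.authorizeRequests()
            .antMatchers("/register/**", "/forgot-password/**", "/dist/**", "/console/**", "/test**").permitAll()
            .anyRequest().authenticated();

    http.formLogin()
            .loginPage("/login")
            .defaultSuccessUrl("/dashboard")
            .permitAll();
    http.logout().permitAll();

    // No saved-request replay after login.
    http.requestCache().requestCache(new NullRequestCache());

    // Session fixation protection was switched off (sessionFixation().none()), which
    // lets a session id planted before login survive authentication. migrateSession()
    // issues a fresh id on login and copies the session attributes across, so the rest
    // of the application sees the same session contents. (If none() was chosen for a
    // specific session store, revisit this — TODO confirm.)
    http.sessionManagement().sessionFixation().migrateSession();

    // NOTE(review): CSRF is disabled on a session-based form login, so state-changing
    // requests — and /logout, which permitAll() opens and is then accepted on GET —
    // can be triggered cross-site.
    http.csrf().disable();

    // Clickjacking protection is off entirely; if framing is only needed for an
    // embedded console, frameOptions().sameOrigin() is the narrower setting.
    http.headers().frameOptions().disable();
}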
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Every request needs an authenticated principal, supplied via HTTP Basic. The
    // pre-authentication request is not cached, so there is no post-login replay.
    // CSRF protection is left at its default (enabled): state-changing calls must
    // carry the token even when they authenticate with Basic credentials.
    http.authorizeRequests().anyRequest().authenticated();
    http.requestCache().requestCache(new NullRequestCache());
    http.httpBasic();
}
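/**
 * HTTP Security configuration.
 *
 * <pre>&lt;http auto-config="true"&gt;</pre> is equivalent to:
 * <pre>
 * &lt;http&gt;
 *   &lt;form-login /&gt;
 *   &lt;http-basic /&gt;
 *   &lt;logout /&gt;
 * &lt;/http&gt;
 * </pre>
 *
 * Which is equivalent to the following JavaConfig:
 *
 * <pre>
 * http.formLogin()
 *     .and().httpBasic()
 *     .and().logout();
 * </pre>
 *
 * Rule order matters: the first matching antMatchers() entry wins, so the public
 * paths come first, the admin paths next, and the "/**" catch-all last.
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 *
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *      Spring Security 3 to 4 migration</a>
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Matching
    http.authorizeRequests()
            // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
            .antMatchers("/admin/h2/**").permitAll()
            .antMatchers("/", "/favicon*").permitAll()
            .antMatchers("/login/*").permitAll()
            .antMatchers("/logout").permitAll()
            .antMatchers("/signin/**").permitAll()
            .antMatchers("/signup/*").permitAll()
            .antMatchers("/errors/**").permitAll()
            // "/admin/**" rather than "/admin/*": the single-star form matched one path
            // segment only, so a nested admin URL (e.g. /admin/users/42) fell through to
            // the "/**" USER rule below. Requires the ADMIN role *and* a full login — a
            // remember-me authentication is not enough.
            .antMatchers("/admin/**").access("hasRole('ADMIN') and isFullyAuthenticated()")
            // Exact path only; "/events" and "/events/123" fall through to the USER rule.
            .antMatchers("/events/").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");

    // No saved-request replay; sessions created only when needed.
    http.requestCache().requestCache(new NullRequestCache());
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);

    // Login
    http.formLogin()
            .loginPage("/login/form")
            .loginProcessingUrl("/login")
            .failureUrl("/login/form?error")
            .usernameParameter("username")
            .passwordParameter("password")
            .defaultSuccessUrl("/default", true)
            .permitAll();

    // Logout: invalidate the session and drop the session cookie.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
            .permitAll();

    // Anonymous
    http.anonymous();

    // CSRF is enabled by default, with Java Config. NOTE(review): disabling it on a
    // session-based form login leaves state-changing requests (and GET /logout)
    // open to cross-site triggering.
    http.csrf().disable();

    // Exception Handling
    http.exceptionHandling()
            .accessDeniedPage("/errors/403")
    ;

    // Enable <frameset> in order to use H2 web console (ties in with the FIXME above;
    // frameOptions().sameOrigin() is the narrower choice if framing must stay on).
    http.headers().frameOptions().disable();
}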
@Override
protected void configure(HttpSecurity http) throws Exception {
    /*
     * Keep this method hand-formatted (one security feature per statement, its
     * settings chained beneath it); do not let the IDE reflow it.
     */

    // /api/session (login) and the H2 console are open; the rest of /api/** needs a
    // principal. No anyRequest() rule follows, so paths outside /api/** are not
    // constrained here. NOTE(review): /h2-console/** is public — do not ship it enabled.
    http.authorizeRequests()
            .antMatchers("/api/session").permitAll()
            .antMatchers("/h2-console/**").permitAll()
            .antMatchers("/api/**").authenticated();

    // Framing allowed from anywhere so the H2 console UI works; sameOrigin() is
    // usually enough for that.
    http.headers().frameOptions().disable();

    http.requestCache().requestCache(new NullRequestCache());
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);

    // Remember-me backed by the project-supplied services and the configured key.
    http.rememberMe()
            .rememberMeServices(rememberMeServices())
            .key(oSoonProperties.getRememberMeKey());

    // NOTE(review): CSRF is disabled on a cookie-based session, so the API can be
    // driven cross-site by any browser that holds the session cookie.
    http.csrf().disable();

    // Logout is DELETE /api/session (method and URI compared case-insensitively);
    // afterwards clear the authentication and drop the configured cookie.
    http.logout()
            .logoutRequestMatcher(req -> req.getMethod().equalsIgnoreCase("DELETE")
                    && req.getRequestURI().equalsIgnoreCase("/api/session"))
            .logoutSuccessUrl("/")
            .clearAuthentication(true)
            .deleteCookies(oSoonProperties.getCookieName());

    // Project filter placed ahead of Spring's own remember-me filter.
    http.addFilterBefore(rememberMeAuthenticationFilter(), RememberMeAuthenticationFilter.class);
}
/**
 * Injects the access-control policy into Spring Security: which paths and HTTP
 * methods clients may reach, and how they log in and out.
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // CSRF tokens are switched off: the default token hand-off has no easy channel
    // to a mobile client. NOTE(review): the session cookie still makes this API
    // CSRF-able from a browser; re-enable tokens (or go stateless) before a browser
    // front end uses it. The original notes a later iteration addresses this.
    http.csrf().disable();

    // Do not remember the pre-login request; there is nothing to replay for an API client.
    http.requestCache().requestCache(new NullRequestCache());

    // Login: POST to the API's login path (in place of Spring's default
    // "j_security_check"). On success answer without a 302 so the client simply
    // receives its session cookie. The login URL itself is open to everyone.
    http.formLogin()
            .loginProcessingUrl(VideoSvcApi.LOGIN_PATH)
            .successHandler(NO_REDIRECT_SUCCESS_HANDLER)
            .permitAll();

    // Logout: same idea, with a JSON response instead of a redirect. Open to everyone.
    http.logout()
            .logoutUrl(VideoSvcApi.LOGOUT_PATH)
            .logoutSuccessHandler(JSON_LOGOUT_SUCCESS_HANDLER)
            .permitAll();

    // Every other URL requires an authenticated principal. Per-path role rules
    // (e.g. antMatchers(HttpMethod.POST, "/video").hasRole("user")) would go ahead of this.
    http.authorizeRequests().anyRequest().authenticated();
}