/**
 * Stateless, token-based HTTP security: no server-side session, CSRF protection switched
 * off, and custom authentication filters placed ahead of the username/password filter.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Credentials travel in headers, not cookies, so the CSRF check is disabled and the
    // session policy is STATELESS (no HttpSession is created or consulted).
    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint);
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Rules are evaluated in declaration order; the first matching rule decides.
    http.authorizeRequests()
            .antMatchers(HttpMethod.POST, formBasedAuthEntry).permitAll()
            .antMatchers(HttpMethod.GET, apiAuthEntry).permitAll()
            .antMatchers(apiAuthEntry).authenticated()
            // hasIpAddress() compares the servlet-level remote address: only the IPv4 loopback
            // literal is accepted (::1 is not), and behind a reverse proxy the remote address is
            // the proxy's unless forwarded-header handling is configured — confirm for this
            // deployment.
            .antMatchers(dbStatusAuthEntry).access("hasIpAddress('127.0.0.1')")
            // Fail-open default: any path not listed above is reachable without authentication.
            .anyRequest().permitAll();

    // Filters are registered in the same order as before; all three processing filters sit
    // in front of UsernamePasswordAuthenticationFilter.
    http.addFilterBefore(corsFilter(), SessionManagementFilter.class);
    http.addFilterBefore(buildDeviceLoginProcessingFilter(),
            UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(),
            UsernamePasswordAuthenticationFilter.class);
    http.addFilterBefore(buildJwtTokenAuthenticationProcessingFilterDbStatus(),
            UsernamePasswordAuthenticationFilter.class);
}
/**
 * Browser-facing security: HTTP Basic login, a handful of public paths, and a CSRF token
 * handed to the JavaScript client through the configured token repository.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http.httpBasic();
    http.logout();
    http.authorizeRequests()
            // Public pages plus the monitoring streams and the health-check JSON.
            // NOTE(review): these monitoring endpoints are reachable unauthenticated — confirm
            // they expose nothing that should stay internal.
            .antMatchers("/index.html", "/login", "/", "/hystrix.stream", "/turbine.stream",
                    "/epicfail", "/admin/json/healthchecks.json").permitAll()
            .anyRequest().authenticated();
    // The CSRF token repository supplies the token; csrfHeaderFilter() is registered right
    // after SessionManagementFilter, as in the original ordering.
    http.csrf().csrfTokenRepository(csrfTokenRepository());
    http.addFilterAfter(csrfHeaderFilter(), SessionManagementFilter.class);
    // @formatter:on
}
/**
 * HTTP Basic security with a set of public endpoints, an explicit logout URL and
 * cookie-based CSRF handling through {@code CsrfHeaderFilter}.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic();
    http.authorizeRequests()
            .antMatchers("/turbine.stream").permitAll()
            .antMatchers("/test").permitAll()
            // NOTE(review): "/service/**" opens a whole prefix without authentication — confirm
            // every endpoint beneath it is intended to be public.
            .antMatchers("/service/**").permitAll()
            .antMatchers("/api/user").permitAll()
            // With Spring's Ant-style matching the trailing "/" is significant: a request
            // without it does not match here and falls through to the authenticated() rule.
            .antMatchers("/api/user-activation/activate/*/").permitAll()
            .anyRequest().authenticated();
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login?logout");
    // Same filter position as before: directly after SessionManagementFilter.
    http.addFilterAfter(new CsrfHeaderFilter(), SessionManagementFilter.class);
    http.csrf().csrfTokenRepository(csrfTokenRepository());
}
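/**
 * Security for the management REST API (paths matching {@code /rest.*} and
 * {@code /system/admin.*}): stateless, HTTP Basic with a configured realm, an optional
 * HTTPS requirement, and a custom user-authentication filter reached through a delegating
 * wrapper.
 *
 * <p>Fix: the {@code SYSTEM_ADMIN} rule for the admin mapping is now declared before
 * {@code anyRequest()}. Authorization rules are evaluated in declaration order, so with
 * {@code anyRequest().authenticated()} first the admin rule could never be reached (newer
 * Spring Security versions reject matchers added after {@code anyRequest()} at startup).
 *
 * @param http the builder to configure
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    final BasicAuthenticationEntryPoint basicAuthEntryPoint = new BasicAuthenticationEntryPoint();
    basicAuthEntryPoint.setRealmName(springSecurityProperties.getBasic().getRealm());

    // Restrict this configuration to the REST and system-admin paths. CSRF is disabled
    // because the API is authenticated statelessly rather than through a browser session.
    HttpSecurity httpSec = http.regexMatcher("\\/rest.*|\\/system/admin.*").csrf().disable();
    if (springSecurityProperties.isRequireSsl()) {
        httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
    }

    // NOTE(review): the anonymous wrapper delegates every call to userAuthenticationFilter;
    // presumably this avoids the container registering that filter bean a second time —
    // confirm before simplifying.
    httpSec.addFilterBefore(new Filter() {
        @Override
        public void init(final FilterConfig filterConfig) throws ServletException {
            userAuthenticationFilter.init(filterConfig);
        }

        @Override
        public void doFilter(final ServletRequest request, final ServletResponse response,
                final FilterChain chain) throws IOException, ServletException {
            userAuthenticationFilter.doFilter(request, response, chain);
        }

        @Override
        public void destroy() {
            userAuthenticationFilter.destroy();
        }
    }, RequestHeaderAuthenticationFilter.class)
            .addFilterAfter(new AuthenticationSuccessTenantMetadataCreationFilter(systemManagement,
                    systemSecurityContext), SessionManagementFilter.class)
            .authorizeRequests()
            // Most specific rule first: the admin mapping needs SYSTEM_ADMIN, everything
            // else under this matcher merely needs to be authenticated.
            .antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**")
            .hasAnyAuthority(SpPermission.SYSTEM_ADMIN)
            .anyRequest().authenticated();

    httpSec.httpBasic();
    httpSec.exceptionHandling().authenticationEntryPoint(basicAuthEntryPoint);
    // No anonymous principal: an unauthenticated request has no Authentication at all.
    httpSec.anonymous().disable();
    httpSec.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}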
/**
 * Form-login security for the web UI: HTTP Basic off, cookie-based CSRF token, custom
 * login/logout pages, static resources and sign-up open to everyone, everything else
 * fully authenticated.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic().disable();
    http.csrf().csrfTokenRepository(csrfTokenRepository());

    // NOTE(review): URL rewriting puts the session id into URLs (";jsessionid=…"), where it
    // can leak through logs, Referer headers and bookmarks. Kept as configured; confirm a
    // cookie-less client really depends on it.
    http.sessionManagement().enableSessionUrlRewriting(true);

    http.formLogin()
            .usernameParameter(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_USERNAME_KEY)
            .passwordParameter(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_PASSWORD_KEY)
            .loginProcessingUrl("/j_spring_security_check")
            .loginPage(LOG_IN_URL_PAGE)
            .defaultSuccessUrl(DEFAULT_TARGET_URL_PAGE)
            .failureUrl(AUTHENTICATION_FAILURE_URL_PAGE);

    http.logout()
            .logoutUrl(LOG_OUT_URL_PAGE)
            .logoutSuccessUrl(LOG_OUT_SUCCESS_URL)
            .invalidateHttpSession(true);

    http.authorizeRequests()
            .antMatchers(LOG_IN_URL_PAGE, LOG_OUT_URL_PAGE, "/css/**", "/js/**", "/img/**",
                    "/**/favicon.ico", "/webjars/**", "/signup").permitAll()
            // "/**" already covers every remaining request, so the anyRequest() rule after
            // it is never consulted; it is kept to preserve the original declaration.
            .antMatchers("/**").fullyAuthenticated()
            .anyRequest().authenticated();

    http.addFilterAfter(csrfHeaderFilter(), SessionManagementFilter.class);
}
/**
 * Security for the LAP web UI: HTTP Basic with a custom 401 entry point, public feature
 * and login endpoints, authenticated admin/history/pipeline areas, a logout that clears
 * the tenant cookie, and cookie-based CSRF handling.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Entry point named for answering 401 without a WWW-Authenticate header (so browsers
    // don't show their own Basic-auth dialog) — verify against that class.
    http.httpBasic()
            .authenticationEntryPoint(new NoWWWAuthenticate401ResponseEntryPoint("lap"));

    http.authorizeRequests()
            .antMatchers("/features/**", "/", "/login", "/user").permitAll()
            .antMatchers("/admin/**", "/history/**", "/pipelines/**").authenticated();

    http.logout()
            .invalidateHttpSession(true)
            .deleteCookies("X-LAP-TENANT");

    http.csrf().csrfTokenRepository(csrfTokenRepository());

    // TODO revisit after updating to Spring Security 4.1.
    // The header filter is registered after SessionManagementFilter instead of CsrfFilter:
    // two session tokens were generated (one before login, one after) and the CSRF token was
    // not refreshed with the second one, which broke logout as a side effect. Anchoring on
    // SessionManagementFilter is the current workaround.
    // See https://github.com/dsyer/spring-security-angular/issues/15
    // Original intent: http.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    http.addFilterAfter(csrfHeaderFilter(), SessionManagementFilter.class);
}
/**
 * Builds the {@link SessionManagementFilter} bean from the injected context repository and
 * session-authentication strategy.
 *
 * @param securityContextRepository where the filter loads/stores the security context
 * @param sessionAuthenticationStrategy strategy applied when a new authentication is seen
 * @return a filter wired to the two collaborators
 */
@Bean
public SessionManagementFilter sessionManagementFilter(
        SecurityContextRepository securityContextRepository,
        SessionAuthenticationStrategy sessionAuthenticationStrategy) {
    final SessionManagementFilter filter =
            new SessionManagementFilter(securityContextRepository, sessionAuthenticationStrategy);
    return filter;
}
/**
 * Main HTTP security configuration: HTTP Basic with a redirecting entry point, persistent
 * remember-me, role-based authorization for the API, logout, cookie-based CSRF, a reCAPTCHA
 * filter ahead of Basic authentication, a Content-Security-Policy and a Referrer-Policy
 * header.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic()
            .authenticationEntryPoint(new RedirectAuthenticationEntryPoint());

    // NOTE(review): the remember-me key is a literal in source; it is part of the token
    // signature, so anyone with the source shares it. Consider moving it to configuration.
    http.rememberMe()
            .userDetailsService(userDetailsService)
            .key("steam")
            .useSecureCookie(true)
            .tokenValiditySeconds(25000);

    // NOTE(review): "{\\d+}" is parsed by the Ant matcher as a path variable *named* \d+,
    // which matches any single segment, not only digits; "{id:\\d+}" is presumably what was
    // meant. As written the restrictive rules simply match more paths, i.e. the safe direction.
    final String[] staff = {"ROLE_ADMIN", "ROLE_ENGINEER", "ROLE_BOSS"};
    http.authorizeRequests()
            .antMatchers("/index.html", "/", "/login", "/javascript/**", "/fonts/**",
                    "/stylesheets/**", "/images/**", "/api/currency-rate", "/favicon.ico")
            .permitAll()
            .antMatchers(HttpMethod.GET, "/attention").hasAnyAuthority(staff)
            .antMatchers(HttpMethod.GET, "/delay").hasAnyAuthority(staff)
            .antMatchers(HttpMethod.POST, "/api/cheques/{\\d+}/diagnostics").hasAnyAuthority(staff)
            .antMatchers(HttpMethod.DELETE, "/api/cheques/{\\d+}/diagnostics/{\\d+}").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.DELETE, "/api/cheques/{\\d+}/notes/{\\d+}").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.DELETE, "/api/cheques/{\\d+}").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.DELETE, "/api/photo/{\\d+}/{\\d+}").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.GET, "/api/currency-rate-list").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.POST, "/api/currency-rate").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.POST, "/api/user").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.DELETE, "/api/user/{\\d+}").hasAuthority("ROLE_ADMIN")
            .anyRequest().authenticated();

    http.logout()
            .logoutSuccessUrl("/")
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID");

    http.csrf().csrfTokenRepository(csrfTokenRepository());
    http.addFilterAfter(csrfHeaderFilter(), SessionManagementFilter.class);
    http.addFilterBefore(new ReCaptchaAuthFilter(reCaptchaProperties), BasicAuthenticationFilter.class);

    // NOTE(review): "default-src https:" allows any HTTPS origin as the fallback source, and
    // ws://127.0.0.1:35729 looks like a local live-reload endpoint — confirm both are
    // intended in the production policy.
    final String csp = "default-src https: 'self'; "
            + "object-src 'none'; "
            + "script-src 'self' https://www.google.com https://www.gstatic.com; "
            + "style-src 'self' 'unsafe-inline'; "
            + "img-src 'self' data:; "
            + "connect-src 'self' ws://127.0.0.1:35729";
    http.headers()
            .contentSecurityPolicy(csp)
            .and()
            .addHeaderWriter(new StaticHeadersWriter("Referrer-Policy", "no-referrer-when-downgrade"));
}
/**
 * Appends a {@link SessionManagementFilter} backed by {@code contextRepository} to the end
 * of {@code filters}.
 *
 * @param filters the mutable filter list being assembled (modified in place)
 * @param contextRepository repository the new filter reads the security context from
 */
private void addSessionManagementFilter(List<Filter> filters,
        SecurityContextRepository contextRepository) {
    filters.add(new SessionManagementFilter(contextRepository));
}
/**
 * CSRF setup: exempts {@code /users/current} from the token check and registers the token
 * filter directly after {@link SessionManagementFilter}.
 *
 * <p>NOTE(review): the exemption applies to every HTTP method on that path; confirm the
 * endpoint is read-only, since a state-changing request there would be unprotected.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the Spring Security builder
 */
private void csrf(HttpSecurity http) throws Exception {
    http.csrf().ignoringAntMatchers("/users/current");
    http.addFilterAfter(csrfTokenFilter(), SessionManagementFilter.class);
}