/**
 * Builds the {@code /jwt/**} filter chain: the session policy is stateless, the
 * {@code jwt()} configurer is applied, and login/logout answer with status codes
 * instead of redirects.
 *
 * <p>The {@code ONE}/{@code TWO} role expressions look like a test or sample
 * fixture — confirm before reusing this chain in a deployment.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected final void configure(HttpSecurity http) throws Exception {
    // No HTTP session is created or consulted; the token carries the principal.
    http.sessionManagement().sessionCreationPolicy(STATELESS);
    http.apply(jwt());

    NoRedirectAuthenticationSuccessHandler loginHandler = new NoRedirectAuthenticationSuccessHandler();
    HttpStatusReturningLogoutSuccessHandler logoutHandler = new HttpStatusReturningLogoutSuccessHandler();
    Http403ForbiddenEntryPoint entryPoint = new Http403ForbiddenEntryPoint();

    http.antMatcher("/jwt/**")
        // CSRF protection is switched off for this chain; with a stateless
        // policy there is no session cookie for a cross-site request to reuse.
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/jwt/one").access("hasRole('ONE')")
            .antMatchers("/jwt/two").access("hasRole('TWO')")
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .successHandler(loginHandler)
            .loginPage("/jwt/signIn")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/jwt/signOut")
            .logoutSuccessHandler(logoutHandler)
            .and()
        // Unauthenticated requests receive a bare 403 rather than a login redirect.
        .exceptionHandling().authenticationEntryPoint(entryPoint);
}
/**
 * Builds the REST filter chain: the landing/login pages and static resources are
 * public, everything else needs HTTP Basic credentials, and logout answers with a
 * status code, invalidates the session and drops the {@code JSESSIONID} cookie.
 *
 * <p>CSRF protection is active only when the profile named by
 * {@code MetronRestConstants.CSRF_ENABLE_PROFILE} is among the active profiles;
 * otherwise it is disabled for the whole chain.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    String[] publicPaths = {
        "/", "/home", "/login",
        "/app/**", "/vendor/**", "/fonts/**", "/assets/images/**",
        "/*.js", "/*.ttf", "/*.woff2"
    };

    http.authorizeRequests()
        .antMatchers(publicPaths).permitAll()
        .anyRequest().authenticated();
    http.httpBasic();
    http.logout()
        .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
        .invalidateHttpSession(true)
        .deleteCookies("JSESSIONID");

    boolean csrfProfileActive = Arrays.asList(environment.getActiveProfiles())
        .contains(MetronRestConstants.CSRF_ENABLE_PROFILE);
    if (csrfProfileActive) {
        // The token cookie is readable by script so the browser client can
        // echo it back in a request header.
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    } else {
        http.csrf().disable();
    }
}
/**
 * Builds the authorization-server chain: {@code /oauth/authorize} requires an
 * authenticated user, form login and remember-me are enabled, at most ten
 * concurrent sessions per principal are tracked, and Spring Social is applied.
 *
 * <p>CSRF protection is disabled for the whole chain; see the note on the
 * {@code csrf()} call below.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/oauth/authorize").authenticated();

    http.formLogin().permitAll()
        .loginPage("/login")
        .loginProcessingUrl("/auth/login")
        .failureUrl("/login?error");

    http.rememberMe()
        .rememberMeParameter("remember-me")
        .rememberMeServices(rememberMeServices);

    http.logout()
        .invalidateHttpSession(true)
        .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
        .logoutUrl("/auth/logout")
        .permitAll();

    // Allow framing only from the same origin (clickjacking protection stays on).
    http.headers().frameOptions().sameOrigin();

    http.sessionManagement()
        .maximumSessions(10)
        .sessionRegistry(sessionRegistry)
        .and()
        .sessionCreationPolicy(SessionCreationPolicy.ALWAYS);

    // NOTE(review): the matcher configured here is discarded by the following
    // disable() — CSRF protection is off for every request in this chain,
    // including /oauth/authorize. Confirm that is the intent; if the goal was
    // to protect only /oauth/authorize, drop the disable() instead.
    http.csrf()
        .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))
        .disable();

    http.cors();
    http.apply(new SpringSocialConfigurer());
}
/**
 * Builds the {@code /stormpath/**} filter chain with form login and logout
 * endpoints that reply with status codes rather than redirects.
 *
 * <p>The {@code ONE}/{@code TWO} role expressions look like a test or sample
 * fixture — confirm before reusing this chain in a deployment.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected final void configure(HttpSecurity http) throws Exception {
    NoRedirectAuthenticationSuccessHandler loginHandler = new NoRedirectAuthenticationSuccessHandler();
    HttpStatusReturningLogoutSuccessHandler logoutHandler = new HttpStatusReturningLogoutSuccessHandler();
    Http403ForbiddenEntryPoint entryPoint = new Http403ForbiddenEntryPoint();

    http.antMatcher("/stormpath/**")
        // CSRF protection is switched off for this chain.
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/stormpath/one").access("hasRole('ONE')")
            .antMatchers("/stormpath/two").access("hasRole('TWO')")
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .successHandler(loginHandler)
            .loginPage("/stormpath/signIn")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/stormpath/signOut")
            .logoutSuccessHandler(logoutHandler)
            .and()
        // Unauthenticated requests receive a bare 403 rather than a login redirect.
        .exceptionHandling().authenticationEntryPoint(entryPoint);
}
/**
 * Builds the {@code /all/**} filter chain: the {@code jwt()} configurer is
 * applied and login/logout answer with status codes instead of redirects.
 *
 * <p>The {@code ONE}/{@code TWO} role expressions look like a test or sample
 * fixture — confirm before reusing this chain in a deployment.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected final void configure(HttpSecurity http) throws Exception {
    http.apply(jwt());

    NoRedirectAuthenticationSuccessHandler loginHandler = new NoRedirectAuthenticationSuccessHandler();
    HttpStatusReturningLogoutSuccessHandler logoutHandler = new HttpStatusReturningLogoutSuccessHandler();
    Http403ForbiddenEntryPoint entryPoint = new Http403ForbiddenEntryPoint();

    http.antMatcher("/all/**")
        // CSRF protection is switched off for this chain.
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/all/one").access("hasRole('ONE')")
            .antMatchers("/all/two").access("hasRole('TWO')")
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .successHandler(loginHandler)
            .loginPage("/all/signIn")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/all/signOut")
            .logoutSuccessHandler(logoutHandler)
            .and()
        // Unauthenticated requests receive a bare 403 rather than a login redirect.
        .exceptionHandling().authenticationEntryPoint(entryPoint);
}
/**
 * Builds the {@code /all/**} filter chain with form login and logout endpoints
 * that reply with status codes rather than redirects.
 *
 * <p>The {@code ONE}/{@code TWO} role expressions look like a test or sample
 * fixture — confirm before reusing this chain in a deployment.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected final void configure(HttpSecurity http) throws Exception {
    NoRedirectAuthenticationSuccessHandler loginHandler = new NoRedirectAuthenticationSuccessHandler();
    HttpStatusReturningLogoutSuccessHandler logoutHandler = new HttpStatusReturningLogoutSuccessHandler();
    Http403ForbiddenEntryPoint entryPoint = new Http403ForbiddenEntryPoint();

    http.antMatcher("/all/**")
        // CSRF protection is switched off for this chain.
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/all/one").access("hasRole('ONE')")
            .antMatchers("/all/two").access("hasRole('TWO')")
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .successHandler(loginHandler)
            .loginPage("/all/signIn")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/all/signOut")
            .logoutSuccessHandler(logoutHandler)
            .and()
        // Unauthenticated requests receive a bare 403 rather than a login redirect.
        .exceptionHandling().authenticationEntryPoint(entryPoint);
}
/**
 * Builds the {@code /normal/**} filter chain: every request must be
 * authenticated; login and logout reply with status codes, not redirects.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected final void configure(HttpSecurity http) throws Exception {
    NoRedirectAuthenticationSuccessHandler loginHandler = new NoRedirectAuthenticationSuccessHandler();
    HttpStatusReturningLogoutSuccessHandler logoutHandler = new HttpStatusReturningLogoutSuccessHandler();
    Http403ForbiddenEntryPoint entryPoint = new Http403ForbiddenEntryPoint();

    http.antMatcher("/normal/**")
        // CSRF protection is switched off for this chain.
        .csrf().disable()
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .successHandler(loginHandler)
            .loginPage("/normal/signIn")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/normal/signOut")
            .logoutSuccessHandler(logoutHandler)
            .and()
        // Unauthenticated requests receive a bare 403 rather than a login redirect.
        .exceptionHandling().authenticationEntryPoint(entryPoint);
}
/**
 * Builds the {@code /jwt/**} filter chain with a stateless session policy;
 * login and logout reply with status codes instead of redirects.
 *
 * <p>The {@code ONE}/{@code TWO} role expressions look like a test or sample
 * fixture — confirm before reusing this chain in a deployment.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected final void configure(HttpSecurity http) throws Exception {
    // No HTTP session is created or consulted for this chain.
    http.sessionManagement().sessionCreationPolicy(STATELESS);

    NoRedirectAuthenticationSuccessHandler loginHandler = new NoRedirectAuthenticationSuccessHandler();
    HttpStatusReturningLogoutSuccessHandler logoutHandler = new HttpStatusReturningLogoutSuccessHandler();
    Http403ForbiddenEntryPoint entryPoint = new Http403ForbiddenEntryPoint();

    http.antMatcher("/jwt/**")
        // CSRF protection is switched off for this chain; with a stateless
        // policy there is no session cookie for a cross-site request to reuse.
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/jwt/one").access("hasRole('ONE')")
            .antMatchers("/jwt/two").access("hasRole('TWO')")
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .successHandler(loginHandler)
            .loginPage("/jwt/signIn")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/jwt/signOut")
            .logoutSuccessHandler(logoutHandler)
            .and()
        // Unauthenticated requests receive a bare 403 rather than a login redirect.
        .exceptionHandling().authenticationEntryPoint(entryPoint);
}
/**
 * Builds the {@code /custom/**} filter chain: the {@code jwt()} configurer is
 * applied, every request must be authenticated, and login/logout reply with
 * status codes instead of redirects.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected final void configure(HttpSecurity http) throws Exception {
    http.apply(jwt());

    NoRedirectAuthenticationSuccessHandler loginHandler = new NoRedirectAuthenticationSuccessHandler();
    HttpStatusReturningLogoutSuccessHandler logoutHandler = new HttpStatusReturningLogoutSuccessHandler();
    Http403ForbiddenEntryPoint entryPoint = new Http403ForbiddenEntryPoint();

    http.antMatcher("/custom/**")
        // CSRF protection is switched off for this chain.
        .csrf().disable()
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .successHandler(loginHandler)
            .loginPage("/custom/signIn")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/custom/signOut")
            .logoutSuccessHandler(logoutHandler)
            .and()
        // Unauthenticated requests receive a bare 403 rather than a login redirect.
        .exceptionHandling().authenticationEntryPoint(entryPoint);
}
/**
 * Builds the {@code /custom/**} filter chain: every request must be
 * authenticated; login and logout reply with status codes, not redirects.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected final void configure(HttpSecurity http) throws Exception {
    NoRedirectAuthenticationSuccessHandler loginHandler = new NoRedirectAuthenticationSuccessHandler();
    HttpStatusReturningLogoutSuccessHandler logoutHandler = new HttpStatusReturningLogoutSuccessHandler();
    Http403ForbiddenEntryPoint entryPoint = new Http403ForbiddenEntryPoint();

    http.antMatcher("/custom/**")
        // CSRF protection is switched off for this chain.
        .csrf().disable()
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .successHandler(loginHandler)
            .loginPage("/custom/signIn")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/custom/signOut")
            .logoutSuccessHandler(logoutHandler)
            .and()
        // Unauthenticated requests receive a bare 403 rather than a login redirect.
        .exceptionHandling().authenticationEntryPoint(entryPoint);
}
/**
 * Builds the application chain: the SPA entry points and the {@code /info} and
 * {@code /health} endpoints are public, everything else needs an authenticated
 * user. Login, logout and access failures answer with status codes / JSON
 * rather than redirects, and a remember-me cookie keyed by the application
 * properties is supported.
 *
 * <p>Security headers are left at Spring Security's defaults.
 * CSRF protection is not configured here, so the default (enabled) applies.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/index.html", "/csrf", "/", "/router").permitAll()
        // NOTE(review): these look like actuator-style endpoints; confirm that
        // exposing them without authentication is intended.
        .antMatchers("/info", "/health").permitAll()
        .anyRequest().authenticated();

    http.rememberMe()
        .rememberMeServices(this.rememberMeServices)
        .key(this.appProperties.getRemembermeCookieKey());

    http.formLogin()
        .successHandler(this.authenticationSuccessHandler)
        .failureHandler(new JsonAuthFailureHandler())
        .permitAll();

    http.logout()
        .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
        .deleteCookies("JSESSIONID")
        .permitAll();

    // Unauthenticated requests receive a 401 instead of a login-page redirect.
    http.exceptionHandling()
        .authenticationEntryPoint(new Http401UnauthorizedEntryPoint());
}
/**
 * Builds the application chain. Static resources, registration, login, the
 * e-mail verification callback, the error page and the {@code /yggdrasil}
 * endpoints are public; {@code /email_verify/**} needs any authenticated user;
 * everything else requires {@code ROLE_VERIFIED}.
 *
 * <p>When the configured URL is HTTPS, all requests are forced onto a secure
 * channel. The default cache-control headers are disabled; the other default
 * security headers are untouched. CSRF protection is not configured here, so
 * the default (enabled) applies.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    boolean forceHttps = config.getUrl().startsWith("https://");
    if (forceHttps) {
        LOGGER.info("Enabled force https");
        http.requiresChannel().anyRequest().requiresSecure();
    }

    // Only the Cache-Control/Pragma/Expires defaults are turned off.
    http.headers().cacheControl().disable();

    String[] publicPaths = {
        // static resources
        "/css/**", "/images/**", "/js/**", "/fonts/**", "/favicon.ico",
        // registration, login and the e-mail verification callback
        "/register/**", "/login", "/email_verify/do_verify",
        // error page and the yggdrasil endpoints
        "/error", "/yggdrasil/**"
    };
    http.authorizeRequests()
        .antMatchers(publicPaths).permitAll()
        // (re)sending the verification mail only needs a logged-in user
        .antMatchers("/email_verify/**").authenticated()
        // everything else requires a verified e-mail address
        .anyRequest().hasAuthority("ROLE_VERIFIED");

    http.exceptionHandling()
        .authenticationEntryPoint(authEntry)
        .accessDeniedHandler((request, response, ex) -> {
            // A browser user whose e-mail is not verified yet is sent to the
            // verification page; AJAX callers and everyone else get a 403.
            boolean unverifiedBrowserUser = !isAjax(request)
                && UserService.getCurrentUser()
                    .filter(user -> !user.isEmailVerified())
                    .isPresent();
            if (unverifiedBrowserUser) {
                response.sendRedirect("/email_verify");
                return;
            }
            request.setAttribute(ERROR_ATTRIBUTE, ex);
            response.sendError(SC_FORBIDDEN, E_ACCESS_DENIED);
        });

    // Logout answers 204 rather than redirecting.
    http.logout()
        .logoutUrl("/logout")
        .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT));
}
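/**
 * Builds the dashboard chain. The root path and anything not listed as public
 * requires authentication; the dashboard assets and the {@code /authenticate},
 * {@code /security/info}, {@code /features} and {@code /assets/**} endpoints are
 * public. Browser (text/html) requests are redirected to the dashboard login
 * page, every other client gets an HTTP Basic challenge.
 *
 * <p>The session is carried in a request header (see
 * {@link HeaderHttpSessionStrategy}) rather than a cookie, which is presumably
 * why CSRF protection is disabled for the chain — confirm no cookie-based
 * session is reachable through it.
 *
 * <p>Compared with the earlier version, the second {@code csrf().disable()} and
 * the second {@code authorizeRequests()} registry were redundant and have been
 * folded into the single chain; the resulting configuration is the same.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final RequestMatcher textHtmlMatcher = new MediaTypeRequestMatcher(
        contentNegotiationStrategy, MediaType.TEXT_HTML);
    final String loginPage = dashboard("/#/login");

    final BasicAuthenticationEntryPoint basicAuthenticationEntryPoint = new BasicAuthenticationEntryPoint();
    basicAuthenticationEntryPoint.setRealmName(securityProperties.getBasic().getRealm());
    basicAuthenticationEntryPoint.afterPropertiesSet();

    http
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/").authenticated()
            .antMatchers(dashboard("/**"), "/authenticate", "/security/info", "/features", "/assets/**")
                .permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage(loginPage)
            .loginProcessingUrl(dashboard("/login"))
            .defaultSuccessUrl(dashboard("/"))
            .permitAll()
            .and()
        .logout()
            .logoutUrl(dashboard("/logout"))
            .logoutSuccessUrl(dashboard("/logout-success.html"))
            .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
            .permitAll()
            .and()
        .httpBasic()
            .and()
        .exceptionHandling()
            // Browsers are redirected to the login page; everything else gets a Basic challenge.
            .defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint(loginPage), textHtmlMatcher)
            .defaultAuthenticationEntryPointFor(basicAuthenticationEntryPoint, AnyRequestMatcher.INSTANCE);

    // Session id travels in a header instead of a cookie.
    final SessionRepositoryFilter<ExpiringSession> sessionRepositoryFilter =
        new SessionRepositoryFilter<>(sessionRepository());
    sessionRepositoryFilter.setHttpSessionStrategy(new HeaderHttpSessionStrategy());
    http.addFilterBefore(sessionRepositoryFilter, ChannelProcessingFilter.class);

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}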
/**
 * Builds the REST chain: the account-management endpoints listed in
 * {@code publicEndpoints} are public, the API docs and {@code /users/**} need the
 * {@code admin} authority, and everything else needs an authenticated user.
 * Authentication, access-denied, login and logout outcomes are reported through
 * the injected REST handlers / a status code rather than redirects.
 *
 * <p>CSRF protection is enabled for the requests selected by
 * {@code csrfRequestMatcher}, with the token exposed in a script-readable cookie.
 *
 * @param http builder for this filter chain
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): /user/changePassword is public here — presumably it is the
    // token-bearing step of the reset flow; confirm the handler validates the
    // reset token rather than trusting the request alone.
    String[] publicEndpoints = {
        "/failure",
        "/user/session",
        "/user/createaccount",
        "/user/resetPassword",
        "/user/processResetPasswordUrl",
        "/user/changePassword",
        "/user/registrationConfirm"
    };

    // NOTE(review): headers().disable() removes every default security header
    // (X-Content-Type-Options, X-Frame-Options, HSTS, cache control). Confirm a
    // downstream layer sets them, or disable only the specific header in the way.
    http.headers().disable();

    http.authorizeRequests()
        .antMatchers(publicEndpoints).permitAll()
        .antMatchers("/v2/api-docs").hasAnyAuthority("admin")
        .antMatchers("/users/**").hasAnyAuthority("admin")
        .anyRequest().authenticated();

    http.exceptionHandling()
        .authenticationEntryPoint(restAuthenticationEntryPoint)
        .accessDeniedHandler(restAccessDeniedHandler);

    http.formLogin()
        .loginProcessingUrl("/authenticate")
        .successHandler(restAuthenticationSuccessHandler)
        .failureHandler(restAuthenticationFailureHandler)
        .usernameParameter("username")
        .passwordParameter("password")
        .permitAll();

    http.logout()
        .logoutUrl("/logout")
        .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
        .deleteCookies("JSESSIONID")
        .permitAll();

    http.rememberMe()
        .rememberMeServices(rememberMeServices)
        .key(REMEMBER_ME_KEY);

    http.csrf()
        .requireCsrfProtectionMatcher(csrfRequestMatcher)
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
/**
 * Registers a logout success handler that replies with an HTTP status instead of
 * redirecting, which suits non-browser (REST) clients.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception propagated from the Spring Security builder API
 */
private void logout(HttpSecurity http) throws Exception {
    HttpStatusReturningLogoutSuccessHandler statusHandler = new HttpStatusReturningLogoutSuccessHandler();
    http.logout().logoutSuccessHandler(statusHandler);
}