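/**
 * Builds the security filter chain for the LTI launch endpoint ({@code /launch}).
 *
 * <p>The chain only applies to {@code /launch}: the launch processing filter runs ahead of
 * {@link UsernamePasswordAuthenticationFilter}, every request must end up authenticated, and the
 * response is marked as embeddable only by the configured LMS origin ({@code canvas_url}) via both
 * the legacy {@code X-Frame-Options: ALLOW-FROM} header and a CSP {@code frame-ancestors}
 * directive.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws RuntimeException when {@code canvas_url} is missing or is not an absolute URL
 * @throws Exception        propagated from Spring Security / {@link URI} construction
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    LOG.debug("configuring HttpSecurity");

    String canvasUrl = configService.getConfigValue("canvas_url");
    if (StringUtils.isBlank(canvasUrl)) {
        throw new RuntimeException("Missing canvas_url config value");
    }
    URI canvasUri = new URI(canvasUrl);
    if (canvasUri.getScheme() == null || canvasUri.getHost() == null) {
        // ALLOW-FROM and frame-ancestors both need an absolute origin; fail fast at startup
        // rather than emit a header that browsers will ignore.
        throw new RuntimeException("canvas_url must be an absolute URL, got: " + canvasUrl);
    }
    // Origin form (scheme://host[:port]) of the LMS for the frame-ancestors source.
    String canvasOrigin = canvasUri.getScheme() + "://" + canvasUri.getHost()
            + (canvasUri.getPort() == -1 ? "" : ":" + canvasUri.getPort());

    http.requestMatchers()
            .antMatchers("/launch")
            .and()
        // Launch-specific authentication filter runs before form login would.
        .addFilterBefore(configureProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        // An LTI launch is a cross-site POST from the LMS, so Spring's session-bound CSRF token
        // cannot be present. Request authenticity is presumably established by
        // configureProcessingFilter() (LTI/OAuth signature check) -- TODO confirm.
        .csrf().disable()
        .headers()
            // Legacy framing control; ALLOW-FROM is not honoured by Chromium/WebKit-based
            // browsers, which is why frame-ancestors is added to the CSP below.
            .addHeaderWriter(new XFrameOptionsHeaderWriter(new StaticAllowFromStrategy(canvasUri)))
            // NOTE(review): script-src still allows 'unsafe-inline'; move inline scripts to
            // files or nonces before tightening, otherwise the launch page will break.
            .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy",
                    "default-src 'self' https://s.ksucloud.net https://*.instructure.com; "
                    + "font-src 'self' https://s.ksucloud.net https://*.instructure.com; "
                    + "script-src 'self' 'unsafe-inline' https://ajax.googleapis.com; "
                    + "style-src 'self' 'unsafe-inline' https://*.instructure.com https://www.k-state.edu; "
                    + "frame-ancestors " + canvasOrigin))
            // Legacy hint so older IE accepts third-party cookies inside the LMS iframe.
            .addHeaderWriter(new StaticHeadersWriter("P3P",
                    "CP=\"This is just to make IE happy with cookies in this iframe\""));
}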
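/**
 * Configures a cookie/session based form-login application.
 *
 * <p>Only the login and post-logout pages are public; everything else requires an authenticated
 * session. Default header writers are disabled and re-enabled individually: cache control, HSTS,
 * {@code X-Content-Type-Options: nosniff}, {@code X-Frame-Options: DENY},
 * {@code X-XSS-Protection: 1; mode=block} and a legacy {@code X-Content-Security-Policy}.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from Spring Security
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/login*").permitAll()
            .antMatchers("/after_logout*").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login.html")
            .defaultSuccessUrl("/deptform.html")
            .failureUrl("/login.html?error=true")
            .and()
        .logout()
            .logoutUrl("/logout.html")
            .logoutSuccessUrl("/after_logout.html");

    // NOTE(review): CSRF protection is disabled although authentication is a session cookie,
    // so a third-party page can forge state-changing POSTs (including the form on
    // /deptform.html) on behalf of a logged-in user. Re-enable once the forms emit the
    // _csrf token; left as-is here because the templates are not visible from this class.
    http.csrf().disable();

    http.headers()
            .defaultsDisabled()
            .cacheControl().and()
            .httpStrictTransportSecurity().and()
            // Previously disabled; nosniff costs nothing and blocks MIME-confusion attacks.
            // Revert only if some response genuinely relies on browser content sniffing.
            .contentTypeOptions().and()
            .frameOptions().deny()
            .xssProtection().block(true).and()
            // NOTE(review): X-Content-Security-Policy is a pre-standard header that current
            // browsers ignore; the policy is not actually enforced. Add the standard
            // Content-Security-Policy header (ideally Report-Only first) once inline
            // script/style usage on the pages has been checked against default-src 'self'.
            .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "default-src 'self'"));
}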
/**
 * {@inheritDoc}
 *
 * Configures web security for this application:
 * <ul>
 *   <li>optionally limits each user to a single concurrent session,</li>
 *   <li>emits the same CSP directives under the standard and the two legacy header names,</li>
 *   <li>opens the public/static resource paths and the login flow, requires authentication
 *       everywhere else,</li>
 *   <li>installs custom entry point and access-denied handling.</li>
 * </ul>
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from Spring Security
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Concurrency control: when enabled, a second login invalidates the first session,
    // which is then redirected to the expired URL.
    if (disableConcurrency) {
        http.sessionManagement()
                .maximumSessions(1)
                .expiredUrl("/login?expired");
    }

    // CSP: standard header plus the legacy Mozilla/WebKit prefixed variants, same directives.
    String[] cspHeaderNames = {
        X_CONTENT_SECURITY_POLICY_HEADER,
        CONTENT_SECURITY_POLICY_HEADER,
        X_WEBKIT_CSP_POLICY_HEADER
    };
    for (String headerName : cspHeaderNames) {
        http.headers().addHeaderWriter(new StaticHeadersWriter(headerName, DEFAULT_POLICY_DIRECTIVES));
    }

    // Authorization: static/public resources and the login path are open, rest authenticated.
    http.authorizeRequests()
            .antMatchers("/public/**", "/webjars/**", "/resources/**", "/static/**", "/login/**").permitAll()
            .anyRequest().authenticated();

    // IMPORTANT: loginPage() only sets the URL unauthenticated users are redirected to;
    // it does NOT create the handler that serves that page.
    http.formLogin()
            .loginPage(LOGIN_FORM_URL)
            .permitAll();
    http.logout()
            .permitAll();

    // Custom redirects for unauthenticated access and for access-denied exceptions.
    http.exceptionHandling()
            .authenticationEntryPoint(new SpringletsSecurityWebAuthenticationEntryPoint())
            .accessDeniedHandler(new SpringletsSecurityWebAccessDeniedHandlerImpl());
}
/**
 * Main HTTP security configuration.
 *
 * <p>Authentication is HTTP Basic (unauthenticated browsers are redirected by
 * {@code RedirectAuthenticationEntryPoint}) plus a persistent remember-me cookie. Public paths
 * are the landing page, login, static assets and the currency-rate read endpoint; diagnostics
 * and attention/delay views are open to admin, engineer and boss roles; all deletes and
 * user/currency administration are admin-only; everything else just needs authentication.
 * CSRF uses a custom token repository and a header-copying filter, and a reCAPTCHA filter runs
 * ahead of Basic authentication.
 *
 * @param http the {@link HttpSecurity} being configured
 * @throws Exception propagated from Spring Security
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    String[] staffRoles = {"ROLE_ADMIN", "ROLE_ENGINEER", "ROLE_BOSS"};

    http.httpBasic()
            .authenticationEntryPoint(new RedirectAuthenticationEntryPoint());

    // NOTE(review): the remember-me key is a hard-coded literal committed with the source.
    // It is part of the cookie signature input, so it should come from configuration/secret
    // storage and be rotated if this repository is ever exposed.
    http.rememberMe()
            .userDetailsService(userDetailsService)
            .key("steam")
            .useSecureCookie(true)
            .tokenValiditySeconds(25000);

    // Order matters: first matching rule wins, so the role-restricted rules precede anyRequest().
    // NOTE(review): the "{\\d+}" placeholders are read by AntPathMatcher as a path variable
    // named "\d+" matching any single segment, not as a numeric constraint. The effect is a
    // broader (i.e. stricter) match, so this is not a hole; switching to "{id:\\d+}" would
    // let non-numeric ids fall through to anyRequest().authenticated() -- only do that if the
    // controllers reject non-numeric ids as well.
    http.authorizeRequests()
            .antMatchers("/index.html", "/", "/login", "/javascript/**", "/fonts/**",
                    "/stylesheets/**", "/images/**", "/api/currency-rate", "/favicon.ico")
                .permitAll()
            .antMatchers(HttpMethod.GET, "/attention").hasAnyAuthority(staffRoles)
            .antMatchers(HttpMethod.GET, "/delay").hasAnyAuthority(staffRoles)
            .antMatchers(HttpMethod.POST, "/api/cheques/{\\d+}/diagnostics").hasAnyAuthority(staffRoles)
            .antMatchers(HttpMethod.DELETE, "/api/cheques/{\\d+}/diagnostics/{\\d+}").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.DELETE, "/api/cheques/{\\d+}/notes/{\\d+}").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.DELETE, "/api/cheques/{\\d+}").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.DELETE, "/api/photo/{\\d+}/{\\d+}").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.GET, "/api/currency-rate-list").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.POST, "/api/currency-rate").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.POST, "/api/user").hasAuthority("ROLE_ADMIN")
            .antMatchers(HttpMethod.DELETE, "/api/user/{\\d+}").hasAuthority("ROLE_ADMIN")
            .anyRequest().authenticated();

    http.logout()
            .logoutSuccessUrl("/")
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID");

    // CSRF token lives in the custom repository; csrfHeaderFilter() copies it into a header/cookie
    // the client can echo back (repository/filter are defined elsewhere in this class).
    http.csrf()
            .csrfTokenRepository(csrfTokenRepository());
    http.addFilterAfter(csrfHeaderFilter(), SessionManagementFilter.class);
    http.addFilterBefore(new ReCaptchaAuthFilter(reCaptchaProperties), BasicAuthenticationFilter.class);

    // NOTE(review): "default-src https:" permits any HTTPS origin as a fallback, and the
    // connect-src entry ws://127.0.0.1:35729 is a LiveReload development endpoint that should
    // not ship in a production policy. Left unchanged here to avoid breaking the front end.
    String csp = "default-src https: 'self'; "
            + "object-src 'none'; "
            + "script-src 'self' https://www.google.com https://www.gstatic.com; "
            + "style-src 'self' 'unsafe-inline'; "
            + "img-src 'self' data:; "
            + "connect-src 'self' ws://127.0.0.1:35729";
    http.headers()
            .contentSecurityPolicy(csp)
            .and()
            // NOTE(review): no-referrer-when-downgrade leaks full URLs to third-party HTTPS
            // origins; strict-origin-when-cross-origin is the usual safer default.
            .addHeaderWriter(new StaticHeadersWriter("Referrer-Policy", "no-referrer-when-downgrade"));
}