/**
 * Defines the session authentication strategy applied after a successful authentication.
 *
 * <p>This deployment runs as a bearer-only Keycloak/OpenID Connect client, so no HTTP
 * session state is kept and the do-nothing {@link NullAuthenticatedSessionStrategy} is
 * returned. Unlike Spring's default strategies it performs no session-fixation protection
 * and no session registration, so it is only appropriate while there is no session to
 * protect. If the application is ever switched to a confidential client that does keep
 * sessions, replace it with
 * {@code new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl())} (or another
 * strategy that handles fixation) rather than leaving the no-op in place.
 *
 * @return a no-op session authentication strategy
 */
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
    SessionAuthenticationStrategy noSessionTracking = new NullAuthenticatedSessionStrategy();
    return noSessionTracking;
}
/**
 * Configures the protected private resources.
 *
 * <p>Reads paths and feature toggles from {@code Config}, then wires CSRF, session
 * handling, error handling, logout, remember-me and finally the authentication filters.
 * When API security is enabled the REST filters (JWT first, then {@code RestAuthFilter})
 * are inserted ahead of the remember-me filter.
 *
 * @param http HTTP sec object
 * @throws Exception ex
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    ConfigObject protectedRes = Config.getConfig().getObject("security.protected");
    ConfigValue apiSecurityFlag = Config.getConfig().getValue("security.api_security");
    // API security counts as enabled only when the key is present and is literally true.
    boolean restSecurityEnabled = apiSecurityFlag != null
            && Boolean.TRUE.equals(apiSecurityFlag.unwrapped());

    String loginPath = Config.getConfigParam("security.signin", "/signin");
    String logoutPath = Config.getConfigParam("security.signout", "/signout");
    String deniedPath = Config.getConfigParam("security.access_denied", "/403");
    String postLogoutPath = Config.getConfigParam("security.signout_success", loginPath);

    // If API security is disabled don't add the API endpoint to the list of protected resources.
    // NOTE(review): this registers the REST matcher without attaching an access rule
    // (.authenticated(), .hasRole(...), ...). In the Spring Security versions I know, an
    // unmapped matcher is either superseded by the next antMatchers(...) call made inside
    // parseProtectedResources or rejected at startup ("An incomplete mapping was found") —
    // confirm what this line is meant to enforce. API requests are actually gated by the
    // JWT/RestAuthFilter filters added at the bottom of this method.
    if (restSecurityEnabled) {
        http.authorizeRequests().requestMatchers(RestRequestMatcher.INSTANCE);
    }
    parseProtectedResources(http, protectedRes);

    // CSRF is on by default. Turning it off removes the token check from every
    // state-changing browser request, so it is only acceptable for deployments that
    // carry no cookie/session-backed authentication at all.
    if (!Config.getConfigBoolean("security.csrf_protection", true)) {
        http.csrf().disable();
    } else {
        http.csrf()
                .requireCsrfProtectionMatcher(CsrfProtectionRequestMatcher.INSTANCE)
                .csrfTokenRepository(csrfTokenRepository);
    }

    // Bearer-only session handling: never rewrite the session id into URLs, never create a
    // session (NEVER still reuses one that already exists — STATELESS would be the stricter
    // choice for a pure token setup) and run no post-authentication session strategy, the
    // same no-op strategy exposed by sessionAuthenticationStrategy().
    http.sessionManagement()
            .enableSessionUrlRewriting(false)
            .sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .sessionAuthenticationStrategy(new NullAuthenticatedSessionStrategy());

    // Unauthenticated callers are sent to the sign-in page, authenticated-but-forbidden
    // callers to the access-denied page.
    http.exceptionHandling()
            .authenticationEntryPoint(new SimpleAuthenticationEntryPoint(loginPath))
            .accessDeniedHandler(new SimpleAccessDeniedHandler(deniedPath));
    http.requestCache().requestCache(new SimpleRequestCache());
    http.logout().logoutUrl(logoutPath).logoutSuccessUrl(postLogoutPath);
    http.rememberMe().rememberMeServices(rememberMeServices);

    registerAuthFilters(http);

    if (restSecurityEnabled) {
        if (jwtFilter != null) {
            jwtFilter.setAuthenticationManager(authenticationManager());
            http.addFilterBefore(jwtFilter, RememberMeAuthenticationFilter.class);
        }
        // NOTE(review): when jwtFilter is null the anchor class below may never have been
        // registered with the chain, and Spring's filter ordering rejects unregistered
        // anchors at startup — confirm JWTRestfulAuthFilter is registered elsewhere (e.g. in
        // registerAuthFilters) or anchor on RememberMeAuthenticationFilter in that case.
        RestAuthFilter restAuthFilter = new RestAuthFilter();
        http.addFilterAfter(restAuthFilter, JWTRestfulAuthFilter.class);
    }
}