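/**
 * {@inheritDoc}
 *
 * <p>Applies this application's HTTP security policy: response security headers,
 * URL authorization rules, form login, session handling, logout, remember-me and
 * the access-denied page. Each concern is applied by a private helper on the same
 * mutable {@link HttpSecurity} builder, in the same order as the original single
 * call chain, so the resulting filter chain is unchanged. CSRF protection is not
 * touched here and therefore stays at the Spring Security default (enabled).
 *
 * @param httpSecurity the builder supplied by Spring Security
 * @throws Exception propagated from the {@code HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    applyHeaderPolicy(httpSecurity);
    applyAuthorizationRules(httpSecurity);
    applyFormLogin(httpSecurity);
    applySessionPolicy(httpSecurity);
    applyLogout(httpSecurity);
    applyRememberMe(httpSecurity);
    // Forbidden resources render the application's 403 page.
    httpSecurity.exceptionHandling().accessDeniedPage("/403");
}

/**
 * Configures the security response headers. Spring Security's default header set is
 * switched off first and every header this application wants is enabled explicitly.
 *
 * @param httpSecurity the builder being configured
 * @throws Exception propagated from the headers configurer
 */
private void applyHeaderPolicy(HttpSecurity httpSecurity) throws Exception {
    // Additional X-Frame-Options writer (XFrameOptionsHeaderWriter default) that only
    // fires for /login.
    RequestMatcher loginMatcher = new AntPathRequestMatcher("/login");
    DelegatingRequestMatcherHeaderWriter loginFrameOptions =
            new DelegatingRequestMatcherHeaderWriter(loginMatcher, new XFrameOptionsHeaderWriter());

    httpSecurity
            .headers()
            .defaultsDisabled()
            // Cache-Control headers: stop the browser from showing a cached application
            // page via the back button after logout.
            .cacheControl().and()
            .contentTypeOptions().and()
            .addHeaderWriter(loginFrameOptions)
            .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000) // 365 days
                    .and()
            // NOTE(review): for /login this SAMEORIGIN writer overlaps the writer
            // registered above; which value is emitted depends on the Spring Security
            // version — confirm the intended framing policy for the login page.
            .frameOptions().sameOrigin()
            // Legacy X-XSS-Protection header enabled without mode=block.
            .xssProtection().block(false);
}

/**
 * Declares the publicly reachable URLs; every other request needs a fully
 * authenticated session (a remember-me cookie alone is not sufficient).
 *
 * @param httpSecurity the builder being configured
 * @throws Exception propagated from the authorization configurer
 */
private void applyAuthorizationRules(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .authorizeRequests()
            .expressionHandler(webExpressionHandler())
            .antMatchers(
                    "/forgotPwd",
                    "/resetPwd*",
                    "/successRegister*",
                    "/invalidSession.html",
                    "/registrationConfirm*",
                    "/registration.html",
                    "/user/registration",
                    "/login*")
            .permitAll()
            .anyRequest().fullyAuthenticated();
}

/**
 * Configures the custom login page, the credential parameter names and the
 * success/failure redirects; the login page itself is open to everyone.
 *
 * @param httpSecurity the builder being configured
 * @throws Exception propagated from the form-login configurer
 */
private void applyFormLogin(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .formLogin()
            .loginPage("/login.html")
            .defaultSuccessUrl("/home.html")
            .usernameParameter("username")
            .passwordParameter("password")
            .failureUrl("/login.html?error=true")
            .permitAll();
}

/**
 * Configures session handling: where expired/invalid sessions are redirected and the
 * session-fixation strategy.
 *
 * @param httpSecurity the builder being configured
 * @throws Exception propagated from the session-management configurer
 */
private void applySessionPolicy(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .sessionManagement()
            .invalidSessionUrl("/invalidSession.html")
            // NOTE(review): none() switches session-fixation protection off, so the
            // session id is kept across authentication. Unless the session store in use
            // requires this, the default strategy (migrateSession()/changeSessionId())
            // is the safer choice — confirm with the session setup.
            .sessionFixation().none();
}

/**
 * Configures logout: the trigger URL, the post-logout redirect, and the session and
 * cookies that are cleared.
 *
 * @param httpSecurity the builder being configured
 * @throws Exception propagated from the logout configurer
 */
private void applyLogout(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login.html")
            .invalidateHttpSession(true)
            // "remember-me" must match the cookie name set in applyRememberMe.
            .deleteCookies("remember-me", "SESSION")
            // NOTE(review): this matcher replaces the one logoutUrl() installs and
            // accepts any HTTP method, whereas logoutUrl() alone requires a POST while
            // CSRF protection is enabled. Keep it only if GET logout links are needed.
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .permitAll();
}

/**
 * Configures remember-me authentication using the application's
 * {@code rememberMeServices()} bean.
 *
 * @param httpSecurity the builder being configured
 * @throws Exception propagated from the remember-me configurer
 */
private void applyRememberMe(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .rememberMe()
            .rememberMeServices(rememberMeServices())
            .tokenValiditySeconds(86400) // 24 hours
            .rememberMeCookieName("remember-me");
}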