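/**
 * Builds the filter that mirrors Spring Security's CSRF token into an
 * {@code XSRF-TOKEN} cookie so a browser client can echo it back in the
 * {@code X-XSRF-TOKEN} request header (the convention Angular's HTTP client
 * follows for this cookie name).
 *
 * <p>The cookie is written only when it is missing or stale, so most responses
 * carry no {@code Set-Cookie}. It is deliberately not {@code HttpOnly}: the
 * client-side script has to read it. NOTE(review): when the application is only
 * ever served over TLS, {@code setSecure(true)} would stop the token leaking on
 * a plain-HTTP request — not set here, confirm the deployment before adding it.
 *
 * <p>Register this after Spring's {@code CsrfFilter}; that is what populates the
 * {@link CsrfToken} request attribute read here.
 *
 * @return a filter keeping the CSRF cookie in sync with the current token
 */
private Filter csrfHeaderFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            String token = csrf == null ? null : csrf.getToken();
            // No token to mirror (CSRF not active for this request, or a null value):
            // previously a missing cookie combined with a null token emitted a cookie
            // whose value was null, which is never useful to the client.
            if (token != null) {
                Cookie existing = WebUtils.getCookie(request, "XSRF-TOKEN");
                boolean stale = existing == null || !token.equals(existing.getValue());
                if (stale) {
                    Cookie refreshed = new Cookie("XSRF-TOKEN", token);
                    refreshed.setPath("/");
                    response.addCookie(refreshed);
                }
            }
            filterChain.doFilter(request, response);
        }
    };
}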
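/**
 * Registers a filter that redirects requests which reached a TLS-terminating
 * proxy over plain HTTP to their HTTPS equivalent.
 *
 * <p>Behind such a proxy the container only ever sees HTTP, so the scheme the
 * client actually used is taken from the {@code X-Forwarded-Proto} header. The
 * redirect target is always the configured {@code secure.base.url} (default
 * {@code https://putput.org}) plus the original request URI and query string;
 * no client-supplied host is ever placed in the {@code Location} header.
 * Redirection is disabled with {@code forward.to.https=false}.
 *
 * <p>NOTE(review): the header is only meaningful if the edge proxy overwrites it
 * on every request; a client can otherwise send it itself. The worst case here
 * is a spurious redirect to the canonical HTTPS URL, so no further check is made.
 *
 * @return the redirecting filter
 */
@Bean
public OncePerRequestFilter protocolForwardFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            boolean forwardToHttps = Boolean.parseBoolean(environment.getProperty("forward.to.https", "true"));
            String forwardedProto = request.getHeader("X-Forwarded-Proto");
            // Proxies are not consistent about case, so "HTTP" is treated like "http";
            // equalsIgnoreCase on the literal is also null-safe for a missing header.
            if (forwardToHttps && "http".equalsIgnoreCase(forwardedProto)) {
                String target = environment.getProperty("secure.base.url", "https://putput.org")
                        + request.getRequestURI();
                // Preserve the query string: the original dropped it, so any link
                // with parameters lost them on the HTTPS upgrade.
                String query = request.getQueryString();
                if (query != null) {
                    target += "?" + query;
                }
                response.sendRedirect(target);
            } else {
                filterChain.doFilter(request, response);
            }
        }
    };
}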
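/**
 * Builds the filter that exposes Spring Security's CSRF token to the browser as
 * an {@code XSRF-TOKEN} cookie, which the client script reads and returns in the
 * {@code X-XSRF-TOKEN} header on state-changing requests.
 *
 * <p>Two changes from the naive form: the cookie is only written when the client
 * does not already hold the current value (the original re-sent it on every
 * response), and nothing is written when there is no token value at all. The
 * cookie must stay readable by script, so it is not {@code HttpOnly}.
 *
 * <p>Must run after Spring's {@code CsrfFilter}, which sets the {@link CsrfToken}
 * request attribute this filter reads.
 *
 * @return a filter that publishes the CSRF token as a cookie
 */
private Filter csrfHeaderFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            String token = csrf == null ? null : csrf.getToken();
            // token.equals(null) is false, so a missing cookie always triggers a write.
            if (token != null && !token.equals(currentCookieValue(request))) {
                Cookie cookie = new Cookie("XSRF-TOKEN", token);
                cookie.setPath("/");
                response.addCookie(cookie);
            }
            filterChain.doFilter(request, response);
        }

        /** Value of the client's current XSRF-TOKEN cookie, or null when it sent none. */
        private String currentCookieValue(HttpServletRequest request) {
            Cookie[] cookies = request.getCookies();
            if (cookies == null) {
                return null;
            }
            for (Cookie candidate : cookies) {
                if ("XSRF-TOKEN".equals(candidate.getName())) {
                    return candidate.getValue();
                }
            }
            return null;
        }
    };
}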
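/**
 * Creates the filter that copies the server-side CSRF token into the
 * {@code XSRF-TOKEN} cookie expected by the browser client, which sends it back
 * as the {@code X-XSRF-TOKEN} header.
 *
 * <p>A {@code Set-Cookie} is emitted only when the client has no cookie or its
 * value differs from the current token. The cookie is intentionally readable by
 * script (no {@code HttpOnly}); it carries no secret beyond the session itself.
 * NOTE(review): {@code Secure} is not set — worth adding once TLS is mandatory.
 *
 * <p>Order it after {@code CsrfFilter}, the producer of the {@link CsrfToken}
 * request attribute.
 *
 * @return the cookie-synchronising filter
 */
private Filter csrfHeaderFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (csrf != null) {
                String token = csrf.getToken();
                Cookie clientCookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                // Guard on the token first: a null token used to produce a cookie
                // with a null value when the client had none yet.
                if (token != null && needsRefresh(clientCookie, token)) {
                    writeCookie(response, token);
                }
            }
            filterChain.doFilter(request, response);
        }

        /** True when the client lacks the cookie or holds a value other than the current token. */
        private boolean needsRefresh(Cookie clientCookie, String token) {
            return clientCookie == null || !token.equals(clientCookie.getValue());
        }

        /** Adds a site-wide ("/") XSRF-TOKEN cookie carrying the given token. */
        private void writeCookie(HttpServletResponse response, String token) {
            Cookie cookie = new Cookie("XSRF-TOKEN", token);
            cookie.setPath("/");
            response.addCookie(cookie);
        }
    };
}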
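/**
 * Builds the filter that publishes the CSRF token as an {@code XSRF-TOKEN}
 * cookie for the browser client, which returns it in the {@code X-XSRF-TOKEN}
 * header; the server-side check itself is done by Spring's {@code CsrfFilter}.
 *
 * <p>Writes the cookie only when it is absent or stale, and never when the token
 * value is null. Not {@code HttpOnly} on purpose — script has to read it.
 *
 * <p>Must be added after {@code CsrfFilter}, which provides the {@link CsrfToken}
 * request attribute.
 *
 * @return the CSRF cookie filter
 */
private Filter csrfHeaderFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            mirrorTokenIntoCookie(request, response);
            filterChain.doFilter(request, response);
        }

        /**
         * Sends the XSRF-TOKEN cookie when the client lacks it or holds an old value.
         * Does nothing without a CsrfToken attribute or with a null token value (the
         * original emitted a null-valued cookie in that last case).
         */
        private void mirrorTokenIntoCookie(HttpServletRequest request, HttpServletResponse response) {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (csrf == null) {
                return;
            }
            String token = csrf.getToken();
            if (token == null) {
                return;
            }
            Cookie current = WebUtils.getCookie(request, "XSRF-TOKEN");
            boolean upToDate = current != null && token.equals(current.getValue());
            if (upToDate) {
                return;
            }
            Cookie cookie = new Cookie("XSRF-TOKEN", token);
            cookie.setPath("/");
            response.addCookie(cookie);
        }
    };
}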
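/**
 * Creates the filter that keeps the browser's {@code XSRF-TOKEN} cookie equal to
 * the CSRF token Spring Security generated for the request, so the client can
 * return it in the {@code X-XSRF-TOKEN} header.
 *
 * <p>The cookie is re-sent only on a mismatch or when missing, and never with a
 * null value. It is readable by script by design (no {@code HttpOnly}).
 * NOTE(review): consider {@code setSecure(true)} if the site is TLS-only.
 *
 * <p>Place after {@code CsrfFilter}; the {@link CsrfToken} attribute is set there.
 *
 * @return the CSRF cookie filter
 */
private Filter csrfHeaderFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            String token = csrf == null ? null : csrf.getToken();
            if (token == null) {
                // Nothing to publish; previously a null token plus a missing cookie
                // produced a cookie with a null value.
                filterChain.doFilter(request, response);
                return;
            }
            Cookie sent = WebUtils.getCookie(request, "XSRF-TOKEN");
            String sentValue = sent == null ? null : sent.getValue();
            if (!token.equals(sentValue)) {
                Cookie fresh = new Cookie("XSRF-TOKEN", token);
                fresh.setPath("/");
                response.addCookie(fresh);
            }
            filterChain.doFilter(request, response);
        }
    };
}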
/**
 * Resource-server HTTP rules: every request must be authenticated, and a request
 * carrying no access token is made anonymous before authorization runs.
 *
 * <p>The extra filter exists because an authentication already in the context
 * (possibly an {@code OAuth2Authentication} restored from elsewhere) would
 * otherwise let a token-less request reach a protected resource; when
 * {@code tokenExtractor} finds nothing, the context is cleared.
 *
 * @param http the security builder being configured
 * @throws Exception propagated from the Spring Security builder
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    OncePerRequestFilter requireToken = new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            boolean tokenPresent = tokenExtractor.extract(request) != null;
            if (!tokenPresent) {
                // No token, no access: drop whatever authentication is in the context.
                SecurityContextHolder.clearContext();
            }
            filterChain.doFilter(request, response);
        }
    };
    http.addFilterAfter(requireToken, AbstractPreAuthenticatedProcessingFilter.class);
    http.authorizeRequests().anyRequest().authenticated();
}
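/**
 * Builds the filter that exposes Spring Security's CSRF token to the browser as
 * an {@code XSRF-TOKEN} cookie; the client echoes it in the {@code X-XSRF-TOKEN}
 * header and {@code CsrfFilter} compares the two.
 *
 * <p>The cookie is written only when missing or stale, carries the {@code Secure}
 * flag (so it is only sent over TLS — plain-HTTP deployments will not see it),
 * and is readable by script on purpose, since the client has to copy it into a
 * header. A null token value no longer produces a null-valued cookie.
 *
 * <p>Must follow {@code CsrfFilter}, which sets the {@link CsrfToken} attribute.
 *
 * @return a filter that keeps the CSRF cookie current
 */
private Filter csrfHeaderFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            String token = csrf == null ? null : csrf.getToken();
            if (token != null) {
                Cookie existing = WebUtils.getCookie(request, "XSRF-TOKEN");
                if (existing == null || !token.equals(existing.getValue())) {
                    Cookie cookie = new Cookie("XSRF-TOKEN", token);
                    cookie.setPath("/");
                    // Secure: never transmitted over plain HTTP.
                    cookie.setSecure(true);
                    response.addCookie(cookie);
                }
            }
            filterChain.doFilter(request, response);
        }
    };
}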
/**
 * Registers, with the lowest precedence, a filter that adds a {@code JSESSIONID}
 * cookie holding the configured {@code cookie} value whenever nothing earlier
 * in the chain has already emitted a {@code Set-Cookie} header.
 *
 * <p>NOTE(review): the cookie goes out with servlet defaults — no path,
 * {@code HttpOnly} or {@code Secure} attribute. Presumably it exists only to give
 * the Cloud Foundry router something to pin a session on (the value is a fixed
 * field, not a real session id); confirm before relying on it for anything else.
 *
 * @return the registration bean wrapping the sticky-cookie filter
 */
@Bean
public FilterRegistrationBean<?> stickyCloudFoundryFilter() {
    OncePerRequestFilter stickyCookie = new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            // Evaluated before the chain runs, so only cookies set by earlier filters count.
            boolean alreadySettingCookie = response.containsHeader("Set-Cookie");
            if (!alreadySettingCookie) {
                response.addCookie(new Cookie("JSESSIONID", cookie));
            }
            filterChain.doFilter(request, response);
        }
    };
    FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>();
    registration.setFilter(stickyCookie);
    registration.setOrder(Ordered.LOWEST_PRECEDENCE);
    return registration;
}
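/**
 * Builds the filter that copies Spring Security's CSRF token into an
 * {@code XSRF-TOKEN} cookie, refreshing it only when the client's copy is
 * missing or out of date, and never with a null value.
 *
 * <p>NOTE(review): the cookie is marked {@code HttpOnly}, so browser script
 * cannot read it. The {@code XSRF-TOKEN} name is the convention for a cookie the
 * front-end reads and replays as the {@code X-XSRF-TOKEN} header; if that is the
 * intended client contract, this flag prevents it and the CSRF check will reject
 * every state-changing request. Left as-is here — confirm how the client obtains
 * the token before changing it.
 *
 * <p>Must run after {@code CsrfFilter}, which supplies the {@link CsrfToken}
 * request attribute.
 *
 * @return the CSRF cookie filter
 */
private Filter csrfHeaderFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            String token = csrf == null ? null : csrf.getToken();
            // Skip on a null token: the original sent a null-valued cookie when the
            // client had none yet.
            if (token != null) {
                Cookie existing = WebUtils.getCookie(request, "XSRF-TOKEN");
                boolean stale = existing == null || !token.equals(existing.getValue());
                if (stale) {
                    Cookie cookie = new Cookie("XSRF-TOKEN", token);
                    cookie.setPath("/");
                    cookie.setHttpOnly(true);
                    response.addCookie(cookie);
                }
            }
            filterChain.doFilter(request, response);
        }
    };
}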
/**
 * Admin-area security: {@code /admin/**} and {@code /signout} require an
 * authenticated user whose principal is a {@code Long}, logout is triggered by
 * {@code /signout} and lands on {@code /}, and HTTPS is required when
 * {@link #isForceHttps()} says so.
 *
 * <p>The principal-type check lives in a temporary filter (to go once basic auth
 * is removed): presumably only the GitHub login yields a numeric principal, so
 * any other authentication — a basic-auth user, say — is refused with
 * {@link BadCredentialsException}.
 *
 * @param http the security builder being configured
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    configureHeaders(http.headers());
    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint());
    http.requestMatchers().antMatchers("/admin/**", "/signout");
    // TODO this filter needs to be removed once basic auth is removed
    OncePerRequestFilter githubUsersOnly = new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            boolean githubUser = authentication != null
                    && authentication.isAuthenticated()
                    && authentication.getPrincipal() instanceof Long;
            if (!githubUser) {
                throw new BadCredentialsException("Not a github user!");
            }
            filterChain.doFilter(request, response);
        }
    };
    http.addFilterAfter(githubUsersOnly, ExceptionTranslationFilter.class);
    http.logout().logoutRequestMatcher(new AntPathRequestMatcher("/signout")).logoutSuccessUrl("/");
    http.authorizeRequests().anyRequest().authenticated();
    if (isForceHttps()) {
        http.requiresChannel().anyRequest().requiresSecure();
    }
}
/**
 * Registers, at highest precedence, a filter that remembers where an anonymous
 * user came from when they request a {@code /login} URL, so the flow can send
 * them back there afterwards.
 *
 * <p>Only the first origin seen in a session is kept (under
 * {@code SAVED_LOGIN_ORIGIN_URI}); a blank or absent {@code Referer} is ignored.
 *
 * <p>NOTE(review): the stored value is the client-supplied {@code Referer}
 * header, so whatever later redirects to it must restrict the target to this
 * application's own origin (or a relative path) to avoid an open redirect. That
 * check is not visible here — confirm at the consumer.
 *
 * @return the registration bean for the origin-saving filter
 */
@Bean
public FilterRegistrationBean saveLoginOriginFilter() {
    Filter originCapture = new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            boolean anonymousLoginRequest = request.getRemoteUser() == null
                    && request.getRequestURI().endsWith("/login");
            if (anonymousLoginRequest) {
                String referrer = request.getHeader("referer");
                // Session lookup happens only for a non-blank referrer (same short-circuit as before).
                boolean firstOriginThisSession = !StringUtils.isBlank(referrer)
                        && request.getSession().getAttribute(SAVED_LOGIN_ORIGIN_URI) == null;
                if (firstOriginThisSession) {
                    log.debug("Saving login origin URI: {}", referrer);
                    request.getSession().setAttribute(SAVED_LOGIN_ORIGIN_URI, referrer);
                }
            }
            filterChain.doFilter(request, response);
        }
    };
    FilterRegistrationBean registration = new FilterRegistrationBean(originCapture);
    registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
    return registration;
}
/**
 * Resource-server HTTP rules for the stock-management app: the landing page,
 * webjars and docs are public, everything else needs a fully authenticated
 * caller, and a request without an access token is made anonymous first.
 *
 * <p>CSRF protection is switched off; that is only acceptable because access is
 * granted by a bearer token rather than a browser-managed cookie — presumably
 * the case here, confirm if cookie sessions are ever honoured. The token filter
 * clears any authentication already in the context when {@code tokenExtractor}
 * finds nothing (it might otherwise be an {@code OAuth2Authentication} that
 * grants access without a token).
 *
 * @param http the security builder being configured
 * @throws Exception propagated from the Spring Security builder
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    OncePerRequestFilter requireToken = new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            boolean tokenPresent = tokenExtractor.extract(request) != null;
            if (!tokenPresent) {
                SecurityContextHolder.clearContext();
            }
            filterChain.doFilter(request, response);
        }
    };
    http.addFilterAfter(requireToken, AbstractPreAuthenticatedProcessingFilter.class);
    http.csrf().disable();
    String[] publicPaths = {
        "/stockmanagement",
        "/webjars/**",
        "/stockmanagement/webjars/**",
        "/stockmanagement/docs/**"
    };
    http.authorizeRequests()
            .antMatchers(publicPaths).permitAll()
            .antMatchers("/**").fullyAuthenticated();
}
/**
 * Resource-server HTTP rules for the template app: the landing page, webjars
 * and docs are public, everything else needs a fully authenticated caller, and a
 * request without an access token is made anonymous first.
 *
 * <p>CSRF protection is switched off; that is only acceptable while access is
 * granted by a bearer token rather than a browser-managed cookie — presumably
 * the case here, confirm if cookie sessions are ever honoured. The token filter
 * clears any authentication already in the context when {@code tokenExtractor}
 * finds nothing (it might otherwise be an {@code OAuth2Authentication} that
 * grants access without a token).
 *
 * @param http the security builder being configured
 * @throws Exception propagated from the Spring Security builder
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    OncePerRequestFilter requireToken = new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            if (tokenExtractor.extract(request) == null) {
                SecurityContextHolder.clearContext();
            }
            filterChain.doFilter(request, response);
        }
    };
    http.addFilterAfter(requireToken, AbstractPreAuthenticatedProcessingFilter.class);
    http.csrf().disable();
    String[] publicPaths = {
        "/template",
        "/webjars/**",
        "/template/webjars/**",
        "/template/docs/**"
    };
    http.authorizeRequests()
            .antMatchers(publicPaths).permitAll()
            .antMatchers("/**").fullyAuthenticated();
}
/**
 * Creates the filter that hands CSRF cookie handling to the configured
 * {@code csrfCookieHandler} before passing the request down the chain.
 *
 * <p>The handler owns the cookie's name and attributes; this filter only
 * sequences the call so it happens on every request.
 *
 * @return the CSRF cookie filter
 */
private Filter csrfHeaderFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(final HttpServletRequest request,
                final HttpServletResponse response, final FilterChain chain)
                throws ServletException, IOException {
            WebSecurityConfig.this.csrfCookieHandler.setCookie(request, response);
            chain.doFilter(request, response);
        }
    };
}
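/**
 * Registers (at order 2) a filter that attaches browser hardening headers to
 * every response.
 *
 * <p>Headers are now written before the chain runs: a header set after
 * {@code doFilter} is silently discarded once the response has been committed
 * (a large body already flushed, for instance), which the original ordering
 * risked. A downstream handler can still override any of them.
 *
 * <p>What is sent:
 * <ul>
 * <li>{@code X-XSS-Protection: 0} — turns off the legacy browser XSS auditor,
 * itself a source of problems; CSP is the replacement.</li>
 * <li>{@code X-Content-Type-Options: nosniff} — no MIME sniffing.</li>
 * <li>{@code Content-Security-Policy} — scripts only from this origin, the
 * configured Piwik source ({@code pds.piwik.url}) and {@code barra.brasil.gov.br};
 * everything else same-origin. {@code 'unsafe-inline'} is kept from the original
 * policy and weakens the script restriction considerably; dropping it needs
 * nonces or hashes on the inline scripts.</li>
 * </ul>
 *
 * <p>The CSP syntax is corrected here: directive names take no colon
 * ({@code script-src}, not {@code script-src:}) and host sources are not quoted —
 * quotes are reserved for keywords such as {@code 'self'}. As originally written
 * the directives are unrecognised and browsers ignore the header, so this change
 * makes the policy take effect for the first time; run it as
 * {@code Content-Security-Policy-Report-Only} first if the site has never been
 * exercised under it.
 *
 * @param urlPiwik the Piwik host or URL allowed to serve scripts
 * @return the registration bean for the header filter
 */
@Bean
public FilterRegistrationBean securityHeadersFilter(@Value("${pds.piwik.url}") String urlPiwik) {
    // Built once per bean, not per request; captured by the anonymous filter below.
    final String contentSecurityPolicy = "script-src 'self' 'unsafe-inline' " + urlPiwik
            + " barra.brasil.gov.br; default-src 'self'";
    return filter(2, new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            response.setHeader("X-XSS-Protection", "0");
            response.setHeader("X-Content-Type-Options", "nosniff");
            response.setHeader("Content-Security-Policy", contentSecurityPolicy);
            filterChain.doFilter(request, response);
        }
    });
}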
/**
 * Resource-server configuration for the {@code todo} resource id: every request
 * must be authenticated, CSRF protection is off, and a request that carries no
 * access token is made anonymous before authorization runs.
 *
 * <p>Disabling CSRF is only acceptable while access is granted by a bearer token
 * rather than a browser-managed cookie — presumably the case here, confirm if
 * cookie sessions are ever honoured. The token filter clears an authentication
 * already present in the context (possibly an {@code OAuth2Authentication}) when
 * {@code tokenExtractor} finds nothing in the request.
 *
 * @return the resource-server configurer
 */
@Bean
public ResourceServerConfigurer resourceServerConfigurerAdapter() {
    return new ResourceServerConfigurerAdapter() {
        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            resources.resourceId("todo");
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            OncePerRequestFilter requireToken = new OncePerRequestFilter() {
                @Override
                protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                        FilterChain filterChain) throws ServletException, IOException {
                    boolean tokenPresent = tokenExtractor.extract(request) != null;
                    if (!tokenPresent) {
                        SecurityContextHolder.clearContext();
                    }
                    filterChain.doFilter(request, response);
                }
            };
            http.addFilterAfter(requireToken, AbstractPreAuthenticatedProcessingFilter.class);
            http.csrf().disable();
            http.authorizeRequests().anyRequest().authenticated();
        }
    };
}
/**
 * Registers the access-log filter, unless {@code loc.web.springmvc.log.enabled}
 * is set to {@code false} or {@code OncePerRequestFilter} is absent from the
 * classpath.
 *
 * <p>NOTE(review): what the filter records is not visible here; confirm that
 * request logging masks credentials (Authorization, cookies) before enabling it
 * in shared environments.
 *
 * @param locSpringMvcProperties logging settings handed to the filter
 * @return the access-log filter
 */
@Bean
@ConditionalOnClass(OncePerRequestFilter.class)
@ConditionalOnProperty(value = "loc.web.springmvc.log.enabled", matchIfMissing = true)
public Filter accessLogFilter(LocSpringMvcLogProperties locSpringMvcProperties) {
    LocAccessLogFilter accessLog = new LocAccessLogFilter(locSpringMvcProperties);
    return accessLog;
}
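/**
 * Spring Security offers built-in protection against cross-site request forgery
 * (CSRF) by requiring a custom token in the header of any request that is NOT
 * safe, i.e. one that modifies resources on the server (POST, PUT, PATCH, ...).
 *
 * <p>The protection is achieved with a cookie that carries a custom value (the
 * same for the whole session): the server sends it on the first request and the
 * front-end sends the value back as a custom header.
 *
 * <p>This method creates the filter that is applied to the web security:
 * <ol>
 * <li>Spring Security provides the CSRF token value as a request attribute; it
 * is read from there.</li>
 * <li>If there is a token, Angular expects the cookie to be named
 * {@code CSRF_COOKIE_NAME} ("XSRF-TOKEN"). The cookie is added when it is
 * missing or stale, with path "/" (root). In more complicated set-ups this might
 * have to be the context root of the API gateway.</li>
 * <li>The request is forwarded to the next filter in the chain.</li>
 * </ol>
 *
 * <p>The cookie is intentionally readable by script (no {@code HttpOnly}), since
 * the front-end has to copy it into the header. A null token value no longer
 * produces a null-valued cookie.
 *
 * <p>The filter must be added after the {@code csrf()} filter so the
 * {@link CsrfToken} request attribute already exists when it runs.
 *
 * @return a filter that publishes the CSRF token as the {@code CSRF_COOKIE_NAME}
 *         cookie
 */
private Filter createCSRFHeaderFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            String token = csrf == null ? null : csrf.getToken();
            if (token != null) {
                Cookie existing = WebUtils.getCookie(request, CSRF_COOKIE_NAME);
                boolean stale = existing == null || !token.equals(existing.getValue());
                if (stale) {
                    Cookie cookie = new Cookie(CSRF_COOKIE_NAME, token);
                    cookie.setPath("/");
                    response.addCookie(cookie);
                }
            }
            filterChain.doFilter(request, response);
        }
    };
}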