List of usage examples for org.springframework.security.config.annotation.web.builders HttpSecurity csrf
public CsrfConfigurer<HttpSecurity> csrf() throws Exception
From source file:istata.WebSecurityConfig.java
/**
 * Wires the login/logout flow for this application.
 *
 * <p>Every request needs an authenticated user, except the login page and the
 * logout endpoint, which are open to everyone. An unauthenticated request is
 * answered by an {@code AjaxAwareAuthenticationEntryPoint} pointing at
 * {@code /login}.
 *
 * <p>CSRF protection is switched off for the whole application, so no
 * state-changing endpoint is token-checked.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .anyRequest().authenticated();

    http.formLogin()
            .loginPage("/login")
            .permitAll();

    http.logout()
            .permitAll();

    http.exceptionHandling()
            .authenticationEntryPoint(new AjaxAwareAuthenticationEntryPoint("/login"));

    // FIXME, we might want to have this enabled at some point or at least
    // for some resources.
    http.csrf().disable();
}
From source file:org.watterssoft.SecurityConfig.java
/**
 * URL rules and form login for the site.
 *
 * <p>Static resources, sign-up, about, jQuery/JS assets and the logout endpoint
 * are open to everyone; {@code /admin/**} needs ROLE_ADMIN; {@code /db/**} needs
 * both ROLE_ADMIN and ROLE_DBA; everything else needs an authenticated user.
 * The form login lives at {@code /login} and lands on {@code /} on success.
 *
 * <p>CSRF protection is disabled, so the login form and every other POST
 * endpoint are accepted without a token.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/resources/**", "/signup", "/about", "/jquery/**", "/js/**", "/logout")
                .permitAll()
            .antMatchers("/admin/**")
                .hasRole("ADMIN")
            .antMatchers("/db/**")
                .access("hasRole('ROLE_ADMIN') and hasRole('ROLE_DBA')")
            .anyRequest()
                .authenticated();

    http.formLogin()
            .loginPage("/login")
            .defaultSuccessUrl("/")
            .permitAll();

    http.csrf().disable();
}
From source file:br.com.gerenciapessoal.security.SecurityConfig.java
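/**
 * JSF-aware security configuration.
 *
 * <p>Unauthenticated users are redirected to {@code /Login.xhtml} by a JSF-aware
 * entry point, and access-denied responses are routed to
 * {@code /AcessoNegado.xhtml} by a JSF-aware denied handler. URL rules are
 * evaluated in order; any path not listed is denied outright.
 *
 * <p>Frame options are relaxed to same-origin and CSRF protection is disabled,
 * which leaves JSF postbacks without a token check.
 *
 * <p>Fix: the last role-gated pattern was written as
 * {@code "banco/PesquisaBanco.xhtml"} without a leading slash. Ant patterns are
 * matched against the request path, which always starts with {@code /}, and a
 * pattern whose leading separator differs from the path never matches, so that
 * page fell through to {@code denyAll()} instead of being granted to COMUN and
 * ADMINISTRADORES. The pattern now carries the leading slash like every other one.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    JsfLoginUrlAuthenticationEntryPoint jsfLoginEntry = new JsfLoginUrlAuthenticationEntryPoint();
    jsfLoginEntry.setLoginFormUrl("/Login.xhtml");
    jsfLoginEntry.setRedirectStrategy(new JsfRedirectStrategy());

    JsfAccessDeniedHandler jsfDeniedHandler = new JsfAccessDeniedHandler();
    jsfDeniedHandler.setLoginPath("/AcessoNegado.xhtml");
    jsfDeniedHandler.setContextRelative(true);

    http.csrf().disable()
        .headers().frameOptions().sameOrigin().and()
        .authorizeRequests()
            .antMatchers("/Login.xhtml", "/Erro.xhtml", "/javax.faces.resource/**")
                .permitAll()
            .antMatchers("/Home.xhtml", "/AcessoNegado.xhtml", "/usuarios/CadastroUsuario.xhtml")
                .authenticated()
            .antMatchers("/usuarios/PesquisaUsuario.xhtml", "/banco/CadastroBanco.xhtml")
                .hasRole("ADMINISTRADORES")
            // Leading slash added: without it this pattern never matched a request path.
            .antMatchers("/lancamentos/**", "/conta/**", "/banco/PesquisaBanco.xhtml")
                .hasAnyRole("COMUN", "ADMINISTRADORES")
            .anyRequest()
                .denyAll()
            .and()
        .formLogin()
            .loginPage("/Login.xhtml")
            .failureUrl("/Login.xhtml?invalid=true")
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .and()
        .exceptionHandling()
            // NOTE(review): accessDeniedPage() installs a page-redirecting handler and
            // accessDeniedHandler() then replaces it; the custom handler is what takes
            // effect, so the accessDeniedPage() call appears redundant — confirm.
            .accessDeniedPage("/AcessoNegado.xhtml")
            .authenticationEntryPoint(jsfLoginEntry)
            .accessDeniedHandler(jsfDeniedHandler);
}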
From source file:com.appspot.potlachkk.config.WebSecurityConfig.java
/**
 * Security configuration for a JSON API with mobile clients on App Engine.
 *
 * <p>Login is a form POST to {@code /login} that answers with a status code
 * instead of a redirect; logout invalidates the session and deletes the
 * {@code JSESSIONID} cookie. Unauthenticated access to a protected URL is
 * answered by {@code JSON_AUTHENTICATION_ENTRY_POINT} rather than a redirect to
 * the login form, and no request is cached across the login.
 *
 * <p>CSRF protection is disabled application-wide, so the session cookie alone
 * authorises state-changing requests.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // We don't want to cache requests during login.
    http.requestCache().requestCache(new NullRequestCache());

    // I am not sure if this configuration is not a "work-around";
    // maybe there is a simpler/more elegant solution.
    // Avoid CSRF token related problems with mobile clients.
    http.csrf().disable();

    // If a protected URL is accessed without authentication, send the client an
    // HTTP status code instead of redirecting to the login form.
    http.exceptionHandling().authenticationEntryPoint(JSON_AUTHENTICATION_ENTRY_POINT);

    // To log in, POST to /login with password=pass1&username=user1 and
    // Content-Type: application/x-www-form-urlencoded.
    http.formLogin()
            .successHandler(NO_REDIRECT_SUCCESS_HANDLER)
            .failureHandler(NO_REDIRECT_FAILURE_HANDLER)
            .permitAll();

    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessHandler(JSON_LOGOUT_SUCCESS_HANDLER)
            .deleteCookies("JSESSIONID")
            .invalidateHttpSession(true)
            .permitAll();

    // GAE-specific localhost maintenance URL.
    http.authorizeRequests().antMatchers("/_ah/**").permitAll();

    // Configuration URLs - should be disabled in production (they are open here).
    http.authorizeRequests().antMatchers("/config", "/delconfig").permitAll();

    // test
    http.authorizeRequests().antMatchers("/image/**").permitAll();

    http.authorizeRequests().anyRequest().authenticated();
}
From source file:jp.pigumer.sso.WebSecurityConfig.java
/**
 * SAML single sign-on configuration.
 *
 * <p>HTTP Basic is configured with the SAML entry point, so an unauthenticated
 * request is answered by the SAML flow rather than a Basic challenge. The
 * metadata generator filter runs before {@code ChannelProcessingFilter} and the
 * SAML filter after {@code BasicAuthenticationFilter}. {@code /} and
 * {@code /saml/**} are open; everything else needs an authenticated user, and
 * logout lands on {@code /}.
 *
 * <p>CSRF protection is disabled for the whole application, not only for the
 * {@code /saml/**} endpoints.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the builder or the filter bean methods
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();

    http.httpBasic()
            .authenticationEntryPoint(samlEntryPoint());

    http.authorizeRequests()
            .antMatchers("/", "/saml/**").permitAll()
            .anyRequest().authenticated();

    http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class);
    http.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);

    http.logout()
            .logoutSuccessUrl("/");
}
From source file:net.oneandone.stool.overview.config.SecurityConfiguration.java
/**
 * CAS single sign-on in front of the overview application.
 *
 * <p>A {@code CasAuthenticationFilter} bound to this adapter's authentication
 * manager is added to the chain, and unauthenticated requests are sent to the
 * CAS login URL built from {@code session.configuration.ldapSso}. When no LDAP
 * URL is configured every path is granted to ROLE_ANONYMOUS; otherwise
 * {@code /whoami} needs full authentication and everything else ROLE_LOGIN.
 * CSRF protection is disabled.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the builder or from
 *         {@code authenticationManager()}
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    CasAuthenticationFilter casFilter = new CasAuthenticationFilter();
    casFilter.setAuthenticationManager(authenticationManager());

    CasAuthenticationEntryPoint casEntryPoint = new CasAuthenticationEntryPoint();
    casEntryPoint.setLoginUrl(session.configuration.ldapSso + "/login/");
    casEntryPoint.setServiceProperties(serviceProperties());

    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(casEntryPoint);
    http.addFilter(casFilter);

    boolean ldapConfigured = !session.configuration.ldapUrl.isEmpty();
    if (ldapConfigured) {
        http.authorizeRequests()
                .antMatchers("/whoami").fullyAuthenticated()
                .antMatchers("/**").hasRole("LOGIN");
    } else {
        // No LDAP backend: every path is open to the anonymous principal.
        http.authorizeRequests()
                .antMatchers("/**").hasRole("ANONYMOUS");
    }
}
From source file:org.opendatakit.configuration.SecurityConfiguration.java
/**
 * Stateless security for the ODK services API.
 *
 * <p>No HTTP session is created ({@code STATELESS}) and CSRF protection is
 * disabled to match, so every request must carry its own credentials. The
 * root, health check, Swagger UI and image assets are public; the table-sync
 * API, the user/role listings and the admin area are role-gated; everything
 * else needs an authenticated user. Basic, anonymous and digest authentication
 * filters are installed to supply that authentication.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the builder or the filter bean methods
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    logger.info("Setting up authentication.");

    http.exceptionHandling()
            .authenticationEntryPoint(delegatingAuthenticationEntryPoint());

    // We have a choice here: stateless, OR enable sessions and use CSRF.
    // This configuration is stateless, so CSRF protection is switched off.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.csrf().disable();

    // Publicly reachable resources, listed in evaluation order.
    http.authorizeRequests()
            .antMatchers("/", "/healthcheck", "/swagger.json", "/favicon.ico",
                    "/index.html", "/swagger/**", "/images/**")
            .permitAll();

    http.authorizeRequests()
            .antMatchers("/odktables/**").hasRole("SYNCHRONIZE_TABLES")
            // /users/list and /roles/granted: backwards compatible with aggregate.
            .antMatchers("/users/list").hasRole("USER")
            .antMatchers("/roles/granted").hasRole("USER")
            .antMatchers("/admin/**").hasRole("SITE_ACCESS_ADMIN");

    // This is where we are currently enabling a fallback to Basic Authentication.
    // We may wish to remove this, as it is not very secure. On the other hand,
    // we're not requiring anyone to use it.
    http.authorizeRequests()
            .antMatchers("/**").authenticated();
    http.addFilterBefore(basicAuthenticationFilter(), AnonymousAuthenticationFilter.class);
    http.addFilterAt(anonymousFilter(), AnonymousAuthenticationFilter.class);
    http.addFilter(digestAuthenticationFilter());
}
From source file:de.thm.arsnova.config.SecurityConfig.java
/**
 * REST security with optional CAS and social-login filters.
 *
 * <p>Unauthenticated access is answered by the REST entry point. CSRF
 * protection is disabled. The CAS authentication and logout filters and the
 * Google, Facebook and Twitter filters are installed only when the matching
 * flag is set; the social filters are ordered after
 * {@code CasAuthenticationFilter}.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the builder or the filter bean methods
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.exceptionHandling()
            .authenticationEntryPoint(restAuthenticationEntryPoint());

    if (casEnabled) {
        http.addFilter(casAuthenticationFilter());
        http.addFilter(casLogoutFilter());
    }

    if (googleEnabled) {
        http.addFilterAfter(googleFilter(), CasAuthenticationFilter.class);
    }

    if (facebookEnabled) {
        http.addFilterAfter(facebookFilter(), CasAuthenticationFilter.class);
    }

    if (twitterEnabled) {
        http.addFilterAfter(twitterFilter(), CasAuthenticationFilter.class);
    }
}
From source file:com.orange.clara.cloud.services.sandbox.config.SecurityConfiguration.java
/**
 * OAuth2-protected sandbox endpoints driven by Spring Boot's security properties.
 *
 * <p>When {@code requireSsl} is set every request must be secure. When
 * {@code enableCsrf} is set a custom token repository and a header-based CSRF
 * filter (after {@code CsrfFilter}) are installed. The management
 * {@code /health} and {@code /info} endpoints are open to anonymous callers or
 * to tokens carrying the admin scope; the rest of the management context needs
 * the admin scope; everything else needs an authenticated user. Form login and
 * logout are disabled and the session policy comes from the properties.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the builder
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    String managementContextPath = managementServerProperties.getContextPath();
    // SpEL fragment checking the configured admin scope; reused in both rules below.
    String adminScopeCheck = "#oauth2.hasScope('" + oauth2AdminScope + "')";

    if (securityProperties.isRequireSsl()) {
        LOGGER.info("SSL enabled in springboot config, cannot access this app using http");
        http.requiresChannel().anyRequest().requiresSecure();
    }

    if (securityProperties.isEnableCsrf()) {
        LOGGER.info("CSRF enabled in springboot config");
        http.csrf().csrfTokenRepository(csrfTokenRepository());
        http.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    }
    // NOTE(review): there is no else branch, so nothing here disables CSRF when
    // enableCsrf is false; whether the builder's own defaults then leave CSRF on
    // depends on the Spring Security version in use — confirm the intended
    // behaviour.

    // @formatter:off
    http.authorizeRequests()
            .antMatchers(managementContextPath + "/health", managementContextPath + "/info")
                .access("isAnonymous() or #oauth2.throwOnError(" + adminScopeCheck + ")")
            .antMatchers(managementContextPath + "/**")
                .access(adminScopeCheck)
            .anyRequest().authenticated()
            .and()
        .formLogin().disable()
        .logout().disable()
        .sessionManagement()
            .sessionCreationPolicy(securityProperties.getSessions());
    // @formatter:on
}
From source file:com.miserablemind.butter.security.WebSecurityContext.java
/**
 * Main configuration method that defines the protected pages, the login form
 * parameters, remember-me and the {@link AccessDeniedHandler} used on access
 * denial.
 *
 * <p>Login, sign-up, error pages, the password reset/forgot flows and static
 * assets are public; every other request needs ROLE_USER. CSRF protection is
 * disabled, so the login and logout endpoints are not token-checked.
 *
 * @param http A {@link HttpSecurity}. It is similar to Spring Security's XML
 *             {@code http} element in the namespace configuration.
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    String[] publicPaths = {
        "/login", "/signup", "/error/**", "/reset-password/**",
        "/forgot-password/**", "/js/**", "/img/**", "/css/**"
    };

    http.authorizeRequests()
            .antMatchers(publicPaths).permitAll()
            .anyRequest().access("hasRole('ROLE_USER')");

    http.formLogin()
            .loginPage("/login")
            .failureUrl("/login?error=true")
            .passwordParameter("password")
            .usernameParameter("username")
            .loginProcessingUrl("/login-submit")
            .defaultSuccessUrl("/");

    http.csrf().disable();

    http.logout()
            .invalidateHttpSession(true)
            .logoutUrl("/logout-success");

    http.rememberMe()
            .key(this.configSystem.getRememberMeKey())
            .rememberMeServices(this.rememberMeServices());

    http.exceptionHandling()
            .accessDeniedHandler(this.accessDeniedHandler);
}