List of usage examples for org.springframework.security.config.annotation.web.builders HttpSecurity csrf
public CsrfConfigurer<HttpSecurity> csrf() throws Exception
From source file:org.italiangrid.storm.webdav.spring.web.SecurityConfig.java
/**
 * Security configuration for the StoRM WebDAV endpoint.
 * <p>
 * Callers are authenticated by the VOMS authentication filter. Storage areas flagged as
 * anonymously readable grant their read permission to the anonymous principal. Authorization is
 * either switched off entirely ({@code serviceConfiguration.isAuthorizationDisabled()}) or
 * delegated to {@code accessDecisionManager()} plus the rules registered by {@code addAccessRules}.
 *
 * @param http the {@link HttpSecurity} builder supplied by Spring Security
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Collect a read permission for every storage area that allows anonymous reads.
    final List<GrantedAuthority> anonymousReadAuthorities = new ArrayList<GrantedAuthority>();
    for (StorageAreaInfo storageArea : saConfiguration.getStorageAreaInfo()) {
        if (!storageArea.anonymousReadEnabled()) {
            continue;
        }
        anonymousReadAuthorities.add(SAPermission.canRead(storageArea.name()));
    }

    // NOTE(review): CSRF protection is disabled for the whole endpoint. WebDAV clients do not
    // carry tokens, but a browser presenting a client certificate sends it automatically, so
    // state-changing methods (PUT/DELETE/MKCOL/...) stay triggerable cross-site from a browser
    // session — confirm whether browser access is in scope for this service.
    http.csrf().disable();

    final VOMSAuthenticationProvider vomsProvider = new VOMSAuthenticationProvider();
    http.authenticationProvider(vomsProvider);
    http.addFilter(buildVOMSAuthenticationFilter(vomsProvider));

    if (!anonymousReadAuthorities.isEmpty()) {
        http.anonymous().authorities(anonymousReadAuthorities);
    }

    if (serviceConfiguration.isAuthorizationDisabled()) {
        // NOTE(review): every request — anonymous ones included — is allowed; authentication
        // still runs but its outcome is never consulted.
        http.authorizeRequests().anyRequest().permitAll();
    } else {
        http.authorizeRequests().accessDecisionManager(accessDecisionManager());
        addAccessRules(http);
    }
}
From source file:com.hp.autonomy.frontend.find.idol.beanconfiguration.IdolSecurity.java
/**
 * Security configuration for the Find web application.
 * <p>
 * Unauthenticated requests under {@code /api/**} are answered with a bare 403; every other
 * unauthenticated request is redirected to the login page. Path rules are evaluated in
 * declaration order and anything not listed is denied. The final customisation step is
 * delegated to {@code idolSecurityCustomizer}.
 *
 * @param http the {@link HttpSecurity} builder supplied by Spring Security
 * @throws Exception propagated from the Spring Security builder API
 */
@SuppressWarnings("ProhibitedExceptionDeclared")
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Insertion order matters: the API matcher must be consulted before the catch-all.
    final LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPointsByMatcher = new LinkedHashMap<>();
    entryPointsByMatcher.put(new AntPathRequestMatcher("/api/**"), new Http403ForbiddenEntryPoint());
    entryPointsByMatcher.put(AnyRequestMatcher.INSTANCE,
            new LoginUrlAuthenticationEntryPoint(FindController.DEFAULT_LOGIN_PAGE));
    final AuthenticationEntryPoint delegatingEntryPoint =
            new DelegatingAuthenticationEntryPoint(entryPointsByMatcher);

    // NOTE(review): CSRF protection is switched off although this is a session-cookie, login-page
    // application. State-changing requests under /api/** become forgeable from another origin and
    // /logout is accepted via plain GET. Prefer keeping CSRF on and exempting only the endpoints
    // that genuinely cannot carry a token (csrf().ignoringAntMatchers(...)).
    http.csrf().disable();

    http.exceptionHandling()
            .authenticationEntryPoint(delegatingEntryPoint)
            .accessDeniedPage("/authentication-error");

    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl(FindController.DEFAULT_LOGIN_PAGE);

    http.authorizeRequests()
            .antMatchers(FindController.APP_PATH + "**").hasAnyRole(FindRole.USER.name())
            .antMatchers(FindController.CONFIG_PATH).hasRole(FindRole.CONFIG.name())
            .antMatchers("/api/public/**").hasRole(FindRole.USER.name())
            .antMatchers("/api/bi/**").hasRole(FindRole.BI.name())
            .antMatchers("/api/config/**").hasRole(FindRole.CONFIG.name())
            .antMatchers("/api/admin/**").hasRole(FindRole.ADMIN.name())
            .antMatchers(FindController.DEFAULT_LOGIN_PAGE).permitAll()
            .antMatchers(FindController.LOGIN_PATH).permitAll()
            .antMatchers("/").permitAll()
            .anyRequest().denyAll();

    // NOTE(review): defaultsDisabled() drops every default security header (Cache-Control,
    // X-Content-Type-Options, HSTS, ...) and only X-Frame-Options is re-enabled here. Unless
    // idolSecurityCustomizer adds them back, consider re-adding at least contentTypeOptions()
    // and cacheControl().
    http.headers().defaultsDisabled().frameOptions().sameOrigin();

    idolSecurityCustomizer.customize(http, authenticationManager());
}
From source file:de.chludwig.websec.saml2sp.springconfig.SamlSpringSecurityConfig.java
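/**
 * Defines the web based security configuration for the SAML service provider.
 * <p>
 * Unauthenticated requests are handed to the SAML entry point instead of an HTTP Basic
 * challenge; the local password login page is denied so that only SSO is offered. Path rules
 * are evaluated in declaration order.
 *
 * @param http allows configuring web based security for specific http requests
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic().authenticationEntryPoint(samlEntryPoint());

    // The IdP POSTs the SAMLResponse (and, by default, LogoutRequests) to endpoints under
    // /saml/** without a CSRF token, so those endpoints must be exempt. Previously CSRF
    // protection was disabled application-wide; scoping the exemption keeps the session-based
    // pages protected.
    // NOTE(review): with CSRF enabled Spring Security accepts /logout only via POST carrying the
    // token — check that templates/links do so (or use the SAML logout endpoint instead).
    http.csrf().ignoringAntMatchers("/saml/**");

    // Metadata generation is placed before channel processing; the SAML filter chain runs after
    // basic authentication so the entry point configured above is already in effect.
    http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
            .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);

    http.authorizeRequests()
            .antMatchers(PW_LOGIN_PAGE_PATH).denyAll() // don't offer local login form in SAML SSO scenario
            .antMatchers(START_PAGE_PATH).permitAll()
            .antMatchers(ERROR_PAGE_PATH).permitAll()
            .antMatchers("/saml/**").permitAll()
            .antMatchers(AUTHENTICATED_PAGE_PATH).authenticated()
            .antMatchers(ANONYMOUS_PAGE_PATH).anonymous()
            .antMatchers(USER_ROLE_PAGE_PATH).hasAuthority(RoleId.USER_ROLE_ID.getId())
            .antMatchers(ADMIN_ROLE_PAGE_PATH).hasAuthority(RoleId.ADMIN_ROLE_ID.getId())
            .anyRequest().authenticated();

    http.logout().logoutSuccessUrl("/");
}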
From source file:com.vdenotaris.spring.boot.security.saml.web.config.WebSecurityConfig.java
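/**
 * Defines the web based security configuration for the SAML service provider.
 * <p>
 * Unauthenticated requests are handed to the SAML entry point (IdP redirect) instead of an HTTP
 * Basic challenge; the root, the error page and the SAML endpoints are public, everything else
 * requires an authenticated user.
 *
 * @param http allows configuring web based security for specific http requests
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic().authenticationEntryPoint(samlEntryPoint());

    // The IdP POSTs the SAMLResponse (and, by default, LogoutRequests) to endpoints under
    // /saml/** without a CSRF token, so those endpoints must be exempt. Previously CSRF
    // protection was disabled application-wide; scoping the exemption keeps the session-based
    // pages protected.
    // NOTE(review): with CSRF enabled Spring Security accepts /logout only via POST carrying the
    // token — check that templates/links do so (or use the SAML logout endpoint instead).
    http.csrf().ignoringAntMatchers("/saml/**");

    http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
            .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);

    http.authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/error").permitAll()
            .antMatchers("/saml/**").permitAll()
            .anyRequest().authenticated();

    http.logout().logoutSuccessUrl("/");
}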
From source file:eu.trentorise.game.config.SecurityConfig.java
/**
 * Stateless security configuration for the game engine.
 * <p>
 * No HTTP session is ever created; each request is authenticated on its own via HTTP Basic.
 * Administrative paths require {@code ROLE_ADMIN}, {@code /api/**} is reserved for anonymous
 * callers, and CSRF protection is disabled so the console can POST without a token.
 *
 * @param http the {@link HttpSecurity} builder supplied by Spring Security
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // application never creates an http session
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    final String[] adminPaths = {
            "/gengine/**", "/console/**", "/model/**", "/data/**", "/exec/**", "/notification/**"
    };
    http.authorizeRequests().antMatchers(adminPaths).access("hasRole('ROLE_ADMIN')");
    http.httpBasic();

    // NOTE(review): anonymous() admits only unauthenticated callers — a request to /api/** that
    // carries (valid) Basic credentials is rejected. Confirm this is intended; permitAll() would
    // allow both. There is also no anyRequest() rule, so paths outside the lists above carry no
    // access constraint from this configuration.
    http.authorizeRequests().antMatchers("/api/**").anonymous();

    // disable csrf permits POST http call to DomainConsoleController without using csrf token
    // NOTE(review): defensible for a stateless Basic-auth API, but browsers replay cached Basic
    // credentials automatically, so a browser user who has authenticated can still be made to
    // POST cross-site.
    http.csrf().disable();
}
From source file:ch.wisv.areafiftylan.security.SecurityConfiguration.java
/**
 * Main security configuration.
 * <p>
 * Login is a POST to {@code /login} with username and password fields; the injected success and
 * failure handlers produce the response. Logout is a request to {@code /logout}. Unauthenticated
 * requests to protected resources are answered by {@code authenticationEntryPoint} (a 401).
 * <p>
 * CSRF protection stays enabled (the Spring default) and is narrowed in two ways: the custom
 * {@code csrfRequestMatcher} decides which requests need a token at all (requests carrying a
 * valid API token are excluded), and a small set of endpoints that receive requests from outside
 * a browser session are ignored outright.
 * <p>
 * URL-based permissions are only used for the login-related endpoints; everything else is
 * expected to be guarded by method-level security.
 *
 * @param http the {@link HttpSecurity} builder supplied by Spring Security
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);

    http.formLogin()
            .loginProcessingUrl("/login")
            .successHandler(authenticationSuccessHandler)
            .failureHandler(authenticationFailureHandler);
    http.logout().logoutUrl("/logout");

    // Exemptions from CSRF checks. Ignore patterns accumulate, so one varargs call is equivalent
    // to three separate ignoringAntMatchers(...) calls:
    //  - /orders/status         payment-provider (Mollie) webhook, not a browser request
    //  - /token                 token issuance for API clients
    //  - /requestResetPassword  unauthenticated password-reset request
    // NOTE(review): an ignored webhook endpoint is reachable by anyone; the handler should verify
    // the notification against the provider rather than trust the posted body — confirm.
    http.csrf()
            .requireCsrfProtectionMatcher(csrfRequestMatcher)
            .ignoringAntMatchers("/orders/status", "/token", "/requestResetPassword");

    // Copies the CSRF token into the X-CSRF-TOKEN response header so JavaScript clients can echo
    // it back; runs right after CsrfFilter has made the token available.
    http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);
    // Token-based authentication for API clients, evaluated after the form-login filter.
    http.addFilterAfter(new TokenAuthenticationFilter(authenticationTokenRepository),
            UsernamePasswordAuthenticationFilter.class);
}
From source file:com.marklogic.samplestack.mock.MockApplicationSecurity.java
/**
 * Mock-profile security rules. Mirrors {@code ApplicationSecurity#configure(HttpSecurity)};
 * keep the two in sync.
 * <p>
 * Rules are evaluated in declaration order: GET on session/questions/tags and POST /search are
 * open to everyone, other question/contributor endpoints require a login, anything else is denied.
 *
 * @param http the {@link HttpSecurity} builder supplied by Spring Security
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers(HttpMethod.GET, "/session", "/questions/**", "/tags/**").permitAll()
            .antMatchers(HttpMethod.POST, "/search").permitAll()
            .antMatchers("/questions/**", "/contributors/**").authenticated()
            .anyRequest().denyAll();

    // Login/logout outcomes are produced by the injected handlers.
    http.formLogin()
            .failureHandler(failureHandler)
            .successHandler(successHandler)
            .permitAll();
    http.logout()
            .logoutSuccessHandler(logoutSuccessHandler)
            .permitAll();

    // NOTE(review): CSRF is disabled while form login keeps a session cookie, so authenticated
    // state-changing calls to /questions/** and /contributors/** are forgeable from another
    // origin. Prefer keeping CSRF on and exempting only what cannot carry a token.
    http.csrf().disable();

    http.exceptionHandling()
            .authenticationEntryPoint(entryPoint)
            .accessDeniedHandler(samplestackAccessDeniedHandler);
}
From source file:com.marklogic.samplestack.security.ApplicationSecurity.java
/**
 * Standard Spring Security hook for building the endpoint security rules.
 * <p>
 * Rules are evaluated in declaration order: GET on session/questions/tags and POST /search are
 * open to everyone, other question/contributor endpoints require a login, anything else is denied.
 * {@code MockApplicationSecurity#configure(HttpSecurity)} duplicates this method; keep the two
 * in sync.
 *
 * @param http security object provided by the framework
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers(HttpMethod.GET, "/session", "/questions/**", "/tags/**").permitAll()
            .antMatchers(HttpMethod.POST, "/search").permitAll()
            .antMatchers("/questions/**", "/contributors/**").authenticated()
            .anyRequest().denyAll();

    // Login/logout outcomes are produced by the injected handlers.
    http.formLogin()
            .failureHandler(failureHandler)
            .successHandler(successHandler)
            .permitAll();
    http.logout()
            .logoutSuccessHandler(logoutSuccessHandler)
            .permitAll();

    // NOTE(review): CSRF is disabled while form login keeps a session cookie, so authenticated
    // state-changing calls to /questions/** and /contributors/** are forgeable from another
    // origin. Prefer keeping CSRF on and exempting only what cannot carry a token.
    http.csrf().disable();

    http.exceptionHandling()
            .authenticationEntryPoint(entryPoint)
            .accessDeniedHandler(samplestackAccessDeniedHandler);
}
From source file:com.naveen.demo.config.Saml2SSOConfig.java
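/**
 * Defines the web based security configuration for the SAML demo.
 * <p>
 * Static resources and the login pages are public; unauthenticated requests are handed to the
 * SAML entry point instead of an HTTP Basic challenge.
 *
 * @param http allows configuring web based security for specific http requests
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/js/**", "/libs/**", "/login**").permitAll();
    http.httpBasic().authenticationEntryPoint(samlEntryPoint());

    // The IdP POSTs the SAMLResponse (and, by default, LogoutRequests) to endpoints under
    // /saml/** without a CSRF token, so those endpoints must be exempt. Previously CSRF
    // protection was disabled application-wide; scoping the exemption keeps every other
    // session-based POST protected.
    http.csrf().ignoringAntMatchers("/saml/**");

    http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
            .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);

    // NOTE(review): http.antMatcher(...) scopes this ENTIRE filter chain — including the SAML
    // filters added above — to requests matching /login/**. Unless another chain covers them,
    // /saml/SSO and the other SAML endpoints never reach samlFilter(). If the intent was only to
    // protect /login/**, the usual form is authorizeRequests().antMatchers("/login/**")... ;
    // the previously commented-out rule set (/, /error and /saml/** permitAll, anyRequest()
    // authenticated) describes the conventional configuration.
    http.antMatcher("/login/**").authorizeRequests().anyRequest().authenticated();

    http.logout().logoutSuccessUrl("/");
}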
From source file:io.syndesis.runtime.SecurityConfiguration.java
/**
 * Security rules for the Syndesis REST API.
 * <p>
 * The application is stateless: no HTTP session is created, and callers are authenticated per
 * request by {@code requestHeaderAuthenticationFilter()} (pre-authentication from a request
 * header); requests without it fall back to the anonymous filter. Rules are evaluated in
 * declaration order: OPTIONS requests (e.g. CORS preflight) and a few discovery endpoints are
 * open, the rest of {@code /api/v1/**} requires the AUTHENTICATED role, and everything outside
 * the API is open.
 *
 * @param http the {@link HttpSecurity} builder supplied by Spring Security
 * @throws Exception propagated from the Spring Security builder API
 */
@Override
@SuppressWarnings("PMD.SignatureDeclareThrowsException")
protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // NOTE(review): header-based pre-authentication is only as strong as the guarantee that
    // clients cannot set the header themselves; the fronting proxy must overwrite or strip it on
    // every inbound request — confirm in the deployment.
    http.addFilter(requestHeaderAuthenticationFilter());
    http.addFilter(new AnonymousAuthenticationFilter("anonymous"));

    http.authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS).permitAll()
            .antMatchers("/api/v1/swagger.*").permitAll()
            .antMatchers("/api/v1/index.html").permitAll()
            .antMatchers("/api/v1/version").permitAll()
            .antMatchers(HttpMethod.GET, "/api/v1/credentials/callback").permitAll()
            .antMatchers("/api/v1/**").hasRole("AUTHENTICATED")
            .anyRequest().permitAll();

    // With no session cookie there is nothing for a cross-site request to ride on, so CSRF
    // protection is turned off. NOTE(review): this holds only while authentication never relies
    // on something the browser attaches automatically (cookies, client certificates).
    http.csrf().disable();
}