Example usage for org.springframework.security.config.annotation.web.builders HttpSecurity csrf

List of usage examples for org.springframework.security.config.annotation.web.builders HttpSecurity csrf

  1. HOME
  2. Java
  3. org.springframework
  4. org.springframework.security.config.annotation.web.builders.*
  5. HttpSecurity
  6. csrf

Introduction

In this page you can find the example usage for org.springframework.security.config.annotation.web.builders HttpSecurity csrf.

Prototype

public CsrfConfigurer<HttpSecurity> csrf() throws Exception

Source Link

Document

Adds CSRF support.

Usage

From source file:com.sothawo.taboo2.SecurityConfig.java

@Override
protected void configure(HttpSecurity http) throws Exception {
    boolean requireSsl = securityProperties.isRequireSsl();
    boolean basicEnabled = securityProperties.getBasic().isEnabled();
    log.debug("configuring http, requires ssl: {}, basic authentication: {}", requireSsl, basicEnabled);
    if (requireSsl) {
        http.requiresChannel().anyRequest().requiresSecure();
    }//from   w w w. j  av  a  2  s.c  om
    if (basicEnabled) {
        // authentication for the taboo2 service only, the app itself doesn't need use it to display it's own login
        // form.
        http.authorizeRequests().antMatchers("/taboo2/**").authenticated().anyRequest().permitAll();
    }
    http.httpBasic().realmName("taboo2");
    http.csrf().disable();
}

From source file:com.netflix.genie.web.security.saml.SAMLConfig.java

/**
 * Defines the web based security configuration.
 *
 * @param http It allows configuring web based security for specific http requests.
 * @throws Exception on any error//w w w. j  av a 2s .c o m
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // @formatter:off
    http.httpBasic().authenticationEntryPoint(samlEntryPoint());
    http.csrf().disable();
    http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class).addFilterAfter(samlFilter(),
            BasicAuthenticationFilter.class);
    http.antMatcher("/**").authorizeRequests().antMatchers("/actuator/**").permitAll().antMatchers("/api/**")
            .permitAll().antMatchers("/error").permitAll().antMatchers("/saml/**").permitAll().anyRequest()
            .authenticated().and().x509().authenticationUserDetailsService(this.x509UserDetailsService);
    http.logout().logoutSuccessUrl("/");
    // @formatter:on
}

From source file:com.netflix.genie.security.saml.SAMLConfig.java

/**
 * Defines the web based security configuration.
 *
 * @param http It allows configuring web based security for specific http requests.
 * @throws Exception on any error/*  w ww.  jav a  2  s  .com*/
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // @formatter:off
    http.httpBasic().authenticationEntryPoint(samlEntryPoint());
    http.csrf().disable();
    http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class).addFilterAfter(samlFilter(),
            BasicAuthenticationFilter.class);
    http.antMatcher("/**").authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
            .antMatchers("/api/**").permitAll().antMatchers("/error").permitAll().antMatchers("/saml/**")
            .permitAll().anyRequest().authenticated().and().x509()
            .authenticationUserDetailsService(this.x509UserDetailsService);
    http.logout().logoutSuccessUrl("/");
    // @formatter:on
}

From source file:com.esquema.seguridad.ApplicationSecurity.java

@Override
protected void configure(HttpSecurity http) throws Exception {

    /* Inicio/*from w w  w.  java2 s .c  o m*/
     *********************** Manejo de sesin y autenticacin **************************************/
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests()
            .antMatchers("/esquema/**").fullyAuthenticated().and().httpBasic();
    //.formLogin();
    /********************** Manejo de sesin y autenticacin ***************************************
    * Fin */

    /* Inicio
     *********************** Manejo de sesin y autenticacin **************************************/
    http.authorizeRequests().antMatchers("/").permitAll().and().authorizeRequests()
            .antMatchers("/h2/**", "/H2/**").permitAll();
    http.csrf().disable();
    http.headers().frameOptions().disable();
    /********************** Manejo de sesin y autenticacin ***************************************
    * Fin */

    /* Inicio
     *********************** Hace que el request sea solo por HTTPS **************************************
    http
        .requiresChannel().antMatchers("/escribe tu ruta aqu/**").requiresSecure();
    http.csrf().disable();
    /********************** Hace que el request sea solo por HTTPS ***************************************
    * Fin */

}

From source file:org.openlmis.notification.ResourceServerSecurityConfiguration.java

@Override
public void configure(HttpSecurity http) throws Exception {
    http.addFilterAfter(new OncePerRequestFilter() {
        @Override/*ww w  .  j  a  va2s. co m*/
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            // We don't want to allow access to a resource with no token so clear
            // the security context in case it is actually an OAuth2Authentication
            if (tokenExtractor.extract(request) == null) {
                SecurityContextHolder.clearContext();
            }
            filterChain.doFilter(request, response);
        }
    }, AbstractPreAuthenticatedProcessingFilter.class);
    http.csrf().disable();

    http.anonymous().and().authorizeRequests()
            .antMatchers("/notification", "/webjars/**", "/notification/webjars/**", "/notification/docs/**")
            .permitAll().antMatchers("/**").fullyAuthenticated();
}

From source file:org.openlmis.fulfillment.security.ResourceServerSecurityConfiguration.java

@Override
public void configure(HttpSecurity http) throws Exception {
    http.addFilterAfter(new OncePerRequestFilter() {
        @Override/*w  w w.  j  ava  2s .c  o m*/
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            // We don't want to allow access to a resource with no token so clear
            // the security context in case it is actually an OAuth2Authentication
            if (tokenExtractor.extract(request) == null) {
                SecurityContextHolder.clearContext();
            }
            filterChain.doFilter(request, response);
        }
    }, AbstractPreAuthenticatedProcessingFilter.class);
    http.csrf().disable();

    http.authorizeRequests()
            .antMatchers("/fulfillment", "/webjars/**", "/fulfillment/webjars/**", "/fulfillment/docs/**")
            .permitAll().antMatchers("/**").fullyAuthenticated();
}

From source file:it.infn.mw.iam.config.saml.SamlConfig.java

@Override
protected void configure(HttpSecurity http) throws Exception {
    String pattern = "/saml/**";

    http.antMatcher(pattern);//  w w  w. j a  v a2 s .c  o m

    http.csrf().ignoringAntMatchers(pattern);

    http.authorizeRequests().antMatchers(pattern).permitAll();

    http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class).addFilterAfter(samlFilter(),
            BasicAuthenticationFilter.class);
}

From source file:eu.eidas.sp.CsrfSecurityConfig.java

@Override
protected void configure(HttpSecurity http) throws Exception {

    // Build the request matcher for CSFR protection
    RequestMatcher csrfRequestMatcher = new RequestMatcher() {

        // Disable CSFR protection on the following urls:
        private AntPathRequestMatcher[] requestMatchers = { new AntPathRequestMatcher("/respeidas", "POST"),
                new AntPathRequestMatcher("/mdeidas", "GET") };

        @Override//  w  w w  .  j  a v  a2  s .  co  m
        public boolean matches(HttpServletRequest request) {
            // If the request match one url the CSFR protection will be disabled
            for (AntPathRequestMatcher rm : requestMatchers) {
                if (rm.matches(request)) {
                    return false;
                }
            }
            return true;
        } // method matches

    }; // new RequestMatcher

    // Set security configurations
    http
            // Disable the csrf protection on some request matches
            .csrf().disable();
    //.requireCsrfProtectionMatcher(csrfRequestMatcher).and();
}

From source file:io.syndesis.runtime.KeycloakConfiguration.java

@Override
@SuppressWarnings("PMD.SignatureDeclareThrowsException")
protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .sessionAuthenticationStrategy(sessionAuthenticationStrategy()).and()
            .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
            .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
            .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint()).and().authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS).permitAll().antMatchers("/api/v1/swagger.*").permitAll()
            .antMatchers("/api/v1/index.html").permitAll()
            .antMatchers(HttpMethod.GET, "/api/v1/credentials/callback").permitAll().antMatchers("/api/v1/**")
            .authenticated().antMatchers("/api/setup").authenticated().anyRequest().permitAll();

    http.csrf().disable();
}