List of usage examples for org.springframework.security.config.annotation.web.builders HttpSecurity csrf
public CsrfConfigurer<HttpSecurity> csrf() throws Exception
From source file:hu.fnf.devel.wishbox.gateway.SecurityConfiguration.java
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().anyRequest().fullyAuthenticated(); http.httpBasic();// w w w.ja v a 2 s .c om http.csrf().disable(); }
From source file:org.appverse.web.framework.backend.frontfacade.rest.authentication.basic.configuration.AppverseWebHttpBasicConfigurerAdapter.java
/** * CSRF is enabled by default. The authentication endopoints (login) does * not check CSRF (as it is the first request - you will not have a token * yet). After the login you will be able to retrieve the CSRF token from * the response header and use it in the next requests. * * Take into account that CSRF using HttpSessionCsrfRepository (default) * always implies to have a technical session (this does not mean you need * to make your services stateful. It is very well explained in Spring * documentation: Next paragraf if taken from: * http://docs.spring.io/spring-security * /site/docs/current/reference/htmlsingle/#csrf (Section "Loggin In": "In * order to protect against forging log in requests the log in form should * be protected against CSRF attacks too. Since the CsrfToken is stored in * HttpSession, this means an HttpSession will be created as soon as * CsrfToken token attribute is accessed. While this sounds bad in a RESTful * / stateless architecture the reality is that state is necessary to * implement practical security. Without state, we have nothing we can do if * a token is compromised. Practically speaking, the CSRF token is quite * small in size and should have a negligible impact on our architecture." *///from w w w . j a v a 2 s . c om @Override protected void configure(HttpSecurity http) throws Exception { if (securityEnableCsrf) { http.csrf().requireCsrfProtectionMatcher(new CsrfSecurityRequestMatcher()); } else http.csrf().disable(); http.authorizeRequests().antMatchers(baseApiPath + basicAuthenticationEndpointPath).permitAll() .antMatchers(baseApiPath + simpleAuthenticationEndpointPath).permitAll() .antMatchers(baseApiPath + "/**").fullyAuthenticated().antMatchers("/").permitAll().and().logout() .logoutUrl(basicAuthenticationLogoutEndpointPath) .logoutSuccessHandler(new SimpleNoRedirectLogoutSucessHandler()).permitAll().and().httpBasic().and() .sessionManagement().sessionFixation().newSession(); }
From source file:org.moserp.common.security.TestSecurityConfiguration.java
@Override protected void configure(HttpSecurity http) throws Exception { NegatedRequestMatcher matcher = new NegatedRequestMatcher(new AntPathRequestMatcher("/login", "POST")); http.csrf().disable().authorizeRequests().requestMatchers(matcher).authenticated().and().httpBasic(); }
From source file:shiver.me.timbers.spring.security.integration.JwtAnnotationSecurityConfiguration.java
@Override protected final void configure(HttpSecurity http) throws Exception { http.sessionManagement().sessionCreationPolicy(STATELESS); http.antMatcher("/jwt/**"); http.csrf().disable(); http.authorizeRequests().antMatchers("/jwt/one").access("hasRole('ONE')").antMatchers("/jwt/two") .access("hasRole('TWO')").anyRequest().authenticated(); http.formLogin().successHandler(new NoRedirectAuthenticationSuccessHandler()).loginPage("/jwt/signIn") .permitAll();/* w w w . ja v a 2 s .c o m*/ http.logout().logoutUrl("/jwt/signOut").logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()); http.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint()); }
From source file:com.wiiyaya.consumer.web.initializer.config.SecurityConfig.java
private void configCsrf(HttpSecurity http) throws Exception { http.csrf().ignoringAntMatchers(ConfigURIResource.PATH_LOGIN); }
From source file:com.devnexus.ting.config.WebSecurityConfig.java
@Override protected void configure(HttpSecurity http) throws Exception { HttpSecurity httpSecurity = http.csrf().disable() //TODO Refactor login form .authorizeRequests().antMatchers("/s/admin/cfp**") .hasAnyAuthority("ROLE_ADMIN", "ROLE_CFP_REVIEWER", "ROLE_APP_USER").and().authorizeRequests() .antMatchers("/s/admin/index").hasAnyAuthority("ROLE_ADMIN", "ROLE_CFP_REVIEWER", "ROLE_APP_USER") .and().authorizeRequests().antMatchers("/s/admin/**").hasAnyAuthority("ROLE_ADMIN", "ROLE_APP_USER") .and().authorizeRequests()// w w w .j av a2 s. c o m .antMatchers("/s/cfp/index**", "/s/cfp/speaker**", "/s/cfp/abstract**", "/s/cfp/add-cfp-success**", "/s/cfp/speaker/**") .hasAnyAuthority("ROLE_ADMIN", "ROLE_APP_USER").and().authorizeRequests().antMatchers("/**") .permitAll().anyRequest().anonymous().and().logout().logoutSuccessUrl("/s/index") .logoutUrl("/s/logout").permitAll().and(); if (environment.getRequiredProperty("server.ssl.enabled", Boolean.class)) { httpSecurity = httpSecurity.requiresChannel().antMatchers("/s/admin/**").requiresSecure().and(); httpSecurity = httpSecurity.requiresChannel().antMatchers("/s/cfp/**").requiresSecure().and(); } final RoleAwareSimpleUrlAuthenticationSuccessHandler successHandler = new RoleAwareSimpleUrlAuthenticationSuccessHandler(); successHandler.setUseReferer(false); successHandler.setTargetUrlParameter("target"); successHandler.setDefaultTargetUrl("/s/admin/index"); httpSecurity.formLogin().loginProcessingUrl("/s/login").loginPage("/s/login") .failureUrl("/s/login?status=error").successHandler(successHandler).permitAll(); http.apply(new SpringSocialConfigurer().postLoginUrl("/s/cfp/index")); }
From source file:com.chortitzer.web.WebSecurityConfig.java
@Override protected void configure(HttpSecurity http) throws Exception { // Have to disable it for POST methods: // http://stackoverflow.com/a/20608149/1199132 http.csrf().disable(); // Logout and redirection: // http://stackoverflow.com/a/24987207/1199132 http.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).invalidateHttpSession(true) .logoutSuccessUrl("/login.xhtml"); http.authorizeRequests()/*from w w w . j av a2 s. c o m*/ // Some filters enabling url regex: // http://stackoverflow.com/a/8911284/1199132 .regexMatchers("\\A/page1.xhtml\\?param1=true\\Z", "\\A/page2.xhtml.*").permitAll() //Permit access for all to error and denied views .antMatchers("/500.xhtml", "/denied.xhtml").permitAll() // Only access with admin role .antMatchers("/admin/**").hasRole("ADMIN") //Permit access only for some roles .antMatchers("/usi/**").hasAnyRole("ADMIN", "energia") //If user doesn't have permission, forward him to login page .and().formLogin().loginPage("/login.xhtml").loginProcessingUrl("/login") .defaultSuccessUrl("/index.xhtml").and().exceptionHandling().accessDeniedPage("/denied.xhtml"); }
From source file:cn.org.once.cstack.config.SecurityConfiguration.java
/** * Protection CSRF is not necessary to CI * * @param http/* w w w . j av a 2 s. c o m*/ * @throws Exception */ @Profile("test") private void disableProtectionCRSF(HttpSecurity http) throws Exception { http.csrf().disable(); }
From source file:com.toptal.conf.SecurityConfiguration.java
@Override protected final void configure(final HttpSecurity http) throws Exception { final String format = "%s/*"; http.csrf().disable(); http.httpBasic();//from w w w .ja va 2 s . c o m http.authorizeRequests().antMatchers(HttpMethod.POST, SignupController.PATH).anonymous() .antMatchers(UserController.PATH).hasRole(Role.ROLE_MANAGER.text()) .antMatchers(String.format(format, UserController.PATH)).hasRole(Role.ROLE_MANAGER.text()) .antMatchers(EntryController.PATH).hasRole(Role.ROLE_USER.text()) .antMatchers(String.format(format, EntryController.PATH)).hasRole(Role.ROLE_USER.text()); }
From source file:shiver.me.timbers.spring.security.integration.JwtApplySecurityConfiguration.java
@Override protected final void configure(HttpSecurity http) throws Exception { http.sessionManagement().sessionCreationPolicy(STATELESS); http.apply(jwt());//w ww .j ava2 s. c o m http.antMatcher("/jwt/**"); http.csrf().disable(); http.authorizeRequests().antMatchers("/jwt/one").access("hasRole('ONE')").antMatchers("/jwt/two") .access("hasRole('TWO')").anyRequest().authenticated(); http.formLogin().successHandler(new NoRedirectAuthenticationSuccessHandler()).loginPage("/jwt/signIn") .permitAll(); http.logout().logoutUrl("/jwt/signOut").logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()); http.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint()); }