Example usage for org.springframework.security.config.annotation.web.builders HttpSecurity csrf

List of usage examples for org.springframework.security.config.annotation.web.builders HttpSecurity csrf

  1. HOME
  2. Java
  3. org.springframework
  4. org.springframework.security.config.annotation.web.builders.*
  5. HttpSecurity
  6. csrf

Introduction

In this page you can find the example usage for org.springframework.security.config.annotation.web.builders HttpSecurity csrf.

Prototype

public CsrfConfigurer<HttpSecurity> csrf() throws Exception

Source Link

Document

Adds CSRF support.

Usage

From source file:hu.fnf.devel.wishbox.gateway.SecurityConfiguration.java

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().anyRequest().fullyAuthenticated();

    http.httpBasic();// w  w  w.ja  v  a  2 s .c om

    http.csrf().disable();
}

From source file:org.appverse.web.framework.backend.frontfacade.rest.authentication.basic.configuration.AppverseWebHttpBasicConfigurerAdapter.java

/**
 * CSRF is enabled by default. The authentication endopoints (login) does
 * not check CSRF (as it is the first request - you will not have a token
 * yet). After the login you will be able to retrieve the CSRF token from
 * the response header and use it in the next requests.
 *
 * Take into account that CSRF using HttpSessionCsrfRepository (default)
 * always implies to have a technical session (this does not mean you need
 * to make your services stateful. It is very well explained in Spring
 * documentation: Next paragraf if taken from:
 * http://docs.spring.io/spring-security
 * /site/docs/current/reference/htmlsingle/#csrf (Section "Loggin In": "In
 * order to protect against forging log in requests the log in form should
 * be protected against CSRF attacks too. Since the CsrfToken is stored in
 * HttpSession, this means an HttpSession will be created as soon as
 * CsrfToken token attribute is accessed. While this sounds bad in a RESTful
 * / stateless architecture the reality is that state is necessary to
 * implement practical security. Without state, we have nothing we can do if
 * a token is compromised. Practically speaking, the CSRF token is quite
 * small in size and should have a negligible impact on our architecture."
 *///from w  w  w  . j  a  v  a  2 s  . c om
@Override
protected void configure(HttpSecurity http) throws Exception {
    if (securityEnableCsrf) {
        http.csrf().requireCsrfProtectionMatcher(new CsrfSecurityRequestMatcher());
    } else
        http.csrf().disable();

    http.authorizeRequests().antMatchers(baseApiPath + basicAuthenticationEndpointPath).permitAll()
            .antMatchers(baseApiPath + simpleAuthenticationEndpointPath).permitAll()
            .antMatchers(baseApiPath + "/**").fullyAuthenticated().antMatchers("/").permitAll().and().logout()
            .logoutUrl(basicAuthenticationLogoutEndpointPath)
            .logoutSuccessHandler(new SimpleNoRedirectLogoutSucessHandler()).permitAll().and().httpBasic().and()
            .sessionManagement().sessionFixation().newSession();
}

From source file:org.moserp.common.security.TestSecurityConfiguration.java

@Override
protected void configure(HttpSecurity http) throws Exception {
    NegatedRequestMatcher matcher = new NegatedRequestMatcher(new AntPathRequestMatcher("/login", "POST"));
    http.csrf().disable().authorizeRequests().requestMatchers(matcher).authenticated().and().httpBasic();
}

From source file:shiver.me.timbers.spring.security.integration.JwtAnnotationSecurityConfiguration.java

@Override
protected final void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(STATELESS);
    http.antMatcher("/jwt/**");
    http.csrf().disable();
    http.authorizeRequests().antMatchers("/jwt/one").access("hasRole('ONE')").antMatchers("/jwt/two")
            .access("hasRole('TWO')").anyRequest().authenticated();
    http.formLogin().successHandler(new NoRedirectAuthenticationSuccessHandler()).loginPage("/jwt/signIn")
            .permitAll();/* w  w  w .  ja  v a 2  s  .c o  m*/
    http.logout().logoutUrl("/jwt/signOut").logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler());
    http.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint());
}

From source file:com.wiiyaya.consumer.web.initializer.config.SecurityConfig.java

private void configCsrf(HttpSecurity http) throws Exception {
    http.csrf().ignoringAntMatchers(ConfigURIResource.PATH_LOGIN);
}

From source file:com.devnexus.ting.config.WebSecurityConfig.java

@Override
protected void configure(HttpSecurity http) throws Exception {
    HttpSecurity httpSecurity = http.csrf().disable() //TODO Refactor login form
            .authorizeRequests().antMatchers("/s/admin/cfp**")
            .hasAnyAuthority("ROLE_ADMIN", "ROLE_CFP_REVIEWER", "ROLE_APP_USER").and().authorizeRequests()
            .antMatchers("/s/admin/index").hasAnyAuthority("ROLE_ADMIN", "ROLE_CFP_REVIEWER", "ROLE_APP_USER")
            .and().authorizeRequests().antMatchers("/s/admin/**").hasAnyAuthority("ROLE_ADMIN", "ROLE_APP_USER")
            .and().authorizeRequests()// w w w  .j  av  a2  s. c o m
            .antMatchers("/s/cfp/index**", "/s/cfp/speaker**", "/s/cfp/abstract**", "/s/cfp/add-cfp-success**",
                    "/s/cfp/speaker/**")
            .hasAnyAuthority("ROLE_ADMIN", "ROLE_APP_USER").and().authorizeRequests().antMatchers("/**")
            .permitAll().anyRequest().anonymous().and().logout().logoutSuccessUrl("/s/index")
            .logoutUrl("/s/logout").permitAll().and();

    if (environment.getRequiredProperty("server.ssl.enabled", Boolean.class)) {
        httpSecurity = httpSecurity.requiresChannel().antMatchers("/s/admin/**").requiresSecure().and();
        httpSecurity = httpSecurity.requiresChannel().antMatchers("/s/cfp/**").requiresSecure().and();
    }

    final RoleAwareSimpleUrlAuthenticationSuccessHandler successHandler = new RoleAwareSimpleUrlAuthenticationSuccessHandler();
    successHandler.setUseReferer(false);
    successHandler.setTargetUrlParameter("target");
    successHandler.setDefaultTargetUrl("/s/admin/index");

    httpSecurity.formLogin().loginProcessingUrl("/s/login").loginPage("/s/login")
            .failureUrl("/s/login?status=error").successHandler(successHandler).permitAll();

    http.apply(new SpringSocialConfigurer().postLoginUrl("/s/cfp/index"));
}

From source file:com.chortitzer.web.WebSecurityConfig.java

@Override
protected void configure(HttpSecurity http) throws Exception {

    // Have to disable it for POST methods:
    // http://stackoverflow.com/a/20608149/1199132
    http.csrf().disable();

    // Logout and redirection:
    // http://stackoverflow.com/a/24987207/1199132
    http.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).invalidateHttpSession(true)
            .logoutSuccessUrl("/login.xhtml");

    http.authorizeRequests()/*from  w  w w .  j  av  a2  s. c  o m*/
            // Some filters enabling url regex:
            // http://stackoverflow.com/a/8911284/1199132
            .regexMatchers("\\A/page1.xhtml\\?param1=true\\Z", "\\A/page2.xhtml.*").permitAll()
            //Permit access for all to error and denied views
            .antMatchers("/500.xhtml", "/denied.xhtml").permitAll()
            // Only access with admin role
            .antMatchers("/admin/**").hasRole("ADMIN")
            //Permit access only for some roles
            .antMatchers("/usi/**").hasAnyRole("ADMIN", "energia")
            //If user doesn't have permission, forward him to login page
            .and().formLogin().loginPage("/login.xhtml").loginProcessingUrl("/login")
            .defaultSuccessUrl("/index.xhtml").and().exceptionHandling().accessDeniedPage("/denied.xhtml");
}

From source file:cn.org.once.cstack.config.SecurityConfiguration.java

/**
 * Protection CSRF is not necessary to CI
 *
 * @param http/*  w  w w . j  av a 2  s. c o m*/
 * @throws Exception
 */
@Profile("test")
private void disableProtectionCRSF(HttpSecurity http) throws Exception {
    http.csrf().disable();
}

From source file:com.toptal.conf.SecurityConfiguration.java

@Override
protected final void configure(final HttpSecurity http) throws Exception {
    final String format = "%s/*";
    http.csrf().disable();
    http.httpBasic();//from   w w w  .ja  va 2 s . c  o  m
    http.authorizeRequests().antMatchers(HttpMethod.POST, SignupController.PATH).anonymous()
            .antMatchers(UserController.PATH).hasRole(Role.ROLE_MANAGER.text())
            .antMatchers(String.format(format, UserController.PATH)).hasRole(Role.ROLE_MANAGER.text())
            .antMatchers(EntryController.PATH).hasRole(Role.ROLE_USER.text())
            .antMatchers(String.format(format, EntryController.PATH)).hasRole(Role.ROLE_USER.text());
}

From source file:shiver.me.timbers.spring.security.integration.JwtApplySecurityConfiguration.java

@Override
protected final void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(STATELESS);
    http.apply(jwt());//w  ww .j ava2  s. c  o  m
    http.antMatcher("/jwt/**");
    http.csrf().disable();
    http.authorizeRequests().antMatchers("/jwt/one").access("hasRole('ONE')").antMatchers("/jwt/two")
            .access("hasRole('TWO')").anyRequest().authenticated();
    http.formLogin().successHandler(new NoRedirectAuthenticationSuccessHandler()).loginPage("/jwt/signIn")
            .permitAll();
    http.logout().logoutUrl("/jwt/signOut").logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler());
    http.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint());
}