List of usage examples for org.springframework.security.config.annotation.web.builders HttpSecurity csrf
public CsrfConfigurer<HttpSecurity> csrf() throws Exception
From source file:de.knightsoftnet.validationexample.server.spring.WebSecurityConfig.java
/** * configure security settings./*ww w. j ava 2s . c om*/ * * @param phttp http security */ @Override protected void configure(final HttpSecurity phttp) throws Exception { // NOPMD // csrf/xsrf protection phttp.csrf().csrfTokenRepository(this.csrfTokenRepository()) // .and().addFilterAfter(this.csrfHeaderFilter(), CsrfFilter.class) // .authorizeRequests() // // services without authentication .antMatchers(AppResourcePaths.PHONE_NUMBER, // AppResourcePaths.POSTAL_ADDRESS, // AppResourcePaths.SEPA, // PhoneNumber.ROOT + "/**") // .permitAll() // // all other requests need authentication .anyRequest().authenticated() // // handle not allowed access, delegate to authentication entry poing .and() // .exceptionHandling() // .authenticationEntryPoint(this.authenticationEntryPoint) // // login form handling .and() // .formLogin() // .permitAll().loginProcessingUrl(LOGIN_PATH) // .usernameParameter(Parameters.USERNAME) // .passwordParameter(Parameters.PASSWORD) // .successHandler(this.authSuccessHandler) // .failureHandler(this.authFailureHandler) // .and().logout().permitAll() // .logoutRequestMatcher(new AntPathRequestMatcher(LOGIN_PATH, "DELETE")) // .logoutSuccessHandler(this.logoutSuccessHandler) // .and() // .sessionManagement().maximumSessions(1); }
From source file:it.reply.orchestrator.config.security.WebSecurityConfig.java
@Override public void configure(HttpSecurity http) throws Exception { if (oidcProperties.isEnabled()) { http.csrf().disable(); http.authorizeRequests().anyRequest().fullyAuthenticated().anyRequest() .access("#oauth2.hasScopeMatching('openid')").and().sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS); ResourceServerSecurityConfigurer configurer = new ResourceServerSecurityConfigurer(); configurer.setBuilder(http);/* w w w .j a v a 2s. c o m*/ configurer.tokenServices(applicationContext.getBean(ResourceServerTokenServices.class)); configurer.configure(http); // TODO Customize the authentication entry point in order to align the response body error // coming from the security filter chain to the ones coming from the REST controllers // see https://github.com/spring-projects/spring-security-oauth/issues/605 // configurer.authenticationEntryPoint(new CustomAuthenticationEntryPoint()); } else { super.configure(http); } }
From source file:br.com.hyperclass.snackbar.config.SecurityConfiguration.java
@Override public void configure(final HttpSecurity http) throws Exception { http.addFilter(preAuthenticationFilter()); http.addFilter(loginFilter());//from w w w . j a v a 2 s . c om http.addFilter(anonymousFilter()); http.csrf().disable(); http.authorizeRequests().antMatchers("/menu/**").hasRole("ADMIN").antMatchers("/stock/**").hasRole("ADMIN") .antMatchers("/order/**").permitAll().antMatchers("/cashier/**").authenticated().and().formLogin(); }
From source file:com.mysample.springbootsample.config.SecurityConfig.java
@Override protected void configure(HttpSecurity httpSecurity) throws Exception { // Security configuration for H2 console access // !!!! You MUST NOT use this configuration for PRODUCTION site !!!! httpSecurity.authorizeRequests().antMatchers("/console/**").permitAll(); httpSecurity.csrf().disable(); httpSecurity.headers().frameOptions().disable(); // static resources httpSecurity.authorizeRequests()/* ww w. ja v a 2 s . com*/ .antMatchers("/css/**", "/js/**", "/images/**", "/resources/**", "/webjars/**").permitAll(); httpSecurity.authorizeRequests().antMatchers("/signin").anonymous().anyRequest().authenticated().and() .formLogin().loginPage("/signin").loginProcessingUrl("/sign-in-process.html") .failureUrl("/signin?error").usernameParameter("username").passwordParameter("password") .defaultSuccessUrl("/admin/dashboard.html", true).and().logout().logoutSuccessUrl("/signin?logout"); httpSecurity.exceptionHandling().accessDeniedPage("/admin/dashboard.html"); httpSecurity.sessionManagement().invalidSessionUrl("/signin"); }
From source file:org.openmhealth.shim.Application.java
@Override protected void configure(HttpSecurity http) throws Exception { /**// w w w. j a va2 s. c o m * Allow full anonymous authentication. */ http.csrf().disable().authorizeRequests().anyRequest().permitAll(); }
From source file:fi.helsinki.opintoni.config.SAMLSecurityConfiguration.java
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); http.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class).exceptionHandling() .authenticationEntryPoint(authenticationEntryPoint); http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/error").permitAll() .antMatchers("/saml/**").permitAll().antMatchers("/redirect").permitAll() .antMatchers("/api/public/v1/**").permitAll().antMatchers("/api/admin/**") .access(Constants.ADMIN_ROLE_REQUIRED).antMatchers("/metrics/metrics/*") .access(securityUtils.getWhitelistedIpAccess()).anyRequest().authenticated(); }
From source file:de.kaiserpfalzEdv.office.ui.web.configuration.WebSecurityConfig.java
@Override protected void configure(HttpSecurity http) throws Exception { LOG.debug("Configuring HTTP Security: {}", http); // all requests are authenticated http.authorizeRequests().anyRequest().authenticated(); http.httpBasic();//from www . j ava 2s . c o m // Vaadin chokes if this filter is enabled, disable it! http.csrf().disable(); // TODO plumb custom HTTP 403 and 404 pages /* http.exceptionHandling().accessDeniedPage("/access?error"); */ }
From source file:org.opendatakit.configuration.TestBasicSecurityConfiguration.java
@Override protected void configure(HttpSecurity http) throws Exception { logger.info("Setting up authentication."); // We have a choice here; stateless OR enable sessions and use CSRF. http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); http.csrf().disable(); http.authorizeRequests().antMatchers("/*").permitAll(); http.authorizeRequests().antMatchers("/**").authenticated().and() .addFilterBefore(basicAuthenticationFilter(), AnonymousAuthenticationFilter.class); }
From source file:org.opendatakit.configuration.TestDigestSecurityConfiguration.java
@Override protected void configure(HttpSecurity http) throws Exception { logger.info("Setting up authentication."); // We have a choice here; stateless OR enable sessions and use CSRF. http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); http.csrf().disable(); http.authorizeRequests().antMatchers("/*").permitAll(); http.authorizeRequests().antMatchers("/**").authenticated().and() .addFilterBefore(basicAuthenticationFilter(), AnonymousAuthenticationFilter.class) .addFilter(digestAuthenticationFilter()); }
From source file:net.orpiske.tcs.service.config.SecurityConfig.java
@Override protected void configure(HttpSecurity http) throws Exception { /**//from w w w. j a v a 2s. c o m * Disabling CSRF because ... well ... because ... f**** you. I know it's good * but I need to research more about it. For now, I just want to get this site * up an running. * * Ref.: * http://spring.io/blog/2013/08/21/spring-security-3-2-0-rc1-highlights-csrf-protection/ */ http.csrf().disable(); http.authorizeRequests().antMatchers(HttpMethod.POST, "/domain/**").hasRole("USER").and().httpBasic(); http.authorizeRequests().antMatchers(HttpMethod.GET, "/domain/**").permitAll(); http.authorizeRequests().antMatchers(HttpMethod.POST, "/references/**").hasRole("USER").and().httpBasic(); http.authorizeRequests().antMatchers("/tagcloud/**", "/tagcloud/domain/**").permitAll(); }