List of usage examples for org.springframework.security.config.annotation.web.builders HttpSecurity headers
public HeadersConfigurer<HttpSecurity> headers() throws Exception
From source file:com.organization.projectname.config.WebSecurityConfig.java
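@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // Stateless, token-based API: the JWT is picked up by
    // authenticationTokenFilterBean() and no server-side session is created.
    // CSRF protection is switched off on that basis. NOTE(review): the
    // original comment called the token "invulnerable" — that is not the
    // reason this is safe. It is safe only while the token travels in a
    // request header the browser does not attach on its own; a cookie-borne
    // token would bring CSRF straight back. Confirm against the filter.
    httpSecurity
        .csrf().disable()
        .exceptionHandling().authenticationEntryPoint(unauthorizedHandler)
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
            // Static front-end resources are public (GET only).
            .antMatchers(HttpMethod.GET, "/", "/*.html", "/favicon.ico",
                         "/**/*.html", "/**/*.css", "/**/*.js").permitAll()
            // Token endpoint and API root are public.
            .antMatchers("/api/v1/auth").permitAll()
            .antMatchers("/api/v1/").permitAll()
            // Fix: the original matched only the exact path "/api/v1/admin".
            // Anything beneath it (e.g. "/api/v1/admin/users") fell through to
            // anyRequest().authenticated() and needed no ADMIN role. Cover the
            // subtree as well; the exact path is still included.
            .antMatchers("/api/v1/admin", "/api/v1/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated();

    // JWT filter takes the slot normally used by form/username-password login.
    httpSecurity.addFilterBefore(authenticationTokenFilterBean(),
                                 UsernamePasswordAuthenticationFilter.class);

    // Cache-Control / Pragma / Expires: keep authenticated responses out of
    // browser and intermediary caches.
    httpSecurity.headers().cacheControl();
}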
From source file:com.isalnikov.config.SecurityConfig.java
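@Override
protected void configure(HttpSecurity http) throws Exception {
    // Custom authorization filter. NOTE(review): addFilterBefore() requires the
    // anchor class (UserAuthorizationFilter) to have a registered position in
    // the chain — i.e. it extends a standard Spring Security filter — otherwise
    // this fails at startup. Confirm.
    http.addFilterBefore(authorizationFilter(), UserAuthorizationFilter.class);

    http.authorizeRequests()
            .antMatchers("/page**").permitAll()
            .antMatchers("/login").permitAll()
            .antMatchers("/user").hasRole("USER")
            .antMatchers("/csrf").hasRole("USER")
            .anyRequest().authenticated()
        .and()
        .formLogin()            // default generated login page
            .permitAll()
        .and()
        .logout()
            // NOTE(review): a bare AntPathRequestMatcher matches every HTTP
            // method, so GET /logout logs the user out. The Spring default is
            // POST-only (CSRF-protected); a GET logout can be triggered by any
            // third-party page (forced logout).
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .permitAll();

    // One concurrent session per principal; invalid/expired sessions go back
    // to the login page. NOTE(review): concurrency control only sees session
    // expiry if an HttpSessionEventPublisher is registered — confirm.
    http.sessionManagement().maximumSessions(1).and().invalidSessionUrl("/login");

    // Content Security Policy. Fix: the original emitted only the obsolete
    // vendor-prefixed names (X-Content-Security-Policy, X-WebKit-CSP), which
    // current browsers ignore, so the policy was never enforced. The standard
    // header is now sent too; the legacy names stay for very old engines.
    final String csp = "default-src 'self'";
    http.headers()
        .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", csp))
        .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", csp))
        .addHeaderWriter(new StaticHeadersWriter("X-WebKit-CSP", csp));
}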
From source file:de.interseroh.report.webconfig.SecurityConfig.java
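@Override
protected void configure(HttpSecurity http) throws Exception {
    // Post-login / post-logout targets are configurable; the constants are
    // the fallbacks.
    String successfulLoginPage = env.getProperty("login.successful.page", SUCCESSFUL_LOGIN_PAGE);
    String successfulLogoutPage = env.getProperty("logout.successful.page", SUCCESSFUL_LOGOUT_PAGE);

    http.authorizeRequests()
            // Public whitelist: landing page, default post-login page, static
            // resources, imprint. Note this whitelists the constant
            // SUCCESSFUL_LOGIN_PAGE, not the configured successfulLoginPage.
            .antMatchers("/", SUCCESSFUL_LOGIN_PAGE, "/resources/**", "/imprint", "/images/**").permitAll()
            .anyRequest().authenticated()
        .and()
        .formLogin()
            .loginPage("/login")
            .failureUrl("/login?error")
            .defaultSuccessUrl(successfulLoginPage)
            .permitAll()
        .and()
        .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl(successfulLogoutPage)
            .permitAll();

    // CSRF protection is off. This is a session-based form-login application,
    // exactly the case CSRF tokens exist for: any state-changing POST (and
    // /logout) can be triggered cross-site while a user is logged in. Left
    // disabled here because re-enabling requires the _csrf token in every
    // form (automatic with Thymeleaf / Spring form tags, manual otherwise).
    // TODO re-enable once the templates carry the token.
    http.csrf().disable();

    // Fix: the original called headers().disable(), which dropped every default
    // security header (X-Content-Type-Options, X-Frame-Options, HSTS,
    // Cache-Control) — the author's own TODO asked for "a different solution".
    // The defaults are now left on. If one header gets in the way, relax that
    // one (e.g. headers().frameOptions().sameOrigin()) rather than all of them.
}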
From source file:org.esupportail.publisher.config.SecurityConfiguration.java
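@Override
protected void configure(HttpSecurity http) throws Exception {
    // CAS single sign-on: CAS entry point on authentication failures, CAS
    // ticket filter in the basic-auth slot, single-logout filter ahead of it.
    // The CSRF cookie filter runs after CsrfFilter so the JS client can read
    // the token.
    http.addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class)
        .exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint())
        .and()
        .addFilterBefore(casAuthenticationFilter(), BasicAuthenticationFilter.class)
        .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class);

    // Anonymous access limited to the configured address range plus loopback.
    // NOTE(review): hasIpAddress() evaluates request.getRemoteAddr(); behind a
    // reverse proxy that is the proxy's address, so this check only restricts
    // anything if the proxy is outside the range or a forwarded-header filter
    // is installed — confirm the deployment. The range is interpolated into a
    // SpEL expression: it must come from trusted configuration, never from a
    // request. As written the rule admits only unauthenticated callers
    // (hasRole ANONYMOUS); a logged-in user on the same network is denied —
    // confirm that is intended.
    final String anonymousFromTrustedNetwork = "hasRole('" + AuthoritiesConstants.ANONYMOUS
            + "') and (hasIpAddress('" + ipVariableHolder.getIpRange()
            + "') or hasIpAddress('127.0.0.1/32') or hasIpAddress('::1'))";

    // NOTE(review): frameOptions().disable() removes X-Frame-Options entirely,
    // so every page can be framed by any origin (clickjacking). If framing is
    // needed, prefer frameOptions().sameOrigin() or a CSP frame-ancestors.
    http.headers().frameOptions().disable()
        .authorizeRequests()
            .antMatchers("/app/**").authenticated()
            // Local account lifecycle is closed: identities come from CAS.
            .antMatchers("/api/register").denyAll()
            .antMatchers("/api/activate").denyAll()
            .antMatchers("/api/authenticate").denyAll()
            .antMatchers("/api/logs/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/api/enums/**").permitAll()
            .antMatchers("/api/conf/**").permitAll()
            .antMatchers("/api/**").hasAuthority(AuthoritiesConstants.USER)
            // Management / actuator endpoints: admin only.
            .antMatchers("/metrics/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/health/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/trace/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/dump/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/shutdown/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/beans/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/configprops/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/info/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/autoconfig/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/env/**").hasAuthority(AuthoritiesConstants.ADMIN)
            // (a second, identical "/trace/**" rule was removed: first match
            // wins, so it was unreachable.)
            .antMatchers("/api-docs/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/published/**").access(anonymousFromTrustedNetwork)
            .antMatchers(FeedController.PRIVATE_RSS_FEED_URL_PATH + "**").access(anonymousFromTrustedNetwork)
            .antMatchers(PROTECTED_PATH + "**").authenticated()
            .antMatchers("/view/**").permitAll();
    // NOTE(review): there is no anyRequest() rule, so a path not listed above
    // is subject to no authorization rule at all here (Spring's default for an
    // unmatched request is to let it through). Confirm that is intended.

    http.logout()
        .logoutUrl("/api/logout")
        .logoutSuccessHandler(ajaxLogoutSuccessHandler)
        .invalidateHttpSession(true)
        .deleteCookies("JSESSIONID")
        .permitAll();
}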
From source file:org.opentestsystem.ap.iat.config.SecurityConfig.java
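/**
 * Defines the web based security configuration.
 *
 * SAML single sign-on fronted by HTTP Basic; unauthenticated requests are
 * sent to the SAML entry point.
 *
 * @param http It allows configuring web based security for specific http requests.
 * @throws Exception if the security configuration cannot be built
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic().authenticationEntryPoint(samlEntryPoint());

    // NOTE(review): CSRF protection is off while authentication is
    // session-based (SAML), so browser-originated state-changing requests are
    // not protected against cross-site triggering. Confirm the only callers
    // are ones that cannot be driven from a third-party page, or re-enable
    // with a cookie/header token for the JS front end.
    http.csrf().disable();

    // ForwardedHeaderFilter runs first so scheme/host/port reflect the fronting
    // proxy for the SAML metadata. NOTE(review): it trusts X-Forwarded-* from
    // any client — only deploy behind a proxy that sets or overwrites them.
    http.addFilterBefore(forwardedHeaderFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(metadataGeneratorFilter(), ForwardedHeaderFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);

    // Framing allowed from the same origin only.
    http.headers().frameOptions().sameOrigin();

    http.authorizeRequests()
        .antMatchers(
            "/saml/**",
            "/manage/**/health**", "/manage/**/info**",
            "/assets/**",
            // Fix: the original patterns "**.js" and "favicon.**" had no
            // leading slash. Spring's AntPathMatcher refuses to match when the
            // pattern and the path disagree on the leading "/", and servlet
            // paths always start with "/", so those two rules matched nothing
            // and the requests fell through to the role check below.
            "/**/*.js", "/favicon.**",
            "/fontawesome**", "/glyphicons**",
            // NOTE(review): whole API prefixes are public — confirm nothing
            // under /api/sec or /api/ivs needs a principal.
            "/api/sec/**", "/api/ivs/**",
            "/error/403.html", "/keepalive")
        .permitAll();
    // Everything else requires a role; no anonymous fall-through.
    http.authorizeRequests().antMatchers("/**").hasAnyRole("ADMIN", "USER");

    http.logout().logoutSuccessUrl("/");
    http.exceptionHandling().accessDeniedHandler(accessDeniedHandler());
}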