List of usage examples for org.springframework.security.web.csrf CookieCsrfTokenRepository setCookieHttpOnly
public void setCookieHttpOnly(boolean cookieHttpOnly)
From source file: org.drugis.addis.config.SecurityConfig.java
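/**
 * Configures HTTP security for the application.
 *
 * <p>Anonymous access is granted to the whitelisted paths and to every GET request;
 * POST, PUT and DELETE require an authenticated user. CSRF protection uses a
 * cookie-backed token repository and is skipped for whitelisted paths, GET requests and
 * requests carrying an {@code X-Auth-Application-Key} header. A custom
 * {@code AuthenticationFilter} is installed ahead of HTTP Basic authentication.
 *
 * @param http the {@link HttpSecurity} builder to configure
 * @throws Exception propagated from {@code authenticationManager()} and the builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Paths that require neither authentication nor a CSRF token.
    String[] whitelist = {
            "/",
            "/trialverse",
            "/trialverse/**",
            "/patavi", // allow POST mcda models anonymously
            "/favicon.ico",
            "/favicon.png",
            "/app/**",
            "/auth/**",
            "/signin",
            "/signup",
            "/**/modal/*.html",
            "/manual.html"
    };

    // Disable CSRF protection on the whitelisted urls.
    List<AntPathRequestMatcher> requestMatchers = Arrays.stream(whitelist)
            .map(AntPathRequestMatcher::new)
            .collect(Collectors.toList());

    // The CSRF token cookie is deliberately NOT HttpOnly so that browser-side code can
    // read it and send it back in a request header (cookie-to-header pattern). Any script
    // able to read cookies on this origin can therefore also read the CSRF token.
    CookieCsrfTokenRepository csrfTokenRepository = new CookieCsrfTokenRepository();
    csrfTokenRepository.setCookieHttpOnly(false);

    http.formLogin()
            .loginPage("/signin")
            .loginProcessingUrl("/signin/authenticate")
            .failureUrl("/signin?param.error=bad_credentials")
        .and()
            .authorizeRequests()
            .antMatchers(whitelist).permitAll()
            .antMatchers(HttpMethod.GET, "/**").permitAll()
            .antMatchers(HttpMethod.POST, "/**").authenticated()
            .antMatchers(HttpMethod.PUT, "/**").authenticated()
            .antMatchers(HttpMethod.DELETE, "/**").authenticated()
        .and()
            .rememberMe()
        .and()
            .exceptionHandling()
            .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
        .and()
            .apply(new SpringSocialConfigurer().alwaysUsePostLoginUrl(false))
        .and()
            .csrf()
            .csrfTokenRepository(csrfTokenRepository)
            // A request skips CSRF validation when it matches a whitelisted path, is a GET,
            // or carries an X-Auth-Application-Key header. Only the header's presence is
            // checked here; its validity is presumably enforced by AuthenticationFilter
            // (registered below, body not visible in this method) -- confirm.
            .requireCsrfProtectionMatcher(request ->
                    !(requestMatchers.stream().anyMatch(matcher -> matcher.matches(request))
                            || request.getHeader("X-Auth-Application-Key") != null
                            || HttpMethod.GET.toString().equals(request.getMethod())))
        .and()
            .setSharedObject(ApplicationContext.class, context);

    // Application-key authentication runs before HTTP Basic authentication.
    http.addFilterBefore(new AuthenticationFilter(authenticationManager()),
            BasicAuthenticationFilter.class);
}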