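/*
 * To change this license header, choose License Headers in Project Properties.
 * To change this template file, choose Tools | Templates
 * and open the template in the editor.
 */
package hr.foi.sis.conf;

import com.allanditzel.springframework.security.web.csrf.CsrfTokenResponseHeaderBindingFilter;
import hr.foi.sis.services.PersonDetailsService;
import org.jboss.logging.Param;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.stereotype.Component;

/**
 * Spring Security web configuration: registers the application's
 * {@code PBKDF2AuthProvider} with the authentication manager and declares the
 * URL authorization rules, form login, logout, access-denied page and response
 * headers for the web layer.
 *
 * @author paz
 */
@Component
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ConfSecurity extends WebSecurityConfigurerAdapter {

    /** Authentication provider used for form login; injected by Spring. */
    @Autowired
    PBKDF2AuthProvider authenticationProvider;

    /**
     * Registers the PBKDF2 authentication provider with the global
     * {@link AuthenticationManagerBuilder}.
     *
     * @param auth builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    /**
     * Declares the HTTP security policy: at most one session per principal,
     * role-based access to the admin and user pages, public access to the
     * index, registration page and stylesheet, form login with custom
     * parameter names and redirect targets, logout, and the access-denied page.
     *
     * @param http builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): concurrent-session control only learns about destroyed
        // sessions when an HttpSessionEventPublisher listener is registered
        // elsewhere in the application — confirm one exists.
        http.sessionManagement().maximumSessions(1);

        // NOTE(review): CSRF protection is disabled for every endpoint, so the
        // login, logout and registration POSTs can be triggered from a third-party
        // origin. Re-enabling it requires the HTML forms to submit the _csrf token
        // (or the header-binding filter commented out below for header-based
        // clients); it is left disabled here because that template change is
        // outside this file.
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/admin-page.html").access("hasRole('ROLE_ADMIN')")
                .antMatchers("/user-page.html").access("isAuthenticated()")
                // Ant patterns must start with '/': AntPathMatcher refuses to match a
                // request path that begins with the separator against a pattern that
                // does not, so the original "spring-security.css" never matched.
                .antMatchers("/index.html", "/register.html", "/spring-security.css").permitAll()
                // There is no anyRequest() rule, so any path not listed above is
                // reachable without authentication. If default-deny is intended,
                // append .anyRequest().authenticated() and permitAll the login,
                // login-error and static-asset paths.
                .and()
            .formLogin()
                .loginPage("/login.html")
                .usernameParameter("username")
                .passwordParameter("password")
                .failureUrl("/login-error.html")
                .defaultSuccessUrl("/user-page.html")
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/index.html")
                .and()
            .exceptionHandling()
                .accessDeniedPage("/acces-denied-page.html")
                .and()
            .headers().xssProtection();

        //CsrfTokenResponseHeaderBindingFilter csrfTokenFilter = new CsrfTokenResponseHeaderBindingFilter();
        //http.addFilterAfter(csrfTokenFilter, CsrfFilter.class);
    }
}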