import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; @Configuration @EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { // Prevent the HTTP response header of "Pragma: no-cache". http.headers().cacheControl().disable(); } }
@Override protected void configure(HttpSecurity http) throws Exception { http.httpBasic(); http.csrf().disable(); http.headers().frameOptions().sameOrigin(); }
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); http.headers().frameOptions().sameOrigin(); } }
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); http.headers().frameOptions().sameOrigin(); http.authorizeRequests() .antMatchers("/openapi/**", "/vendor/**", "/styles/**", "/scripts/**", "/views/**", "/img/**").permitAll() .antMatchers("/**").authenticated(); http.formLogin().loginPage("/signin").permitAll().failureUrl("/signin?#/error").and().httpBasic(); SimpleUrlLogoutSuccessHandler urlLogoutHandler = new SimpleUrlLogoutSuccessHandler(); urlLogoutHandler.setDefaultTargetUrl("/signin?#/logout"); http.logout().logoutUrl("/user/logout").invalidateHttpSession(true).clearAuthentication(true) .logoutSuccessHandler(urlLogoutHandler); http.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/signin")); }
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); http.headers().frameOptions().sameOrigin(); http.authorizeRequests() .antMatchers("/openapi/**", "/vendor/**", "/styles/**", "/scripts/**", "/views/**", "/img/**").permitAll() .antMatchers("/**").hasAnyRole(USER_ROLE); http.formLogin().loginPage("/signin").permitAll().failureUrl("/signin?#/error").and().httpBasic(); SimpleUrlLogoutSuccessHandler urlLogoutHandler = new SimpleUrlLogoutSuccessHandler(); urlLogoutHandler.setDefaultTargetUrl("/signin?#/logout"); http.logout().logoutUrl("/user/logout").invalidateHttpSession(true).clearAuthentication(true) .logoutSuccessHandler(urlLogoutHandler); http.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/signin")); }
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests()//配置权限 // .antMatchers("/").access("hasRole('TEST')")//该路径需要TEST角色 .antMatchers("/").authenticated()//该路径需要登录认证 // .antMatchers("/brand/list").hasAuthority("TEST")//该路径需要TEST权限 .antMatchers("/**").permitAll() .and()//启用基于http的认证 .httpBasic() .realmName("/") .and()//配置登录页面 .formLogin() .loginPage("/login") .failureUrl("/login?error=true") .and()//配置退出路径 .logout() .logoutSuccessUrl("/") // .and()//记住密码功能 // .rememberMe() // .tokenValiditySeconds(60*60*24) // .key("rememberMeKey") .and()//关闭跨域伪造 .csrf() .disable() .headers()//去除X-Frame-Options .frameOptions() .disable(); }
/** * Configure. * * @param http the http * * @throws Exception the exception */ @Override protected void configure(HttpSecurity http) throws Exception { http.headers().frameOptions().disable() .and() .formLogin() .loginPage("/login.html") .loginProcessingUrl("/login") .and() .logout().logoutUrl("/logout") .and() .csrf().disable() .authorizeRequests() .antMatchers("/api/**", "/applications/**", "/api/applications/**", "/login.html", "/**/*.css", "/img/**", "/third-party/**") .permitAll() .anyRequest().authenticated(); } }
httpSecurity.headers().cacheControl();
@Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest().authenticated().and() // custom token authorize exception handler .exceptionHandling() .authenticationEntryPoint(unauthorizedHandler).and() // since we use jwt, session is not necessary .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() // since we use jwt, csrf is not necessary .csrf().disable(); http.addFilterBefore(new JwtAuthenticationTokenFilter(tokenProvider), UsernamePasswordAuthenticationFilter.class); // disable cache http.headers().cacheControl(); }
@Override protected void configure(HttpSecurity httpSecurity) throws Exception { httpSecurity // we don't need CSRF because our token is invulnerable .csrf().disable() .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and() // don't create session .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() .authorizeRequests() // Un-secure H2 Database .antMatchers("/h2-console/**/**").permitAll() .antMatchers("/auth/**").permitAll() .anyRequest().authenticated(); httpSecurity .addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class); // disable page caching httpSecurity .headers() .frameOptions().sameOrigin() // required to set for H2 else H2 Console will be blank. .cacheControl(); }
.addFilter(new WebAsyncManagerIntegrationFilter()) .exceptionHandling().and() .headers().and() .sessionManagement().and() .securityContext().and()
@Override public void configure(HttpSecurity http) throws Exception { //允许使用iframe 嵌套,避免swagger-ui 不被加载的问题 http.headers().frameOptions().disable(); ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http .authorizeRequests(); filterIgnorePropertiesConfig.getUrls().forEach(url -> registry.antMatchers(url).permitAll()); registry.anyRequest() .access("@permissionService.hasPermission(request,authentication)"); }
.and() .headers().frameOptions().disable() .and() .logout()
@EnableWebSecurity @Configuration public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http // ... .headers().disable(); } }
@Override protected void configure(HttpSecurity httpSecurity) throws Exception { httpSecurity.authorizeRequests().antMatchers("/").permitAll().and() .authorizeRequests().antMatchers("/console/**").permitAll(); httpSecurity.csrf().disable(); httpSecurity.headers().frameOptions().disable(); }
.addFilter(new WebAsyncManagerIntegrationFilter()) .exceptionHandling().and() .headers().and() .sessionManagement().and() .securityContext().and()
protected void configure(HttpSecurity http) throws Exception { http.httpBasic().and().authorizeRequests().antMatchers("/students/**") .hasRole("USER").antMatchers("/**").hasRole("ADMIN").and() .csrf().disable().headers().frameOptions().disable(); }
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() //Disable CSRF (cross site request forgery) //Spring Security will never create an {@link HttpSession} and it will never use it .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .authorizeRequests() .antMatchers("/auth/**").permitAll() .anyRequest().authenticated(); http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class); http.headers().cacheControl(); }
protected void configure(HttpSecurity http) throws Exception { http.httpBasic().and().authorizeRequests().antMatchers("/students/**") .hasRole("USER").antMatchers("/users/**").hasRole("USER") .antMatchers("/**").hasRole("ADMIN").and().csrf().disable() .headers().frameOptions().disable(); }