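@Override
protected void configure(HttpSecurity http) throws Exception {
    // Dedicated filter chain for the token endpoint only. Clients authenticate with
    // HTTP Basic (client_id:client_secret) on every call and no session is ever created
    // (STATELESS), so there is no session cookie a cross-site request could ride on.
    // CSRF protection is therefore switched off for this chain.
    //
    // It is disabled outright: a requireCsrfProtectionMatcher(...) chained before
    // disable() has no effect, because disable() removes the whole CsrfConfigurer from
    // the builder. The dead "/oauth/token" matcher that used to sit here was removed so
    // the configuration says what it actually does.
    //
    // anonymous().disable(): an unauthenticated request is rejected (handled by
    // authenticationEntryPoint()) instead of being treated as an anonymous principal.
    // @formatter:off
    http.anonymous().disable()
        .antMatcher("/oauth/token")
        .authorizeRequests().anyRequest().authenticated()
        .and()
        .httpBasic().authenticationEntryPoint(authenticationEntryPoint())
        .and()
        .csrf().disable()
        .exceptionHandling().accessDeniedHandler(accessDeniedHandler())
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // @formatter:on
}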
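@Override
protected void configure(HttpSecurity http) throws Exception {
    // Token-endpoint chain (/oauth/token only). Every request carries HTTP Basic client
    // credentials and the session policy is STATELESS, so no cookie-bound state exists
    // for a cross-site request to abuse; CSRF is intentionally off here.
    //
    // NOTE: the former requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/token"))
    // was dead code — disable() discards the CsrfConfigurer and everything set on it — so
    // the chain now reads csrf().disable() directly. Add a matcher back only together with
    // re-enabling CSRF.
    //
    // anonymous().disable() makes unauthenticated calls fail authentication (answered via
    // authenticationEntryPoint()) rather than proceed as an anonymous user.
    // @formatter:off
    http.anonymous().disable()
        .antMatcher("/oauth/token")
        .authorizeRequests().anyRequest().authenticated()
        .and()
        .httpBasic().authenticationEntryPoint(authenticationEntryPoint())
        .and()
        .csrf().disable()
        .exceptionHandling().accessDeniedHandler(accessDeniedHandler())
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // @formatter:on
}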
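@Override
protected void configure(HttpSecurity http) throws Exception {
    // Filter chain restricted to the "/token" endpoint. Callers authenticate with HTTP
    // Basic on each request and no HTTP session is created (STATELESS), so there is no
    // cookie-based ambient authority for a CSRF attack to exploit; CSRF is disabled for
    // this chain on purpose.
    //
    // Disabled outright: the requireCsrfProtectionMatcher("/token") previously chained
    // before disable() was a no-op (disable() removes the entire CsrfConfigurer) and has
    // been dropped to avoid suggesting path-scoped protection that does not exist.
    //
    // anonymous().disable(): requests without credentials are rejected through
    // authenticationEntryPoint() instead of being given an anonymous principal.
    // @formatter:off
    http.anonymous().disable()
        .antMatcher("/token")
        .authorizeRequests().anyRequest().authenticated()
        .and()
        .httpBasic().authenticationEntryPoint(authenticationEntryPoint())
        .and()
        .csrf().disable()
        .exceptionHandling().accessDeniedHandler(accessDeniedHandler())
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // @formatter:on
}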
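@Override
protected void configure(HttpSecurity http) throws Exception {
    // Security chain for /oauth/token. Client authentication is HTTP Basic per request,
    // sessions are never created (STATELESS), hence no session cookie exists that a
    // forged cross-site request could reuse — CSRF protection is deliberately disabled.
    //
    // The matcher formerly passed to requireCsrfProtectionMatcher(...) right before
    // disable() never took effect (disable() removes the CsrfConfigurer wholesale);
    // it was removed so readers are not misled into thinking CSRF is path-scoped.
    //
    // anonymous().disable() turns a missing credential into an authentication failure
    // handled by authenticationEntryPoint(), rather than an anonymous principal.
    // @formatter:off
    http.anonymous().disable()
        .antMatcher("/oauth/token")
        .authorizeRequests().anyRequest().authenticated()
        .and()
        .httpBasic().authenticationEntryPoint(authenticationEntryPoint())
        .and()
        .csrf().disable()
        .exceptionHandling().accessDeniedHandler(accessDeniedHandler())
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // @formatter:on
}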
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CSRF is demanded only on "/path" — for every HTTP method, since an
    // AntPathRequestMatcher built without a method argument also matches GET — while
    // any request accepted by this.requestMatcher is exempted through
    // ignoringRequestMatchers(). No other security settings are touched here.
    AntPathRequestMatcher protectedPath = new AntPathRequestMatcher("/path");
    // @formatter:off
    http.csrf()
        .requireCsrfProtectionMatcher(protectedPath)
        .ignoringRequestMatchers(this.requestMatcher);
    // @formatter:on
}
}
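@Override
protected void configure(HttpSecurity http) throws Exception {
    // Chain for the /oauth/token endpoint. Clients present HTTP Basic credentials on
    // every request and the session policy is STATELESS, so no cookie-bound session
    // exists for a cross-site request to ride on; CSRF is intentionally disabled.
    //
    // It is disabled outright. The requireCsrfProtectionMatcher("/oauth/token") that
    // used to precede disable() was dead code (disable() removes the CsrfConfigurer and
    // everything configured on it) and has been removed.
    //
    // The same entry point is wired into both httpBasic() and exceptionHandling(), so a
    // failed Basic challenge and an AuthenticationException raised elsewhere in the chain
    // are answered consistently; accessDeniedHandler() covers authorization failures.
    // anonymous().disable() makes unauthenticated calls fail rather than run anonymously.
    // @formatter:off
    http.anonymous().disable()
        .antMatcher("/oauth/token")
        .authorizeRequests().anyRequest().authenticated()
        .and()
        .httpBasic().authenticationEntryPoint(authenticationEntryPoint())
        .and()
        .csrf().disable()
        .exceptionHandling()
            .accessDeniedHandler(accessDeniedHandler())
            .authenticationEntryPoint(authenticationEntryPoint())
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // @formatter:on
}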
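@Override
protected void configure(HttpSecurity http) throws Exception {
    // Chain for /oauth/token. Client credentials are presented on every request and no
    // session is created (STATELESS), so CSRF is intentionally disabled for this chain.
    // It is disabled outright: the requireCsrfProtectionMatcher("/oauth/token") call that
    // used to precede disable() had no effect (disable() drops the whole CsrfConfigurer)
    // and has been removed.
    //
    // anonymous().disable(): a request without credentials is rejected via
    // authenticationEntryPoint() instead of being treated as anonymous.
    // @formatter:off
    http.anonymous().disable()
        .antMatcher("/oauth/token")
        .authorizeRequests().anyRequest().authenticated()
        .and()
        .httpBasic().authenticationEntryPoint(authenticationEntryPoint())
        .and()
        .csrf().disable()
        .exceptionHandling().accessDeniedHandler(accessDeniedHandler())
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // @formatter:on

    // Additionally accept client credentials passed as form parameters
    // (client_id / client_secret in the request body), ahead of BasicAuthenticationFilter.
    // RFC 6749 §2.3.1 allows this but recommends HTTP Basic; keep it only for clients
    // that cannot send an Authorization header. The filter is instantiated by hand (not a
    // Spring bean), so afterPropertiesSet() is invoked explicitly to run its
    // initialisation checks (it presumably verifies the AuthenticationManager is set).
    ClientCredentialsTokenEndpointFilter clientCredentialsFilter =
            new ClientCredentialsTokenEndpointFilter();
    clientCredentialsFilter.setAuthenticationManager(super.authenticationManagerBean());
    clientCredentialsFilter.afterPropertiesSet();
    http.addFilterBefore(clientCredentialsFilter, BasicAuthenticationFilter.class);
}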
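// CSRF tokens live in a cookie (CookieCsrfTokenRepository). NOTE(review): the default
// cookie is HttpOnly; if a JavaScript client is expected to read it and echo it back in a
// header, withHttpOnlyFalse() is needed — confirm against the front end.
//
// Require a token on every state-changing method, not only POST. The previous matcher
// (getMethod().equals("POST")) left PUT, PATCH and DELETE completely unchecked, which is
// weaker than Spring Security's default of protecting everything except
// GET/HEAD/TRACE/OPTIONS. Clients issuing those methods must now send the token too.
http.csrf()
    .csrfTokenRepository(new CookieCsrfTokenRepository())
    .requireCsrfProtectionMatcher(request -> {
        String method = request.getMethod();
        // "Safe" methods per RFC 7231 carry no CSRF token; everything else does.
        return !("GET".equals(method) || "HEAD".equals(method)
                || "TRACE".equals(method) || "OPTIONS".equals(method));
    });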
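@Override
protected void configure(HttpSecurity http) throws Exception {
    // Browser-facing chain: everything under /oauth/** requires an authenticated user,
    // and users sign in through the session-cookie based form login.
    //
    // SECURITY: CSRF protection is disabled for this entire chain. Because the user is
    // identified by a session cookie, the approval POST to /oauth/authorize and the
    // logout request can be triggered from a third-party page. The configuration used to
    // chain requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))
    // before disable(); that matcher was dead code (disable() removes the whole
    // CsrfConfigurer) and has been dropped so the real behaviour is visible.
    //
    // Do not "fix" this by merely deleting disable() while keeping a path-only matcher:
    // it would also demand a token on the GET redirect with which clients start the
    // authorization flow and break it. Re-enable CSRF with the default matcher
    // (state-changing methods only) and make sure the login and approval views emit the
    // _csrf hidden field.
    // @formatter:off
    http
        .authorizeRequests()
            .antMatchers("/oauth/**").authenticated()
            .and()
        .csrf().disable()
        .formLogin().permitAll()
            .and()
        .logout().permitAll();
    // @formatter:on
}
}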
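@Override
protected void configure(HttpSecurity http) throws Exception {
    // This chain is consulted only for "/", "/home", "/login" and "/oauth/authorize"
    // (requestMatchers()); any other URL falls through to another chain.
    // "/oauth/authorize" is served by
    // org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.
    //
    // The original (Chinese) comment stated that only a logged-in user may request an
    // OAuth2 authorization code. NOTE(review): anyRequest().permitAll() below does not
    // enforce that inside this chain — the login requirement is left to the endpoint
    // itself, presumably via the exception handling / form login round trip. Confirm
    // this is intended rather than tightening the rule here blindly.
    //
    // SECURITY / TODO: put CSRF protection back into this endpoint. CSRF is currently
    // disabled for the whole chain while users are authenticated by a session cookie, so
    // the approval POST to /oauth/authorize can be forged by a third-party page. The
    // requireCsrfProtectionMatcher("/oauth/authorize") that used to precede disable()
    // was dead code (disable() removes the CsrfConfigurer) and has been removed. When
    // re-enabling, do NOT reuse a path-only matcher: it would also demand a token on the
    // GET redirect that starts the authorization flow. Prefer the default matcher
    // (state-changing methods only) and ensure the login and approval views render the
    // _csrf field.
    // @formatter:off
    http.requestMatchers()
            .antMatchers("/", "/home", "/login", "/oauth/authorize")
            .and()
        .authorizeRequests()
            .anyRequest().permitAll()
            .and()
        .formLogin()
            .loginPage("/login")
            .and()
        .httpBasic()
            .disable()
        .exceptionHandling()
            .accessDeniedPage("/login?authorization_error=true")
            .and()
        .csrf()
            .disable();
    // @formatter:on
}
}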
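@Override
public void configure(HttpSecurity http) throws Exception {
    // Stateless chain: no HTTP session is created, so there is no session cookie for a
    // cross-site request to reuse and CSRF protection is disabled outright. The
    // requireCsrfProtectionMatcher("/oauth/authorize") that used to precede disable()
    // never had any effect (disable() removes the whole CsrfConfigurer) and was removed.
    //
    // NOTE(review), security caveats in this chain as written:
    //  - With CSRF off, Spring Security's LogoutFilter accepts /oauth/logout over any
    //    HTTP method, not just POST.
    //  - frameOptions().disable() removes X-Frame-Options; acceptable only if nothing on
    //    this chain renders in a browser, otherwise it opens clickjacking.
    //  - Only "/hello/" (exact, trailing slash) and "/secure/**" have access rules; with
    //    no anyRequest() rule every other path has no authorization constraint and is
    //    passed through. Add .anyRequest().authenticated() (or denyAll) if that is not
    //    intended.
    // @formatter:off
    http
        .exceptionHandling()
            .authenticationEntryPoint(customAuthenticationEntryPoint)
            .and()
        .logout()
            .logoutUrl("/oauth/logout")
            .logoutSuccessHandler(customLogoutSuccessHandler)
            .and()
        .csrf()
            .disable()
        .headers()
            .frameOptions().disable()
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
        .authorizeRequests()
            .antMatchers("/hello/").permitAll()
            .antMatchers("/secure/**").authenticated();
    // @formatter:on
}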
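@Override
protected void configure(HttpSecurity http) throws Exception {
    // CORS: if Spring MVC is on the classpath and no CorsConfigurationSource is provided,
    // Spring Security uses the CORS configuration registered with Spring MVC.
    //
    // CSRF is disabled for the whole chain. The ignoringAntMatchers("/stomp/**") and
    // requireCsrfProtectionMatcher("/oauth/authorize") calls that used to precede
    // disable() were dead code (disable() removes the CsrfConfigurer entirely) and have
    // been removed; if CSRF is ever re-enabled, the STOMP exemption must be re-added.
    // SECURITY: this chain serves a JSP login page (see accessDeniedPage) authenticated
    // by session cookie — with CSRF off, its POSTs are forgeable from other sites.
    // frameOptions().disable() also drops X-Frame-Options, so that page can be framed.
    //
    // Access rules: /oauth/token is open (client authentication happens at the endpoint),
    // everything else requires an authenticated principal. A trailing
    // http.authorizeRequests().anyRequest().permitAll() that contradicted this has been
    // removed: rules are matched in declaration order, so it could never take effect after
    // anyRequest().authenticated(), and newer Spring Security versions reject a second
    // anyRequest() at startup. If the intent really is to permit everything, change the
    // rule below instead. The duplicate frameOptions().disable() was redundant and is gone.
    // @formatter:off
    http.cors()
        .and()
        .authenticationProvider(customAuthProvider())
        .csrf()
            .disable()
        .headers()
            .frameOptions().disable()
            .and()
        .authorizeRequests()
            .expressionHandler(webExpressionHandler())
            .antMatchers("/oauth/token").permitAll()
            .anyRequest().authenticated()
            .and()
        .exceptionHandling()
            // TODO: the exception-handling approach is to be cleaned up later
            // (translated from the original Korean comment)
            .accessDeniedPage("/station.login.jsp?authorization_error=true");
    // @formatter:on
}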
.requireCsrfProtectionMatcher(mangoRequiresCsrfMatcher) .csrfTokenRepository(csrfTokenRepository);
.requireCsrfProtectionMatcher(mangoRequiresCsrfMatcher) .csrfTokenRepository(csrfTokenRepository);
// The remember-me cookie is flagged Secure, so browsers only send it over TLS.
http.rememberMe().useSecureCookie(true);

// CSRF: tokens are issued/validated through csrfTokenRepository(). Which requests must
// present a token is decided by FacebookCanvasAllowingProtectionMatcher — the name
// suggests it exempts Facebook canvas POSTs, which arrive cross-site carrying a
// signed_request instead of a token (confirm in the matcher). XSRFTokenCookieFilter is
// placed directly after CsrfFilter, presumably to expose the current token to the client
// as a cookie.
http.csrf()
    .csrfTokenRepository(csrfTokenRepository())
    .requireCsrfProtectionMatcher(new FacebookCanvasAllowingProtectionMatcher());
http.addFilterAfter(new XSRFTokenCookieFilter(), CsrfFilter.class);
protected HttpSecurity defaultHttp(HttpSecurity http) throws Exception {
    // Shared baseline that concrete chains build on:
    //  - a session is created only when something needs it (IF_REQUIRED);
    //  - CSRF enforcement uses the project's own matcher and token repository;
    //  - the WeChat MP OAuth2 processing filter is registered after CsrfFilter;
    //  - unauthenticated access is answered by the REST-style entry point.
    // The same builder is returned so callers can keep chaining.
    http.sessionManagement().sessionCreationPolicy(IF_REQUIRED);
    http.csrf()
        .requireCsrfProtectionMatcher(requireCsrfProtectionMatcher())
        .csrfTokenRepository(csrfTokenRepository());
    http.addFilterAfter(weChatMpOAuth2AuthenticationProcessingFilter(wxMpService), CsrfFilter.class);
    http.exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint());
    return http;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Keycloak adapter wiring. CSRF stays enabled; keycloakCsrfRequestMatcher() decides
    // which requests need a token (presumably exempting the adapter's back-channel
    // admin callbacks — confirm in the matcher). The Keycloak filters are slotted into
    // the standard chain relative to LogoutFilter, BasicAuthenticationFilter and
    // SecurityContextHolderAwareRequestFilter. NOTE(review): no authorizeRequests()
    // rules are declared in this method; they are expected to come from elsewhere.
    http.csrf().requireCsrfProtectionMatcher(keycloakCsrfRequestMatcher());
    http.sessionManagement().sessionAuthenticationStrategy(sessionAuthenticationStrategy());

    http.addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class);
    http.addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class);
    http.addFilterAfter(keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class);
    http.addFilterAfter(keycloakAuthenticatedActionsRequestFilter(), KeycloakSecurityContextRequestFilter.class);

    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint());

    // Logout: Keycloak's handler runs alongside the default ones; the logout URL itself
    // is reachable without authentication and lands on "/" afterwards.
    http.logout()
        .addLogoutHandler(keycloakLogoutHandler())
        .logoutUrl("/sso/logout").permitAll()
        .logoutSuccessUrl("/");
}
http.csrf().requireCsrfProtectionMatcher(CsrfProtectionRequestMatcher.INSTANCE). csrfTokenRepository(csrfTokenRepository); } else {
http.csrf().requireCsrfProtectionMatcher(CsrfProtectionRequestMatcher.INSTANCE). csrfTokenRepository(csrfTokenRepository); } else {
// A request must carry a CSRF token only when BOTH conditions hold: the default rule
// applies (DefaultRequiresCsrfMatcher — if it mirrors Spring Security's, that is any
// method other than GET/HEAD/TRACE/OPTIONS) AND the request is not on the ignore list
// (notIgnored is presumably the negation of the ignored-request matchers — confirm).
csrfConfigurer.requireCsrfProtectionMatcher(
        new AndRequestMatcher(new DefaultRequiresCsrfMatcher(), notIgnored));