@Override
protected void configure(HttpSecurity http) throws Exception {
    /*
     * Lock down every URL: fullyAuthenticated() rejects anonymous and
     * remember-me sessions alike. Browsers are sent to the default
     * form-login page; no other defaults are overridden here.
     */
    http.authorizeRequests()
        .anyRequest().fullyAuthenticated();
    http.formLogin();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Create the server-side configurer and share the OAuth2 endpoint
    // handler mapping on the builder so path lookups below use the real
    // servlet paths (the mapping may have a prefix configured).
    AuthorizationServerSecurityConfigurer serverConfigurer = new AuthorizationServerSecurityConfigurer();
    FrameworkEndpointHandlerMapping mapping = endpoints.oauth2EndpointHandlerMapping();
    http.setSharedObject(FrameworkEndpointHandlerMapping.class, mapping);

    // Subclass hook (token-key / check-token access rules), then apply it.
    configure(serverConfigurer);
    http.apply(serverConfigurer);

    String tokenPath = mapping.getServletPath("/oauth/token");
    String tokenKeyPath = mapping.getServletPath("/oauth/token_key");
    String checkTokenPath = mapping.getServletPath("/oauth/check_token");

    // Unless a subclass supplied its own UserDetailsService, reuse the one
    // already shared on the HttpSecurity builder.
    if (!endpoints.getEndpointsConfigurer().isUserDetailsServiceOverride()) {
        UserDetailsService sharedUserDetails = http.getSharedObject(UserDetailsService.class);
        endpoints.getEndpointsConfigurer().userDetailsService(sharedUserDetails);
    }

    // The token endpoint needs a fully authenticated client; token_key and
    // check_token use the access expressions the configurer was given.
    http.authorizeRequests()
        .antMatchers(tokenPath).fullyAuthenticated()
        .antMatchers(tokenKeyPath).access(serverConfigurer.getTokenKeyAccess())
        .antMatchers(checkTokenPath).access(serverConfigurer.getCheckTokenAccess());
    // This chain handles only the three OAuth2 endpoints ...
    http.requestMatchers()
        .antMatchers(tokenPath, tokenKeyPath, checkTokenPath);
    // ... and never creates an HTTP session for them.
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.NEVER);

    http.setSharedObject(ClientDetailsService.class, clientDetailsService);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Stateless, CORS-enabled chain: no remember-me, no server session,
    // every request must carry its own credentials.
    http.cors();
    http.rememberMe().disable();
    http.authorizeRequests()
        .anyRequest().fullyAuthenticated();
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // NOTE(review): CSRF is not touched here; with a STATELESS policy a
    // session-backed CSRF token cannot persist, so confirm non-GET calls
    // are handled as expected.

    // Each credential filter is placed ahead of AnonymousAuthenticationFilter
    // so it gets a chance to authenticate the request first. Their relative
    // order is whatever the builder assigns — presumably registration order
    // (x509, jwt, otp, knox); verify if it matters.
    http.addFilterBefore(x509FilterBean(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(jwtFilterBean(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(otpFilterBean(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(knoxFilterBean(), AnonymousAuthenticationFilter.class);

    // Custom anonymous filter replaces the default one.
    http.anonymous().authenticationFilter(anonymousFilterBean());
}
.antMatchers(method, antPatterns).and() .authorizeRequests() .antMatchers(method, antPatterns).fullyAuthenticated();
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Create the server-side configurer and share the OAuth2 endpoint
    // handler mapping on the builder so path lookups below use the real
    // servlet paths (the mapping may have a prefix configured).
    AuthorizationServerSecurityConfigurer serverConfigurer = new AuthorizationServerSecurityConfigurer();
    FrameworkEndpointHandlerMapping mapping = endpoints.oauth2EndpointHandlerMapping();
    http.setSharedObject(FrameworkEndpointHandlerMapping.class, mapping);

    // Subclass hook (token-key / check-token access rules), then apply it.
    configure(serverConfigurer);
    http.apply(serverConfigurer);

    String tokenPath = mapping.getServletPath("/oauth/token");
    String tokenKeyPath = mapping.getServletPath("/oauth/token_key");
    String checkTokenPath = mapping.getServletPath("/oauth/check_token");

    // Unless a subclass supplied its own UserDetailsService, reuse the one
    // already shared on the HttpSecurity builder.
    if (!endpoints.getEndpointsConfigurer().isUserDetailsServiceOverride()) {
        UserDetailsService sharedUserDetails = http.getSharedObject(UserDetailsService.class);
        endpoints.getEndpointsConfigurer().userDetailsService(sharedUserDetails);
    }

    // The token endpoint needs a fully authenticated client; token_key and
    // check_token use the access expressions the configurer was given.
    http.authorizeRequests()
        .antMatchers(tokenPath).fullyAuthenticated()
        .antMatchers(tokenKeyPath).access(serverConfigurer.getTokenKeyAccess())
        .antMatchers(checkTokenPath).access(serverConfigurer.getCheckTokenAccess());
    // This chain handles only the three OAuth2 endpoints ...
    http.requestMatchers()
        .antMatchers(tokenPath, tokenKeyPath, checkTokenPath);
    // ... and never creates an HTTP session for them.
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.NEVER);

    http.setSharedObject(ClientDetailsService.class, clientDetailsService);
}
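@Override
protected void configure(HttpSecurity http) throws Exception {
    /*
     * Authorization rules are evaluated in declaration order and the first
     * match wins, so the public exceptions must come before the catch-all.
     * The previous order — a "/**" permitAll first, then anyRequest(), then
     * further mvcMatchers — left every later rule unreachable (and newer
     * Spring Security releases reject mvcMatchers() declared after
     * anyRequest()). The order below implements what the original comments
     * asked for: login paths open, everything else fully authenticated.
     * If the intent was instead to leave all authorization to
     * myFilterSecurityInterceptor, use a single "/**" permitAll rule here —
     * never both.
     */
    http.authorizeRequests()
        // Paths reachable without a login.
        .mvcMatchers("/login", "/login/wechat").permitAll()
        // Everything else requires a full (non-remember-me) authentication.
        .anyRequest().fullyAuthenticated();

    // This is an API, so success/failure handlers answer directly instead
    // of redirecting to a page.
    http.formLogin()
        .successHandler(new MyAuthenticationSuccessHandler())
        .failureHandler(new MySimpleUrlAuthenticationFailureHandler());
    // Logout response handled the same way.
    http.logout()
        .logoutSuccessHandler(new RestLogoutSuccessHandler());
    // Unauthenticated requests get the REST entry point, not a redirect.
    http.exceptionHandling()
        .authenticationEntryPoint(new RestAuthenticationEntryPoint());

    // Custom interceptor registered at the FilterSecurityInterceptor position;
    // SSO filter runs ahead of HTTP Basic.
    http.addFilterAt(myFilterSecurityInterceptor, FilterSecurityInterceptor.class);
    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);

    // CSRF protection is switched off for this chain (a cookie-based token
    // repository had been considered but was left commented out).
    http.csrf().disable();
}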
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Create the server-side configurer and share the OAuth2 endpoint
    // handler mapping on the builder so path lookups below use the real
    // servlet paths (the mapping may have a prefix configured).
    AuthorizationServerSecurityConfigurer serverConfigurer = new AuthorizationServerSecurityConfigurer();
    FrameworkEndpointHandlerMapping mapping = endpoints.oauth2EndpointHandlerMapping();
    http.setSharedObject(FrameworkEndpointHandlerMapping.class, mapping);

    // Subclass hook (token-key / check-token access rules), then apply it.
    configure(serverConfigurer);
    http.apply(serverConfigurer);

    String tokenPath = mapping.getServletPath("/oauth/token");
    String tokenKeyPath = mapping.getServletPath("/oauth/token_key");
    String checkTokenPath = mapping.getServletPath("/oauth/check_token");

    // Unless a subclass supplied its own UserDetailsService, reuse the one
    // already shared on the HttpSecurity builder.
    if (!endpoints.getEndpointsConfigurer().isUserDetailsServiceOverride()) {
        UserDetailsService sharedUserDetails = http.getSharedObject(UserDetailsService.class);
        endpoints.getEndpointsConfigurer().userDetailsService(sharedUserDetails);
    }

    // The token endpoint needs a fully authenticated client; token_key and
    // check_token use the access expressions the configurer was given.
    http.authorizeRequests()
        .antMatchers(tokenPath).fullyAuthenticated()
        .antMatchers(tokenKeyPath).access(serverConfigurer.getTokenKeyAccess())
        .antMatchers(checkTokenPath).access(serverConfigurer.getCheckTokenAccess());
    // This chain handles only the three OAuth2 endpoints ...
    http.requestMatchers()
        .antMatchers(tokenPath, tokenKeyPath, checkTokenPath);
    // ... and never creates an HTTP session for them.
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.NEVER);

    http.setSharedObject(ClientDetailsService.class, clientDetailsService);
}
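@Override
protected void configure(HttpSecurity http) throws Exception {
    // Case-fold once; Locale.ROOT keeps the comparison independent of the
    // JVM default locale (e.g. the Turkish dotless i).
    String type = loginType.toUpperCase(java.util.Locale.ROOT);

    if (ShepherConstants.LOGIN_TYPE_LDAP.equals(type)) {
        // LDAP: every request needs a full login via the default form page.
        http.csrf().disable()
            .authorizeRequests()
                .anyRequest().fullyAuthenticated()
                .and()
            .formLogin();
    } else if (ShepherConstants.LOGIN_TYPE_CAS.equals(type)) {
        // CAS: the CAS entry filter runs before the username/password filter,
        // proxy-ticket validation after the authentication filter.
        // NOTE(review): no URL rules are declared for this branch, so
        // authorization presumably lives in the CAS filters or another
        // configurer — confirm.
        http.csrf().disable()
            .addFilter(new UsernamePasswordAuthenticationFilter())
            .addFilterBefore(casAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            .addFilterAfter(getCas20ProxyReceivingTicketValidationFilter(), AuthenticationFilter.class);
    } else if (ShepherConstants.LOGIN_TYPE_DEMO.equals(type)) {
        // Demo: role-based access; the custom login page and logout are public.
        http.csrf().disable()
            .authorizeRequests()
                .anyRequest().hasRole("USER")
                .and()
            .formLogin()
                .loginPage("/login")
                .passwordParameter("password")
                .usernameParameter("username")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    } else {
        // Fail closed: previously an unrecognised login type fell through and
        // this method configured nothing at all, leaving the chain without
        // any authorization rules.
        throw new IllegalStateException("Unsupported login type: " + loginType);
    }
}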
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Root, HTML and JS resources are public; every other URL needs a
    // full (non-remember-me) login.
    http.authorizeRequests()
        .antMatchers("/", "/**.html", "/**.js").permitAll()
        .anyRequest().fullyAuthenticated();

    // Default "/logout" endpoint, landing on "/" afterwards.
    http.logout()
        .logoutSuccessUrl("/")
        .permitAll();

    // The "/google/login" filter takes the HTTP Basic position in the chain.
    http.addFilterAt(filter(), BasicAuthenticationFilter.class);

    // CSRF token lives in a cookie readable by scripts so browser-side code
    // can send it back in a header.
    http.csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // URL rules, first match wins: only /admin/** is locked down, the other
    // listed paths are public.
    // NOTE(review): no anyRequest() rule is declared, so a path matching
    // none of these is not covered by this chain's rules — confirm that is
    // intended for everything outside /admin/**.
    http.authorizeRequests()
        .antMatchers("/login**").permitAll()
        .antMatchers("/static/**", "/webjars/**").permitAll()
        .antMatchers("/about").permitAll()
        .antMatchers("/admin/**").fullyAuthenticated()
        .antMatchers("/").permitAll();

    // Custom login page; failures bounce back with ?error.
    http.formLogin()
        .loginPage("/login")
        .failureUrl("/login?error")
        .successHandler(customLoginSuccessHandler)
        .permitAll();

    // /logout on any HTTP method; the session and its cookie are dropped.
    http.logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        .logoutSuccessHandler(customLogoutSuccessHandler)
        .invalidateHttpSession(true)
        .deleteCookies("JSESSIONID")
        .permitAll();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    String basePath = "/" + BLOSSOM_BASE_PATH;
    String loginPage = basePath + "/login";

    // Switch-user (impersonation) filter goes right after the authorization interceptor.
    http.addFilterAfter(switchUserProcessingFilter(), FilterSecurityInterceptor.class);

    // This chain serves only the back-office tree; everything in it needs a full login.
    http.antMatcher(basePath + "/**")
        .authorizeRequests()
            .anyRequest().fullyAuthenticated();

    http.formLogin()
        .loginPage(loginPage)
        .failureUrl(loginPage + "?error")
        .successHandler(blossomAuthenticationSuccessHandler)
        .permitAll();

    http.logout()
        .logoutRequestMatcher(new AntPathRequestMatcher(basePath + "/logout"))
        .deleteCookies(BLOSSOM_REMEMBER_ME_COOKIE_NAME)
        .logoutSuccessUrl(loginPage)
        .permitAll();

    http.rememberMe()
        .rememberMeCookieName(BLOSSOM_REMEMBER_ME_COOKIE_NAME);

    // AJAX callers get a bare 401 instead of a redirect to the login page.
    http.exceptionHandling()
        .defaultAuthenticationEntryPointFor(
            (request, response, authException) -> response.sendError(401),
            new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"));

    // Per-user concurrent-session cap; once reached, a new login is refused
    // rather than expiring an older session.
    http.sessionManagement()
        .maximumSessions(webBackOfficeProperties.getMaxSessionsPerUser())
        .maxSessionsPreventsLogin(true)
        .expiredSessionStrategy(new BlossomInvalidSessionStrategy(loginPage))
        .sessionRegistry(sessionRegistry);
}
} // closes the enclosing class (its header is outside this listing)
@Override
protected void configure(HttpSecurity http) throws Exception {
    // URL rules, first match wins: only /profile/** needs a full login.
    // NOTE(review): there is no anyRequest() rule, so paths matching none of
    // these are not covered by this chain's rules — confirm that is intended.
    http.authorizeRequests()
        .antMatchers("/login**").permitAll()
        .antMatchers("/profile/**").fullyAuthenticated()
        .antMatchers("/").permitAll();

    // Custom login page, public; failures bounce back with ?error.
    http.formLogin()
        .loginPage("/login")
        .failureUrl("/login?error")
        .permitAll();

    // Default logout endpoint; the session and its cookie are dropped.
    http.logout()
        .invalidateHttpSession(true)
        .deleteCookies("JSESSIONID")
        .permitAll();
}
/**
 * Declares the URL rules for this sample: only {@code /restricted} needs a
 * full login, every other path is public.
 * <p>
 * Since Spring Security 4.2 the Stormpath configuration is picked up
 * automatically in Spring Boot (it still has to be applied by hand in
 * regular Spring), which is why nothing else is configured here.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        // Rules match in order: the specific path first, the catch-all last.
        .antMatchers("/restricted").fullyAuthenticated()
        .antMatchers("/**").permitAll();
}
} // closes the enclosing class (its header is outside this listing)
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Dedicated chain for the H2 console only; everything under it needs a
    // full login.
    http.antMatcher("/h2-console/**");
    http.authorizeRequests()
        .anyRequest().fullyAuthenticated();

    // CSRF is off for this chain and X-Frame-Options is relaxed to
    // SAMEORIGIN — presumably because the console UI is frame-based.
    http.csrf().disable();
    http.headers().frameOptions().sameOrigin();
}
} // closes the enclosing class (its header is outside this listing)
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Rules are matched top to bottom, first hit wins.
    http.authorizeRequests()
        // Version endpoint needs no login.
        .antMatchers(HttpMethod.GET, "/api/version").permitAll()
        // Event list: any user; single event: admins only.
        .antMatchers(HttpMethod.GET, "/api/event").hasAnyRole(USER_ROLE, ADMIN_ROLE)
        .antMatchers(HttpMethod.GET, "/api/event/{eventId}").hasRole(ADMIN_ROLE)
        // Anything else needs a full (non-remember-me) authentication.
        .anyRequest().fullyAuthenticated();

    // Credentials via HTTP Basic; CSRF tokens are not used on this chain.
    http.httpBasic();
    http.csrf().disable();
}
} // closes the enclosing class (its header is outside this listing)
@Override
public void configure(HttpSecurity http) throws Exception {
    // Every request on this chain needs a full (non-remember-me) login.
    http.authorizeRequests().anyRequest().fullyAuthenticated();

    RequestMatcherConfigurer chainScope = http.requestMatchers();
    // When an authorization server is present, scope this chain to the API
    // tree minus the OAuth2 endpoints (those belong to the server's chain).
    if (endpoints != null) {
        AndRequestMatcher apiOutsideOAuth = new AndRequestMatcher(
            new NotOAuthRequestMatcher(endpoints.oauth2EndpointHandlerMapping()),
            new AntPathRequestMatcher("/" + BLOSSOM_API_BASE_PATH + "/**"));
        chainScope.requestMatchers(apiOutsideOAuth);
    }
}
} // closes the enclosing class (its header is outside this listing)
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Every request needs a full login, presented via HTTP Basic; CSRF
    // tokens are not used on this chain.
    http.authorizeRequests()
        .anyRequest().fullyAuthenticated();
    http.httpBasic();
    http.csrf().disable();
}
} // closes the enclosing class (its header is outside this listing)
/**
 * Declares the URL rules for this sample: only {@code /restricted} needs a
 * full login, every other path is public.
 * <p>
 * Since Spring Security 4.2 the Stormpath configuration is picked up
 * automatically in Spring Boot (it still has to be applied by hand in
 * regular Spring), which is why nothing else is configured here.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        // Rules match in order: the specific path first, the catch-all last.
        .antMatchers("/restricted").fullyAuthenticated()
        .antMatchers("/**").permitAll();
}
http.authorizeRequests().anyRequest().fullyAuthenticated() .and(). formLogin().usernameParameter("name") // 用户名参数