/**
 * Registers the URL authorization rules for this filter chain.
 *
 * <p>Rules are consulted in declaration order and the first matching entry
 * decides. Because the exact {@code "/post"} rule is declared before the
 * {@code DELETE "/post/**"} rule, a {@code DELETE /post} request (if such an
 * endpoint exists) is only required to be authenticated, not to carry
 * {@code ROLE_ADMIN}. No {@code anyRequest()} catch-all is declared, so URLs
 * matching none of the patterns are not constrained by this block.
 *
 * @param http the builder the matchers are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    // Public entry points: landing page, home, registration and login.
    http.authorizeRequests()
            .antMatchers("/", "/home", "/register", "/login").permitAll();

    // Private area and the post endpoints need a logged-in principal.
    http.authorizeRequests()
            .antMatchers("/private/**", "/post", "/post/postComment").authenticated();

    // Deleting posts is reserved for the ROLE_ADMIN authority (matched verbatim).
    http.authorizeRequests()
            .antMatchers(HttpMethod.DELETE, "/post/**").hasAuthority("ROLE_ADMIN");
}
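/**
 * Access rules for this resource server.
 *
 * <p>Matchers are evaluated in declaration order and the first match wins,
 * so the specific {@code GET /api} rule has to come before the {@code /**}
 * catch-all. In the original order the catch-all shadowed it and the
 * {@code ROLE_USER} requirement was never enforced; only "authenticated" was.
 *
 * <p>CSRF is disabled, which is only appropriate if this chain is reached by
 * token-authenticated (non-cookie) clients — confirm against the
 * authentication setup.
 *
 * @param http the builder the rules are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
            // Intercepted users must hold the listed authority for GET /api.
            .antMatchers(HttpMethod.GET, "/api").hasAuthority("ROLE_USER")
            // Everything else only needs an authenticated principal.
            .antMatchers("/**").authenticated();
}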
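/**
 * Access rules for this resource server.
 *
 * <p>Matchers are evaluated in declaration order and the first match wins,
 * so the specific {@code GET /api} rule has to come before the {@code /**}
 * catch-all. In the original order the catch-all shadowed it and the
 * {@code ROLE_USER} requirement was never enforced; only "authenticated" was.
 *
 * <p>CSRF is disabled, which is only appropriate if this chain is reached by
 * token-authenticated (non-cookie) clients — confirm against the
 * authentication setup.
 *
 * @param http the builder the rules are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
            // Intercepted users must hold the listed authority for GET /api.
            .antMatchers(HttpMethod.GET, "/api").hasAuthority("ROLE_USER")
            // Everything else only needs an authenticated principal.
            .antMatchers("/**").authenticated();
}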
// Authorization rules for the TOSCA static assets and the admin/audit REST
// surface. Rules are consulted in declaration order, first match wins: the
// unauthenticated health probe is declared ahead of the /rest/admin/** rule so
// it is not swallowed by the ADMIN requirement. All authorities are matched
// verbatim (hasAuthority / hasAnyAuthority, no "ROLE_" prefix is added).
httpSecurity.authorizeRequests()
        .antMatchers("/static/tosca/**")
            .hasAnyAuthority("ADMIN", "COMPONENTS_MANAGER", "COMPONENTS_BROWSER")
        .antMatchers("/rest/admin/health").permitAll()
        .antMatchers("/rest/admin/**").hasAuthority("ADMIN")
        .antMatchers("/rest/audit/**").hasAuthority("ADMIN")
        .antMatchers("/rest/v1/audit/**").hasAuthority("ADMIN");
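/**
 * HTTP security for the storefront API.
 *
 * <p>A JWT filter is inserted ahead of HTTP Basic so bearer tokens are
 * resolved before authorization runs. Catalogue reads, the cart and the
 * Swagger resources are public; everything else needs an authenticated user.
 *
 * <p>The original chain declared {@code anyRequest()} twice
 * ({@code authenticated()} followed by {@code hasAuthority("admin")}). Only the
 * first registered {@code anyRequest()} can ever match, and newer Spring
 * Security versions reject the second at startup, so the unreachable
 * {@code hasAuthority("admin")} rule has been dropped. If "admin"-only access
 * was the intent, replace the single {@code anyRequest()} rule rather than
 * adding another.
 *
 * <p>No session-creation policy and no authentication entry point are set
 * here (both were left commented out in the original), and CSRF is disabled —
 * confirm this chain is only reached by token-bearing clients.
 *
 * @param http the builder the filter and rules are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // Resolve the JWT before Basic authentication would challenge.
        .addFilterBefore(jwtAuthenticationTokenFilter(), BasicAuthenticationFilter.class)
        .authorizeRequests()
            // Public catalogue: images, product and group reads, cart.
            .antMatchers("/product/image/**").permitAll()
            .antMatchers(HttpMethod.GET, "/product/**").permitAll()
            .antMatchers(HttpMethod.GET, "/group/**").permitAll()
            .antMatchers("/cart/**").permitAll()
            // Swagger / OpenAPI resources.
            .antMatchers("/v2/**").permitAll()
            .antMatchers("/swagger-ui.html").permitAll()
            .antMatchers("/webjars/**").permitAll()
            .antMatchers("/swagger-resources/**").permitAll()
            // Single catch-all; see the Javadoc for the removed duplicate.
            .anyRequest().authenticated()
        .and().formLogin()
            .successHandler(authenticationSuccessHandler)
            .failureHandler(authenticationFailureHandler)
        // From https://github.com/bfwg/springboot-jwt-starter
        .and().csrf().disable();
}
}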
/**
 * HTTP security for the JWT-protected API.
 *
 * <p>Three URLs are restricted and everything else is open. Ant patterns are
 * case-sensitive and the exact {@code "/admin"} pattern does not cover
 * {@code "/admin/..."} — presumably intentional, verify against the controllers.
 * Unauthenticated and forbidden requests are routed to the injected handlers;
 * the chain is stateless and CSRF is disabled, which assumes every client
 * authenticates with a token rather than a session cookie.
 *
 * @param http the builder the rules, handlers and filter are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // URL rules, first match wins.
    http.authorizeRequests()
            .antMatchers("/auth").authenticated()          // must carry a valid token
            .antMatchers("/admin").hasAuthority("admin")   // needs the "admin" authority (verbatim)
            .antMatchers("/ADMIN").hasRole("ADMIN")        // needs the ROLE_ADMIN authority
            .anyRequest().permitAll();                     // everything else is open

    // Handling when a request is intercepted.
    http.exceptionHandling()
            .authenticationEntryPoint(this.unauthorizedHandler) // token missing or invalid
            .accessDeniedHandler(this.accessDeniedHandler);     // authenticated but not allowed

    // Disable Spring Security's built-in CSRF handling and do not create or use a session.
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Core of the JSON Web Token setup: just before Spring Security decides whether
    // this call is authorized, parse the token and write the user's authorities into
    // the current security context.
    http.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
}
}
/**
 * Form-login security for the user-management pages.
 *
 * <p>Static assets are public, the index page is open to both roles, the
 * user pages are admin-only and any other URL needs an authenticated session.
 * CSRF stays enabled except for {@code LOGIN_URL} and {@code USERS_URL}.
 *
 * @param http the builder the rules and login/logout settings are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/css/**").permitAll()
            .antMatchers("/js/**").permitAll()
            .antMatchers(INDEX_URL).hasAnyAuthority(ADMIN_ROLE, USER_ROLE)
            .antMatchers(USERS_URL).hasAuthority(ADMIN_ROLE)
            .antMatchers(ADD_USER_URL).hasAuthority(ADMIN_ROLE)
            .anyRequest().authenticated();

    http.formLogin()
            .loginPage(LOGIN_URL)
            .permitAll()
            .loginProcessingUrl(LOGIN_URL)
            .defaultSuccessUrl(INDEX_URL);

    http.logout().permitAll();

    // USERS_URL is an admin-only endpoint reached by a session-authenticated
    // browser, so exempting it from CSRF means a forged cross-site request to
    // it would not be rejected by the CsrfFilter — confirm this is intended.
    http.csrf().ignoringAntMatchers(LOGIN_URL, USERS_URL);
}
}
/**
 * Form-login security with an admin area.
 *
 * <p>Root, login and registration are public; {@code /admin/**} needs the
 * {@code ADMIN} authority (matched verbatim); everything else needs an
 * authenticated session. Login reads the {@code email}/{@code password}
 * parameters and lands on the admin home page.
 *
 * @param http the builder the rules and login/logout settings are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/login").permitAll()
            .antMatchers("/registration").permitAll()
            .antMatchers("/admin/**").hasAuthority("ADMIN")
            .anyRequest().authenticated();

    // CSRF protection is switched off although this is a cookie/session
    // form-login application, so state-changing admin requests are not
    // protected against cross-site request forgery — verify this is intentional.
    http.csrf().disable();

    http.formLogin()
            .loginPage("/login")
            .failureUrl("/login?error=true")
            .defaultSuccessUrl("/admin/home")
            .usernameParameter("email")
            .passwordParameter("password");

    http.logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/");

    http.exceptionHandling().accessDeniedPage("/access-denied");
}
/**
 * Form-login security with an admin area.
 *
 * <p>Root, login and registration are public; {@code /admin/**} needs the
 * {@code ADMIN} authority (matched verbatim); everything else needs an
 * authenticated session. Login reads the {@code email}/{@code password}
 * parameters and lands on the admin home page.
 *
 * @param http the builder the rules and login/logout settings are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/login").permitAll()
            .antMatchers("/registration").permitAll()
            .antMatchers("/admin/**").hasAuthority("ADMIN")
            .anyRequest().authenticated();

    // CSRF protection is switched off although this is a cookie/session
    // form-login application, so state-changing admin requests are not
    // protected against cross-site request forgery — verify this is intentional.
    http.csrf().disable();

    http.formLogin()
            .loginPage("/login")
            .failureUrl("/login?error=true")
            .defaultSuccessUrl("/admin/home")
            .usernameParameter("email")
            .passwordParameter("password");

    http.logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/");

    http.exceptionHandling().accessDeniedPage("/access-denied");
}
/**
 * CAS single-sign-on security for this application.
 *
 * <p>Wires the CAS authentication filter plus the single-sign-out and global
 * logout filters ahead of the filters they must pre-empt, writes the CSRF
 * cookie after the {@code CsrfFilter} has run, and routes unauthenticated
 * requests to the CAS entry point. Filter registration order is preserved from
 * the original chain.
 *
 * @param http the builder the filters and rules are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class);
    http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint());
    http.addFilter(casAuthenticationFilter());
    http.addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class);
    http.addFilterBefore(requestCasGlobalLogoutFilter(), LogoutFilter.class);

    // X-Frame-Options is dropped for every response, i.e. no clickjacking protection.
    http.headers().frameOptions().disable();

    http.authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/login", "/logout", "/secure").authenticated()
            .antMatchers("/filtered").hasAuthority(AuthoritiesConstants.ADMIN)
            .anyRequest().authenticated();

    // XML equivalent: <logout invalidate-session="true" delete-cookies="JSESSIONID" />
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/")
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID");
    // CSRF is left at the HttpSecurity default; the explicit http.csrf() call
    // was commented out in the original.
}
}
/**
 * Access rules for the OAuth-protected API.
 *
 * <p>The whole chain is scoped by {@code OAuthRequestedMatcher}, so only
 * requests that matcher accepts are evaluated here. Anonymous authentication
 * is switched off, so an unauthenticated caller carries no principal at all.
 * CSRF is disabled, which assumes clients authenticate with a bearer token
 * rather than a session cookie. Rules are matched in order; the trailing
 * {@code /api/**} rule catches everything under {@code /api} not listed above it.
 *
 * @param http the builder for this filter chain
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.requestMatcher(new OAuthRequestedMatcher());
    http.csrf().disable();
    http.anonymous().disable();

    http.authorizeRequests()
            // CORS preflight is never challenged.
            .antMatchers(HttpMethod.OPTIONS).permitAll()
            // hasRole/hasAnyRole (and the SpEL hasAnyRole()) prepend "ROLE_":
            // write "USER" here to match the "ROLE_USER" authority.
            .antMatchers("/api/hello").access("hasAnyRole('USER')")
            .antMatchers("/api/me").hasAnyRole("USER", "ADMIN")
            .antMatchers("/api/admin").hasRole("ADMIN")
            // hasAuthority takes the authority string verbatim.
            .antMatchers("/api/registerUser").hasAuthority("ROLE_REGISTER")
            // Anything else under /api just needs an authenticated principal.
            .antMatchers("/api/**").authenticated();
}
/**
 * Security for the Flowable admin application.
 *
 * <p>Authentication comes from the Flowable cookie filter, which runs ahead
 * of the form-login filter. Logout goes through an AJAX-friendly handler and
 * clears the Flowable cookie. Only the admin privilege may reach the app REST
 * API; no {@code anyRequest()} rule is declared, so other URLs in this chain
 * are not constrained here.
 *
 * @param http the builder the filter, logout and rules are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.addFilterBefore(flowableCookieFilterRegistrationBean.getFilter(),
            UsernamePasswordAuthenticationFilter.class);

    http.logout()
            .logoutUrl("/app/logout")
            .logoutSuccessHandler(ajaxLogoutSuccessHandler)
            .addLogoutHandler(new ClearFlowableCookieLogoutHandler())
            .deleteCookies(CookieConstants.COOKIE_NAME);

    // CSRF is disabled although authentication is cookie-based (see the filter
    // above) — confirm the REST endpoints cannot be driven by forged cross-site
    // browser requests.
    http.csrf().disable();

    http.authorizeRequests()
            .antMatchers("/app/rest/**").hasAuthority(DefaultPrivileges.ACCESS_ADMIN);
}
}
/**
 * Form-login security with an admin area, remember-me and relaxed headers.
 *
 * <p>{@code /admin/**} needs the authority string of {@code Role.ADMIN};
 * images are public. No {@code anyRequest()} rule is declared, so other URLs
 * are not constrained by this block. Remember-me tokens are persisted through
 * the injected repository.
 *
 * @param http the builder the rules, login/logout and headers are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/admin/**").hasAuthority(Role.ADMIN.toString())
            .antMatchers("/image/**").permitAll();

    http.formLogin()
            .loginPage("/signin")
            .defaultSuccessUrl("/")
            .permitAll();

    http.logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .permitAll();

    // CSRF checks are skipped for the whole admin area even though it sits
    // behind a session-authenticated login, so a forged cross-site POST to
    // /admin/** would not be rejected — verify this exemption is intended.
    // (An additional /oauth exemption was present but commented out.)
    http.csrf().ignoringAntMatchers("/admin/**");

    // X-Frame-Options is dropped for every response (no clickjacking protection).
    http.headers().frameOptions().disable();
    http.rememberMe().tokenRepository(reMemberMeRepository);
}
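/**
 * Access rules for the users resource.
 *
 * <p>Matchers are evaluated in declaration order and the first match wins,
 * so the method-specific {@code /users} rules must precede the {@code /**}
 * catch-all. In the original order the catch-all shadowed them and the
 * {@code READ}/{@code WRITE} authorities were never enforced.
 *
 * <p>CSRF is disabled, which is only appropriate if this chain is reached by
 * token-authenticated (non-cookie) clients — confirm against the
 * authentication setup.
 *
 * @param http the builder the rules are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
            // Specific rules first; the catch-all below would otherwise shadow them.
            .antMatchers(HttpMethod.GET, "/users").hasAuthority("READ")
            .antMatchers(HttpMethod.POST, "/users").hasAuthority("WRITE")
            // Everything else only needs an authenticated principal.
            .antMatchers("/**").authenticated();
}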
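/**
 * Access rules for the foo resource.
 *
 * <p>Matchers are evaluated in declaration order and the first match wins,
 * so the {@code GET /foo} rule must precede the {@code /**} catch-all. In the
 * original order the catch-all shadowed it and {@code FOO_READ} was never
 * enforced. Write access is deliberately not restricted at the URL level;
 * the original notes that it is enforced by method-invocation security instead.
 *
 * <p>CSRF is disabled, which is only appropriate if this chain is reached by
 * token-authenticated (non-cookie) clients — confirm against the
 * authentication setup.
 *
 * @param http the builder the rules are registered on
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
            // Intercepted users must hold the listed authority for GET /foo.
            .antMatchers(HttpMethod.GET, "/foo").hasAuthority("FOO_READ")
            // A POST /foo -> FOO_WRITE rule could be added here; the original
            // left it out to demonstrate method-invocation security on writes.
            // Everything else only needs an authenticated principal.
            .antMatchers("/**").authenticated();
}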
/**
 * Access rules for the OAuth-protected API.
 *
 * <p>The chain is scoped by {@code OAuthRequestedMatcher} and anonymous
 * authentication is switched off. Unlike a configuration with a trailing
 * {@code /api/**} rule, no catch-all is declared here, so {@code /api} URLs
 * other than the three listed are not constrained by this block.
 *
 * @param http the builder for this filter chain
 * @throws Exception propagated from the {@link HttpSecurity} DSL
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.requestMatcher(new OAuthRequestedMatcher());
    http.anonymous().disable();

    http.authorizeRequests()
            // CORS preflight is never challenged.
            .antMatchers(HttpMethod.OPTIONS).permitAll()
            // Role-based rules prepend "ROLE_"; "USER" matches the "ROLE_USER" authority.
            .antMatchers("/api/hello").access("hasAnyRole('USER')")
            .antMatchers("/api/me").hasAnyRole("USER", "ADMIN")
            // hasAuthority takes the authority string verbatim.
            .antMatchers("/api/register").hasAuthority("ROLE_REGISTER");
}