/**
 * Web-security entry point for this filter chain: anonymous access to the versions
 * controller, the admin role for Actuator, HTTP Basic for credentials, and the
 * Strict-Transport-Security header at Spring's defaults.
 *
 * <p>Review notes on what this chain does and does not constrain:
 * <ul>
 *   <li>Only two URL patterns carry an authorization rule. There is no
 *       {@code anyRequest()} rule, so every other path is outside this
 *       configuration's access control and relies on whatever defaults or other
 *       filter chains apply. Add {@code .anyRequest().authenticated()} (or
 *       {@code denyAll()}) if that is not the intent.</li>
 *   <li>{@code hasRole("admin")} is Spring's role expression, which prefixes the
 *       name with {@code ROLE_}; the granted authority therefore has to be
 *       {@code ROLE_admin}, not {@code admin} — confirm against the user store.</li>
 *   <li>HTTP Basic sends credentials on every request; it is only acceptable over
 *       TLS, which is why HSTS is enabled on the same chain.</li>
 *   <li>{@code httpStrictTransportSecurity()} is called with no further settings,
 *       so max-age / includeSubDomains stay at Spring's defaults.</li>
 * </ul>
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Authorization rules: anonymous version lookup, admin-only Actuator endpoints.
    http.authorizeRequests()
        .antMatchers("/" + Endpoints.VERSIONS_CONTROLLER + "/**").permitAll()
        .antMatchers("/actuator/**").hasRole("admin");

    // Credentials are collected via an HTTP Basic challenge.
    http.httpBasic();

    // Strict-Transport-Security header, default settings.
    http.headers().httpStrictTransportSecurity();
}
.frameOptions() .sameOrigin() .httpStrictTransportSecurity() .disable(); http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
.xssProtection() .and() .httpStrictTransportSecurity() .and() .frameOptions()
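/**
 * Configures the Strict-Transport-Security response header from environment
 * properties and returns the builder for further chaining.
 *
 * <p>Properties read (all optional):
 * <ul>
 *   <li>{@code http.hsts.enabled} — default {@code true}; when {@code false} the
 *       HSTS header writer is removed and no header is sent.</li>
 *   <li>{@code http.hsts.include-sub-domains} — default {@code true}. This pins
 *       every subdomain of the serving host to HTTPS for the whole max-age;
 *       plain-HTTP subdomains become unreachable for browsers that have seen the
 *       header.</li>
 *   <li>{@code http.hsts.max-age} — seconds, default {@code 31536000} (one year).</li>
 * </ul>
 *
 * <p>NOTE(review): Spring Security's HSTS writer by default only emits the header
 * on requests it considers secure, so this setting is silent when TLS is
 * terminated upstream and the forwarded scheme is not honoured — confirm the
 * proxy / forwarded-header handling in this deployment.
 *
 * @param security the {@link HttpSecurity} being built
 * @return the same {@link HttpSecurity}, for chaining
 * @throws Exception propagated from the Spring Security builder API
 */
private HttpSecurity hsts(HttpSecurity security) throws Exception {
    HeadersConfigurer<HttpSecurity>.HstsConfig hstsConfig =
        security.headers().httpStrictTransportSecurity();

    // Primitive boolean: the default passed to getProperty guarantees a non-null
    // result, so there is no reason to hold a boxed Boolean and auto-unbox it in the if.
    boolean hstsEnabled = environment.getProperty("http.hsts.enabled", Boolean.class, true);
    if (!hstsEnabled) {
        // Explicit opt-out: remove the HSTS header writer entirely.
        return hstsConfig.disable().and();
    }

    boolean includeSubDomains =
        environment.getProperty("http.hsts.include-sub-domains", Boolean.class, true);
    long maxAgeSeconds = environment.getProperty("http.hsts.max-age", Long.class, 31536000L);

    // .and() once to leave HstsConfig, once more to leave HeadersConfigurer.
    return hstsConfig
        .includeSubDomains(includeSubDomains)
        .maxAgeInSeconds(maxAgeSeconds)
        .and()
        .and();
}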
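/**
 * Configures the Strict-Transport-Security response header from environment
 * properties and returns the builder for further chaining.
 *
 * <p>Properties read (all optional):
 * <ul>
 *   <li>{@code http.hsts.enabled} — default {@code true}; when {@code false} the
 *       HSTS header writer is removed and no header is sent.</li>
 *   <li>{@code http.hsts.include-sub-domains} — default {@code true}. This pins
 *       every subdomain of the serving host to HTTPS for the whole max-age;
 *       plain-HTTP subdomains become unreachable for browsers that have seen the
 *       header.</li>
 *   <li>{@code http.hsts.max-age} — seconds, default {@code 31536000} (one year).</li>
 * </ul>
 *
 * <p>NOTE(review): Spring Security's HSTS writer by default only emits the header
 * on requests it considers secure, so this setting is silent when TLS is
 * terminated upstream and the forwarded scheme is not honoured — confirm the
 * proxy / forwarded-header handling in this deployment.
 *
 * @param security the {@link HttpSecurity} being built
 * @return the same {@link HttpSecurity}, for chaining
 * @throws Exception propagated from the Spring Security builder API
 */
private HttpSecurity hsts(HttpSecurity security) throws Exception {
    HeadersConfigurer<HttpSecurity>.HstsConfig hstsConfig =
        security.headers().httpStrictTransportSecurity();

    // Primitive boolean: the default passed to getProperty guarantees a non-null
    // result, so there is no reason to hold a boxed Boolean and auto-unbox it in the if.
    boolean hstsEnabled = environment.getProperty("http.hsts.enabled", Boolean.class, true);
    if (!hstsEnabled) {
        // Explicit opt-out: remove the HSTS header writer entirely.
        return hstsConfig.disable().and();
    }

    boolean includeSubDomains =
        environment.getProperty("http.hsts.include-sub-domains", Boolean.class, true);
    long maxAgeSeconds = environment.getProperty("http.hsts.max-age", Long.class, 31536000L);

    // .and() once to leave HstsConfig, once more to leave HeadersConfigurer.
    return hstsConfig
        .includeSubDomains(includeSubDomains)
        .maxAgeInSeconds(maxAgeSeconds)
        .and()
        .and();
}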
/**
 * Enables HSTS and the HTTP-to-HTTPS channel redirect only when TLS is on and HSTS
 * is explicitly enabled; otherwise removes the HSTS header writer.
 *
 * <p>Security-relevant shape of this method, as written:
 * <ul>
 *   <li>{@code requiresSecure()} is applied only to requests matched by
 *       {@code browserHtmlRequestMatcher}. Non-browser requests (XHR/REST) on the
 *       plain HTTP port are therefore not redirected and may carry credentials in
 *       clear text; if that is not acceptable, widen the matcher or close the HTTP
 *       connector.</li>
 *   <li>HSTS is configured only in the TLS branch, so it is never advertised from
 *       a plain-HTTP-only deployment.</li>
 *   <li>The port mapper tells the redirect which HTTPS port corresponds to the HTTP
 *       port being served; a wrong {@code sslPort} sends browsers to a dead
 *       address.</li>
 * </ul>
 *
 * @param http the {@link HttpSecurity} being built
 * @throws Exception propagated from the Spring Security builder API
 */
private void configureHSTS(HttpSecurity http) throws Exception {
    HeadersConfigurer<HttpSecurity>.HstsConfig hstsConfig = http.headers().httpStrictTransportSecurity();

    // Without TLS (or with HSTS switched off) there is nothing to pin: drop the writer.
    boolean tlsWithHsts = sslOn && sslHstsEnabled;
    if (!tlsWithHsts) {
        hstsConfig.disable();
        return;
    }

    // Map the plain port to its TLS counterpart so the redirect below knows its target.
    http.portMapper().http(webPort).mapsTo(sslPort);

    // Set REQUIRES_SECURE_CHANNEL on browser HTML requests only: ChannelProcessingFilter
    // then answers those with a 302 to https://. XHR/REST requests are deliberately left alone.
    http.requiresChannel().requestMatchers(browserHtmlRequestMatcher).requiresSecure();

    hstsConfig.maxAgeInSeconds(sslHstsMaxAge).includeSubDomains(sslHstsIncludeSubDomains);
}