List of usage examples for org.springframework.security.config.annotation.web.builders HttpSecurity headers
public HeadersConfigurer<HttpSecurity> headers() throws Exception
From source file:org.opentestsystem.ap.ivs.config.SecurityConfig.java
@Override public void configure(final HttpSecurity http) throws Exception { http.csrf().disable().authorizeRequests().antMatchers("/manage/info*", "/manage/health*", "/api/**") .permitAll().anyRequest().authenticated().and().httpBasic(); // disable page caching http.headers().cacheControl(); }
From source file:org.opentestsystem.ap.irs.config.SecurityConfig.java
@Override public void configure(final HttpSecurity http) throws Exception { http.csrf().disable().authorizeRequests() // Allow access to basic actuator endpoints .antMatchers("/manage/info*", "/manage/health*", "/api/**").permitAll().anyRequest().authenticated() .and().httpBasic();/*from w w w. j a v a 2 s .c o m*/ // disable page caching http.headers().cacheControl(); }
From source file:com.mysample.springbootsample.config.SecurityConfig.java
@Override protected void configure(HttpSecurity httpSecurity) throws Exception { // Security configuration for H2 console access // !!!! You MUST NOT use this configuration for PRODUCTION site !!!! httpSecurity.authorizeRequests().antMatchers("/console/**").permitAll(); httpSecurity.csrf().disable();/*from w ww . j a v a 2s .co m*/ httpSecurity.headers().frameOptions().disable(); // static resources httpSecurity.authorizeRequests() .antMatchers("/css/**", "/js/**", "/images/**", "/resources/**", "/webjars/**").permitAll(); httpSecurity.authorizeRequests().antMatchers("/signin").anonymous().anyRequest().authenticated().and() .formLogin().loginPage("/signin").loginProcessingUrl("/sign-in-process.html") .failureUrl("/signin?error").usernameParameter("username").passwordParameter("password") .defaultSuccessUrl("/admin/dashboard.html", true).and().logout().logoutSuccessUrl("/signin?logout"); httpSecurity.exceptionHandling().accessDeniedPage("/admin/dashboard.html"); httpSecurity.sessionManagement().invalidSessionUrl("/signin"); }
From source file:com.castlemock.war.config.SecurityConfig.java
/** * The method configure is responsible for the security configuration. * * @param httpSecurity httpSecurity will be used to configure the authentication process. * @throws Exception Throws an exception if the configuration fails *///from ww w. j a v a 2s . co m @Override protected void configure(final HttpSecurity httpSecurity) throws Exception { httpSecurity.authorizeRequests().antMatchers("/web/**").authenticated().and().formLogin() .loginPage("/login").failureUrl("/login?error").usernameParameter("username") .passwordParameter("password").and().logout().logoutSuccessUrl("/login?logout").and().csrf().and() .rememberMe().tokenRepository(tokenRepository).tokenValiditySeconds(tokenValiditySeconds).and() .exceptionHandling().accessDeniedPage("/forbidden"); httpSecurity.authorizeRequests().antMatchers("/mock/**").permitAll().and().csrf().disable(); httpSecurity.headers().cacheControl().disable(); }
From source file:com.xiovr.unibot.config.WebSecurityConfig.java
@Override protected void configure(HttpSecurity http) throws Exception { // http.authorizeRequests().antMatchers("/css/**", "/images/**, /js/**") // .permitAll().anyRequest().authenticated(); ///* w w w .j a v a 2 s . c o m*/ // http.formLogin().failureUrl("/login").loginPage("/login") // .loginProcessingUrl("/login/submit") // .usernameParameter("username").passwordParameter("password") // .defaultSuccessUrl("/", false).permitAll(); // http.logout().logoutUrl("/logout").invalidateHttpSession(true) // .permitAll(); http.headers().addHeaderWriter( new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN)); http.headers().xssProtection(); http.headers().cacheControl(); http.headers().contentTypeOptions(); HstsHeaderWriter writer = new HstsHeaderWriter(false); writer.setRequestMatcher(AnyRequestMatcher.INSTANCE); http.headers().addHeaderWriter(writer); http.csrf().disable(); http.authorizeRequests().antMatchers("/css/**", "/images/**").permitAll().anyRequest().authenticated(); http.formLogin().usernameParameter("username").passwordParameter("password").loginPage("/login") .loginProcessingUrl("/login/submit").defaultSuccessUrl("/", false).permitAll().and() .exceptionHandling().accessDeniedPage("/error").and().logout().permitAll(); }
From source file:org.devgateway.toolkit.forms.FormsSecurityConfig.java
@Override protected void configure(final HttpSecurity http) throws Exception { super.configure(http); // we do not allow anyonymous token. When // enabled this basically means any guest // user will have an annoymous default role http.anonymous().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER). //we let Wicket create and manage sessions, so we disable //session creation by spring and().csrf().disable(); // csrf protection interferes with some wicket stuff // we enable http rememberMe cookie for autologin // http.rememberMe().key(UNIQUE_SECRET_REMEMBER_ME_KEY); // resolved the error Refused to display * in a frame because it set // 'X-Frame-Options' to 'DENY'. http.headers().contentTypeOptions().and().xssProtection().and().cacheControl().and() .httpStrictTransportSecurity().and().frameOptions().sameOrigin(); }
From source file:org.owasp.webgoat.WebSecurityConfig.java
@Override protected void configure(HttpSecurity http) throws Exception { ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http .authorizeRequests().antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**") .permitAll().antMatchers("/servlet/AdminServlet/**").hasAnyRole("WEBGOAT_ADMIN", "SERVER_ADMIN") // .antMatchers("/JavaSource/**").hasRole("SERVER_ADMIN") // .anyRequest().hasAnyRole("WEBGOAT_USER", "WEBGOAT_ADMIN", "SERVER_ADMIN"); security.and().formLogin().loginPage("/login").defaultSuccessUrl("/welcome.mvc", true) .usernameParameter("username").passwordParameter("password").permitAll(); security.and().logout().permitAll(); security.and().csrf().disable();/*from w ww .j a v a2s . c o m*/ http.headers().cacheControl().disable(); http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login")); }
From source file:com.esquema.seguridad.ApplicationSecurity.java
@Override protected void configure(HttpSecurity http) throws Exception { /* Inicio/*from ww w . ja v a2 s . c o m*/ *********************** Manejo de sesin y autenticacin **************************************/ http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests() .antMatchers("/esquema/**").fullyAuthenticated().and().httpBasic(); //.formLogin(); /********************** Manejo de sesin y autenticacin *************************************** * Fin */ /* Inicio *********************** Manejo de sesin y autenticacin **************************************/ http.authorizeRequests().antMatchers("/").permitAll().and().authorizeRequests() .antMatchers("/h2/**", "/H2/**").permitAll(); http.csrf().disable(); http.headers().frameOptions().disable(); /********************** Manejo de sesin y autenticacin *************************************** * Fin */ /* Inicio *********************** Hace que el request sea solo por HTTPS ************************************** http .requiresChannel().antMatchers("/escribe tu ruta aqu/**").requiresSecure(); http.csrf().disable(); /********************** Hace que el request sea solo por HTTPS *************************************** * Fin */ }
From source file:org.createnet.raptor.auth.service.JWTWebSecurityConfigurationAdapter.java
@Override protected void configure(HttpSecurity httpSecurity) throws Exception { httpSecurity/*from w w w.jav a 2s.c om*/ // we don't need CSRF because our token is invulnerable .csrf().disable().exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and() // don't create session .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().cors().and() .authorizeRequests().antMatchers(authenticationPath).permitAll().antMatchers(authenticationRefresh) .permitAll().antMatchers("/v2/api-docs").permitAll() // keep this method private to allow sync beetween api and auth .antMatchers("/sync").hasIpAddress("127.0.0.1").anyRequest().authenticated(); // Custom JWT based security filter httpSecurity.addFilterBefore(authenticationTokenFilterBean(), JsonUsernamePasswordFilter.class); // disable page caching httpSecurity.headers().cacheControl(); }
From source file:ch.ge.ve.protopoc.config.WebSecurityConfigurer.java
@Override protected void configure(HttpSecurity httpSecurity) throws Exception { httpSecurity// ww w .j a va 2 s . c o m // don't create session .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and() // restrict access for some URLs .authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll() .antMatchers("/api/accounts/*").denyAll().antMatchers("/auth/login").permitAll().antMatchers("/") .permitAll().anyRequest().fullyAuthenticated().and() // JWT tokens are immune to CSRF, // see http://stackoverflow.com/questions/21357182/csrf-token-necessary-when-using-stateless-sessionless-authentication .csrf().disable(); // Custom JWT based security filter httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class); // disable page caching httpSecurity.headers().cacheControl(); }