org.springframework.security.web.authentication.www.BasicAuthenticationFilter Java Examples

The following examples show how to use org.springframework.security.web.authentication.www.BasicAuthenticationFilter. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: TokenAuthFilterConfigurer.java    From haven-platform with Apache License 2.0 6 votes vote down vote up
@Override
public void configure(H http) throws Exception {

    AuthenticationTokenFilter af = getAuthenticationFilter();
    if(authenticationDetailsSource != null) {
        af.setAuthenticationDetailsSource(authenticationDetailsSource);
    }
    af.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
    af.setAuthenticationSuccessHandler(new AuthenticationStubSuccessHandler());
    SessionAuthenticationStrategy sessionAuthenticationStrategy = http.getSharedObject(SessionAuthenticationStrategy.class);
    if(sessionAuthenticationStrategy != null) {
        af.setSessionAuthenticationStrategy(sessionAuthenticationStrategy);
    }
    AuthenticationTokenFilter filter = postProcess(af);
    filter.setContinueChainAfterSuccessfulAuthentication(true);
    http.addFilterBefore(filter, BasicAuthenticationFilter.class);
}
 
Example #2
Source File: WebSecurityConfig.java    From devicehive-java-server with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/css/**", "/server/**", "/scripts/**", "/webjars/**", "/templates/**").permitAll()
            .antMatchers("/*/swagger.json", "/*/swagger.yaml").permitAll()
            .and()
            .anonymous().disable()
            .exceptionHandling()
            .authenticationEntryPoint(unauthorizedEntryPoint());

    http
            .addFilterBefore(new SimpleCORSFilter(), BasicAuthenticationFilter.class)
            .addFilterAfter(new HttpAuthenticationFilter(authenticationManager()), SimpleCORSFilter.class);
}
 
Example #3
Source File: WebSecurityConfig.java    From devicehive-java-server with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/css/**", "/server/**", "/scripts/**", "/webjars/**", "/templates/**").permitAll()
            .antMatchers("/*/swagger.json", "/*/swagger.yaml").permitAll()
            .and()
            .anonymous().disable()
            .exceptionHandling()
            .authenticationEntryPoint(unauthorizedEntryPoint());

    http
            .addFilterBefore(new SimpleCORSFilter(), BasicAuthenticationFilter.class)
            .addFilterAfter(new HttpAuthenticationFilter(authenticationManager()), SimpleCORSFilter.class);
}
 
Example #4
Source File: WebSecurityConfig.java    From devicehive-java-server with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/css/**", "/server/**", "/scripts/**", "/webjars/**", "/templates/**").permitAll()
            .antMatchers("/*/swagger.json", "/*/swagger.yaml").permitAll()
            .and()
            .anonymous().disable()
            .exceptionHandling()
            .authenticationEntryPoint(unauthorizedEntryPoint());

    http
            .addFilterBefore(new SimpleCORSFilter(), BasicAuthenticationFilter.class)
            .addFilterAfter(new HttpAuthenticationFilter(authenticationManager()), SimpleCORSFilter.class);
}
 
Example #5
Source File: SecurityConfig.java    From spring-boot-security-example with MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.
            csrf().disable().
            sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).
            and().
            authorizeRequests().
            antMatchers(actuatorEndpoints()).hasRole(backendAdminRole).
            anyRequest().authenticated().
            and().
            anonymous().disable().
            exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint());

    http.addFilterBefore(new AuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class).
            addFilterBefore(new ManagementEndpointAuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class);
}
 
Example #6
Source File: WebSecurityConfig.java    From spring-boot-security-saml-sample with Apache License 2.0 6 votes vote down vote up
/**
 * Defines the web based security configuration.
 * 
 * @param   http It allows configuring web based security for specific http requests.
 * @throws  Exception 
 */
@Override  
protected void configure(HttpSecurity http) throws Exception {
    http
        .httpBasic()
            .authenticationEntryPoint(samlEntryPoint());      
    http
    		.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
    		.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
    		.addFilterBefore(samlFilter(), CsrfFilter.class);
    http        
        .authorizeRequests()
       		.antMatchers("/").permitAll()
       		.antMatchers("/saml/**").permitAll()
       		.antMatchers("/css/**").permitAll()
       		.antMatchers("/img/**").permitAll()
       		.antMatchers("/js/**").permitAll()
       		.anyRequest().authenticated();
    http
    		.logout()
    			.disable();	// The logout procedure is already handled by SAML filters.
}
 
Example #7
Source File: SecurityFilterConfig.java    From cosmo with Apache License 2.0 6 votes vote down vote up
@Bean
public FilterRegistrationBean<?> securityFilterChain() {
    FilterSecurityInterceptor securityFilter = new FilterSecurityInterceptor();
    securityFilter.setAuthenticationManager(this.authManager);
    securityFilter.setAccessDecisionManager(this.davDecisionManager);
    LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> metadata = new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();
    metadata.put(AnyRequestMatcher.INSTANCE, SecurityConfig.createList(ROLES));
    securityFilter.setSecurityMetadataSource(new DefaultFilterInvocationSecurityMetadataSource(metadata));

    /*
     * Note that the order in which filters are defined is highly important.
     */
    SecurityFilterChain filterChain = new DefaultSecurityFilterChain(AnyRequestMatcher.INSTANCE,
            this.cosmoExceptionFilter, this.extraTicketFilter, this.ticketFilter,
            new BasicAuthenticationFilter(authManager, this.authEntryPoint), securityFilter);
    FilterChainProxy proxy = new FilterChainProxy(filterChain);
    proxy.setFirewall(this.httpFirewall);
    FilterRegistrationBean<?> filterBean = new FilterRegistrationBean<>(proxy);
    filterBean.addUrlPatterns(PATH_DAV);
    return filterBean;
}
 
Example #8
Source File: WebSecurityConfig.java    From springboot-jwt-starter with MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS ).and()
            .exceptionHandling().authenticationEntryPoint( restAuthenticationEntryPoint ).and()
            .authorizeRequests()
            .antMatchers(
                    HttpMethod.GET,
                    "/",
                    "/auth/**",
                    "/webjars/**",
                    "/*.html",
                    "/favicon.ico",
                    "/**/*.html",
                    "/**/*.css",
                    "/**/*.js"
            ).permitAll()
            .antMatchers("/auth/**").permitAll()
            .anyRequest().authenticated().and()
            .addFilterBefore(new TokenAuthenticationFilter(tokenHelper, jwtUserDetailsService), BasicAuthenticationFilter.class);

    http.csrf().disable();
}
 
Example #9
Source File: SecurityConfig.java    From WeBASE-Node-Manager with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.exceptionHandling().accessDeniedHandler(jsonAccessDeniedHandler); // 无权访问 JSON 格式的数据
    http.formLogin().loginPage("/login") // login page
        .loginProcessingUrl("/account/login") // login request uri
        .usernameParameter("account").passwordParameter("accountPwd").permitAll()
        .successHandler(loginSuccessHandler) // if login success
        .failureHandler(loginfailHandler) // if login fail
        .and().authorizeRequests()
        .antMatchers("/account/login", "/account/pictureCheckCode",
            "/login","/user/privateKey/**", "/encrypt")
        .permitAll()
        .anyRequest().authenticated().and().csrf()
        .disable() // close csrf
        .addFilterBefore(new TokenAuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class)
        .httpBasic().authenticationEntryPoint(jsonAuthenticationEntryPoint).and().logout()
        .logoutUrl("/account/logout")
        .logoutSuccessHandler(jsonLogoutSuccessHandler)
        .permitAll();
}
 
Example #10
Source File: InsightsSecurityConfigurationAdapterKerberos.java    From Insights with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
	LOG.debug("message Inside InsightsSecurityConfigurationAdapterKerberos,HttpSecurity **** {} ",
			ApplicationConfigProvider.getInstance().getAutheticationProtocol());
	if (AUTH_TYPE.equalsIgnoreCase(ApplicationConfigProvider.getInstance().getAutheticationProtocol())) {
		LOG.debug("message Inside SAMLAuthConfig, check http security **** ");

		http.cors();
		http.csrf().ignoringAntMatchers(AuthenticationUtils.CSRF_IGNORE)
				.csrfTokenRepository(authenticationUtils.csrfTokenRepository())
				.and().addFilterAfter(new InsightsCustomCsrfFilter(), CsrfFilter.class);

		http.exceptionHandling().authenticationEntryPoint(spnegoEntryPoint());
		http.addFilterAfter(kerberosFilter(),
				BasicAuthenticationFilter.class);

		http.anonymous().disable().authorizeRequests().antMatchers("/error").permitAll().antMatchers("/admin/**")
				.access("hasAuthority('Admin')").antMatchers("/saml/**").permitAll()
				//.antMatchers("/user/insightsso/**").permitAll() ///logout
				.anyRequest().authenticated();

		http.logout().logoutSuccessUrl("/");
	}
}
 
Example #11
Source File: InsightsSecurityConfigurationAdapterSAML.java    From Insights with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
	LOG.debug("message Inside InsightsSecurityConfigurationAdapterSAML,HttpSecurity **** {} ",
			ApplicationConfigProvider.getInstance().getAutheticationProtocol());
	if (AUTH_TYPE.equalsIgnoreCase(ApplicationConfigProvider.getInstance().getAutheticationProtocol())) {
		LOG.debug("message Inside SAMLAuthConfig, check http security **** ");

		http.cors();
		http.csrf().ignoringAntMatchers(AuthenticationUtils.CSRF_IGNORE)
				.csrfTokenRepository(authenticationUtils.csrfTokenRepository())
				.and().addFilterAfter(new InsightsCustomCsrfFilter(), CsrfFilter.class);

		http.exceptionHandling().authenticationEntryPoint(samlEntryPoint());
		http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class).addFilterAfter(samlFilter(),
				BasicAuthenticationFilter.class);

		http.anonymous().disable().authorizeRequests().antMatchers("/error").permitAll().antMatchers("/admin/**")
				.access("hasAuthority('Admin')").antMatchers("/saml/**").permitAll()
				// .antMatchers("/user/insightsso/**").permitAll() ///logout
				.anyRequest().authenticated();

		http.logout().logoutSuccessUrl("/");
	}
}
 
Example #12
Source File: InsightsSecurityConfigurationAdapter.java    From Insights with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
	LOG.debug("message Inside InsightsSecurityConfigurationAdapter ,HttpSecurity **** {} ",
			ApplicationConfigProvider.getInstance().getAutheticationProtocol());
	if (AUTH_TYPE.equalsIgnoreCase(ApplicationConfigProvider.getInstance().getAutheticationProtocol())) {
		LOG.debug("message Inside InsightsSecurityConfigurationAdapter,HttpSecurity check **** ");

		http.cors().and().authorizeRequests().antMatchers("/datasources/**").permitAll().antMatchers("/admin/**")
				.access("hasAuthority('Admin')").antMatchers("/traceability/**").access("hasAuthority('Admin')")
				.antMatchers("/configure/loadConfigFromResources").permitAll().antMatchers("/**").authenticated() // .permitAll()
				.and().exceptionHandling().accessDeniedHandler(springAccessDeniedHandler).and().httpBasic()
				.disable()

				.csrf().ignoringAntMatchers(AuthenticationUtils.CSRF_IGNORE)
				.csrfTokenRepository(authenticationUtils.csrfTokenRepository()).and()
				.addFilterBefore(insightsFilter(), BasicAuthenticationFilter.class)

				.headers().frameOptions().sameOrigin().and().sessionManagement().maximumSessions(1).and()
				.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
	}
}
 
Example #13
Source File: SecurityConfig.java    From movie-db-java-on-azure with MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    boolean usingFacebookAuthentication = facebook().getClientId() != null && !facebook().getClientId().isEmpty();
    if (usingFacebookAuthentication) {
        // @formatter:off
        http.antMatcher("/**").authorizeRequests().antMatchers("/**").permitAll().anyRequest()
                .authenticated().and().exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")).and().logout()
                .logoutSuccessUrl("/").permitAll().and().csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
                .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
        // @formatter:on
    } else {
        http.antMatcher("/**").authorizeRequests().anyRequest().permitAll();
    }
}
 
Example #14
Source File: TppWebSecurityConfig.java    From XS2A-Sandbox with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests().antMatchers(INDEX_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(APP_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(ACTUATOR_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(SWAGGER_WHITELIST).permitAll()
        .and()
        .cors()
        .and()
        .authorizeRequests().anyRequest().authenticated();

    http.headers().frameOptions().disable();
    http.httpBasic().disable();
    http.addFilterBefore(new DisableEndpointFilter(environment), BasicAuthenticationFilter.class);
    http.addFilterBefore(new LoginAuthenticationFilter(userMgmtStaffRestClient), BasicAuthenticationFilter.class);
    http.addFilterBefore(new TokenAuthenticationFilter(ledgersUserMgmt, authInterceptor), BasicAuthenticationFilter.class);
}
 
Example #15
Source File: WebSecurityConfig.java    From XS2A-Sandbox with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/api/v1/**")
        .authorizeRequests()
        .antMatchers(APP_WHITELIST).permitAll()
            .and()
        .authorizeRequests().anyRequest()
        .authenticated()
            .and()
        .httpBasic()
        .disable();

    http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.headers().frameOptions().disable();

    http.addFilterBefore(new LoginAuthenticationFilter(userMgmtRestClient), BasicAuthenticationFilter.class);
    http.addFilterBefore(new TokenAuthenticationFilter(userMgmtRestClient, authInterceptor), BasicAuthenticationFilter.class);
}
 
Example #16
Source File: SpringSecurityConfiguration.java    From crnk-example with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
	// consider moving to stateless and handle token on Angular side
	if (properties.isSecurityEnabled()) {
		// @formatter:off
		http
			.antMatcher("/**").authorizeRequests()
				.antMatchers("/", "/favicon.ico",
						"/assets/**",
						"/login**", "/styles**", "/inline**", "/polyfills**",
						"/scripts***", "/main**" ).permitAll()
				.anyRequest().authenticated()

			.and().logout().logoutSuccessUrl("/").permitAll()
			.and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
			.and().exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
			// .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
			.and().addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
		// @formatter:on
	}
	else {
		http.authorizeRequests().antMatchers("/**").permitAll();
		http.csrf().disable();
	}
}
 
Example #17
Source File: WebSecurityConfig.java    From XS2A-Sandbox with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests().antMatchers(APP_INDEX_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(APP_SCA_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(APP_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(SWAGGER_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(ACTUATOR_WHITELIST).permitAll()
        .and()
        .cors()
        .and()
        .authorizeRequests().anyRequest().authenticated();

    http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.headers().frameOptions().disable();

    http.addFilterBefore(new JWTAuthenticationFilter(tokenAuthenticationService), BasicAuthenticationFilter.class);
}
 
Example #18
Source File: SecurityConfig.java    From springboot-security-wechat with Apache License 2.0 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .mvcMatchers("/**").permitAll()
            //任何访问都必须授权
            .anyRequest().fullyAuthenticated()
            //配置那些路径可以不用权限访问
            .mvcMatchers("/login", "/login/wechat").permitAll()
            .and()
            .formLogin()
            //登陆成功后的处理,因为是API的形式所以不用跳转页面
            .successHandler(new MyAuthenticationSuccessHandler())
            //登陆失败后的处理
            .failureHandler(new MySimpleUrlAuthenticationFailureHandler())
            .and()
            //登出后的处理
            .logout().logoutSuccessHandler(new RestLogoutSuccessHandler())
            .and()
            //认证不通过后的处理
            .exceptionHandling()
            .authenticationEntryPoint(new RestAuthenticationEntryPoint());
    http.addFilterAt(myFilterSecurityInterceptor, FilterSecurityInterceptor.class);
    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
    //http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    http.csrf().disable();
}
 
Example #19
Source File: CustomWebSecurityConfigurer.java    From tutorials with MIT License 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) {
    http.addFilterBefore(
      authenticationFilter(),
      BasicAuthenticationFilter.class
    );
}
 
Example #20
Source File: CustomWebSecurityConfigurerAdapter.java    From tutorials with MIT License 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
      .antMatchers("/securityNone")
      .permitAll()
      .anyRequest()
      .authenticated()
      .and()
      .httpBasic()
      .authenticationEntryPoint(authenticationEntryPoint);

    http.addFilterAfter(new CustomFilter(), BasicAuthenticationFilter.class);
}
 
Example #21
Source File: CustomWebSecurityConfigurerAdapter.java    From tutorials with MIT License 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
      .antMatchers("/securityNone")
      .permitAll()
      .anyRequest()
      .authenticated()
      .and()
      .httpBasic()
      .authenticationEntryPoint(authenticationEntryPoint);

    http.addFilterAfter(new CustomFilter(), BasicAuthenticationFilter.class);
}
 
Example #22
Source File: WebSecurityConfig.java    From tutorials with MIT License 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
	http.exceptionHandling()
			.authenticationEntryPoint(spnegoEntryPoint())
			.and()
			.authorizeRequests().antMatchers("/", "/home").permitAll()
			.anyRequest().authenticated()
			.and()
			.formLogin().loginPage("/login").permitAll()
			.and()
			.logout().permitAll()
			.and()
			.addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
					BasicAuthenticationFilter.class);
}
 
Example #23
Source File: WebSecurityConfig.java    From tutorials with MIT License 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
      .anyRequest()
      .authenticated()
      .and()
      .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()), BasicAuthenticationFilter.class);
}
 
Example #24
Source File: WebSecurityConfig.java    From youkefu with Apache License 2.0 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.addFilterAfter(tokenInfoTokenFilterSecurityInterceptor() , BasicAuthenticationFilter.class)
     .antMatcher("*/*").authorizeRequests()
     .anyRequest().permitAll()
     .and().addFilterAfter(csrfHeaderFilter(), BasicAuthenticationFilter.class)
     .addFilterAfter(apiTokenFilterSecurityInterceptor(), BasicAuthenticationFilter.class);
}
 
Example #25
Source File: WebSecurityConfig.java    From Hacktoberfest2019 with Apache License 2.0 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.exceptionHandling()
            .authenticationEntryPoint(spnegoEntryPoint())
            .and()
            .authorizeRequests().antMatchers("/", "/home").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and()
            .logout().permitAll()
            .and()
            .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                    BasicAuthenticationFilter.class);
}
 
Example #26
Source File: WebSecurityContext.java    From syncope with Apache License 2.0 5 votes vote down vote up
@Override
protected void configure(final HttpSecurity http) throws Exception {
    SyncopeBasicAuthenticationEntryPoint basicAuthenticationEntryPoint = new SyncopeBasicAuthenticationEntryPoint();
    basicAuthenticationEntryPoint.setRealmName("Apache Syncope authentication");

    SyncopeAuthenticationDetailsSource authenticationDetailsSource = new SyncopeAuthenticationDetailsSource();

    JWTAuthenticationFilter jwtAuthenticationFilter = new JWTAuthenticationFilter(
            authenticationManager(),
            basicAuthenticationEntryPoint,
            authenticationDetailsSource,
            ctx.getBean(AuthDataAccessor.class),
            ctx.getBean(DefaultCredentialChecker.class));

    http.authorizeRequests().
            antMatchers("/**").permitAll().and().
            sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().
            securityContext().securityContextRepository(new NullSecurityContextRepository()).and().
            anonymous().principal(anonymousUser).and().
            httpBasic().authenticationEntryPoint(basicAuthenticationEntryPoint).
            authenticationDetailsSource(authenticationDetailsSource).and().
            exceptionHandling().accessDeniedHandler(accessDeniedHandler()).and().
            addFilterBefore(jwtAuthenticationFilter, BasicAuthenticationFilter.class).
            addFilterBefore(new MustChangePasswordFilter(), FilterSecurityInterceptor.class).
            headers().disable().
            csrf().disable();
}
 
Example #27
Source File: WebSecurityConfig.java    From training with MIT License 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .anyRequest().authenticated()
            .and()
            .authenticationProvider(preAuthenticatedProvider())
        .addFilterBefore(jwtFilter(), BasicAuthenticationFilter.class)
        .logout().permitAll();

}
 
Example #28
Source File: BasicSecurityConfigurerAdapter.java    From gravitee-management-rest-api with Apache License 2.0 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    final String jwtSecret = environment.getProperty("jwt.secret");
    if (jwtSecret == null || jwtSecret.isEmpty()) {
        throw new IllegalStateException("JWT secret is mandatory");
    }

    //Warning if the secret is still the default one
    if ("myJWT4Gr4v1t33_S3cr3t".equals(jwtSecret)) {
        LOGGER.warn("");
        LOGGER.warn("##############################################################");
        LOGGER.warn("#                      SECURITY WARNING                      #");
        LOGGER.warn("##############################################################");
        LOGGER.warn("");
        LOGGER.warn("You still use the default jwt secret.");
        LOGGER.warn("This known secret can be used to impersonate anyone.");
        LOGGER.warn("Please change this value, or ask your administrator to do it !");
        LOGGER.warn("");
        LOGGER.warn("##############################################################");
        LOGGER.warn("");
    }

    authentication(http);
    session(http);
    authorizations(http);
    hsts(http);
    csrf(http);
    cors(http);

    http.addFilterBefore(new TokenAuthenticationFilter(jwtSecret, cookieGenerator, null, null), BasicAuthenticationFilter.class);
    http.addFilterBefore(new RecaptchaFilter(reCaptchaService, objectMapper), TokenAuthenticationFilter.class);
}
 
Example #29
Source File: BasicSecurityConfigurerAdapter.java    From gravitee-management-rest-api with Apache License 2.0 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    final String jwtSecret = environment.getProperty("jwt.secret");
    if (jwtSecret == null || jwtSecret.isEmpty()) {
        throw new IllegalStateException("JWT secret is mandatory");
    }

    //Warning if the secret is still the default one
    if ("myJWT4Gr4v1t33_S3cr3t".equals(jwtSecret)) {
        LOGGER.warn("");
        LOGGER.warn("##############################################################");
        LOGGER.warn("#                      SECURITY WARNING                      #");
        LOGGER.warn("##############################################################");
        LOGGER.warn("");
        LOGGER.warn("You still use the default jwt secret.");
        LOGGER.warn("This known secret can be used to impersonate anyone.");
        LOGGER.warn("Please change this value, or ask your administrator to do it !");
        LOGGER.warn("");
        LOGGER.warn("##############################################################");
        LOGGER.warn("");
    }

    authentication(http);
    session(http);
    authorizations(http);
    hsts(http);
    csrf(http);
    cors(http);

    http.addFilterBefore(new TokenAuthenticationFilter(jwtSecret, cookieGenerator, userService, tokenService), BasicAuthenticationFilter.class);
    http.addFilterBefore(new RecaptchaFilter(reCaptchaService, objectMapper), TokenAuthenticationFilter.class);
}
 
Example #30
Source File: WebSecurityConfig.java    From spring-boot-security-saml-samples with MIT License 5 votes vote down vote up
/**
 * Defines the web based security configuration.
 *
 * @param http It allows configuring web based security for specific http requests.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    HttpSessionSecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();
    securityContextRepository.setSpringSecurityContextKey("SPRING_SECURITY_CONTEXT_SAML");
    http
            .securityContext()
            .securityContextRepository(securityContextRepository);
    http
            .httpBasic()
            .disable();
    http
            .csrf()
            .disable();
    http
            .addFilterAfter(metadataGeneratorFilter, BasicAuthenticationFilter.class)
            .addFilterAfter(metadataDisplayFilter, MetadataGeneratorFilter.class)
            .addFilterAfter(samlEntryPoint, MetadataDisplayFilter.class)
            .addFilterAfter(samlWebSSOProcessingFilter, SAMLEntryPoint.class)
            .addFilterAfter(samlWebSSOHoKProcessingFilter, SAMLProcessingFilter.class)
            .addFilterAfter(samlLogoutProcessingFilter, SAMLWebSSOHoKProcessingFilter.class)
            .addFilterAfter(samlIDPDiscovery, SAMLLogoutProcessingFilter.class)
            .addFilterAfter(samlLogoutFilter, LogoutFilter.class);
    http
            .authorizeRequests()
            .antMatchers("/", "/error", "/saml/**", "/idpselection").permitAll()
            .anyRequest().authenticated();
    http
            .exceptionHandling()
            .authenticationEntryPoint(samlEntryPoint);
    http
            .logout()
            .disable();
}