org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter Java Examples

Example #1
Source File: SecurityConfiguration.java — from syndesis (Apache License 2.0)
/**
 * Builds the pre-authentication filter that maps proxy-supplied request headers onto a
 * Spring Security authentication.
 *
 * The principal is read from {@code X-Forwarded-User} and the credential from
 * {@code X-Forwarded-Access-Token}; every pre-authenticated request is handed the fixed
 * {@code ROLE_AUTHENTICATED} authority via the details source. A request that carries no
 * principal header is not rejected by this filter.
 *
 * NOTE(review): the header values are used as-is, so this is only sound when they can be
 * set solely by the trusted reverse proxy — confirm that inbound copies of these headers
 * are stripped at the edge.
 *
 * @return the configured filter, wired to {@code authenticationManager()}
 * @throws Exception propagated from {@code authenticationManager()}
 */
@SuppressWarnings("PMD.SignatureDeclareThrowsException")
private RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() throws Exception {
    // A typed local replaces the inline cast; the lambda target type is the same.
    AuthenticationDetailsSource<HttpServletRequest, PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails> detailsSource =
        request -> new PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails(
            request,
            AuthorityUtils.createAuthorityList("ROLE_AUTHENTICATED"));

    RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
    filter.setPrincipalRequestHeader("X-Forwarded-User");
    filter.setCredentialsRequestHeader("X-Forwarded-Access-Token");
    filter.setAuthenticationManager(authenticationManager());
    filter.setAuthenticationDetailsSource(detailsSource);
    // No failure URL is configured; the handler falls back to its default error response.
    filter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
    // A missing principal header is not treated as an error at this filter.
    filter.setExceptionIfHeaderMissing(false);
    return filter;
}
 
Example #2
Source File: InceptionSecurity.java — from inception (Apache License 2.0)
/**
 * Wires the HTTP security chain: remember-me, header-based pre-authentication, URL
 * authorization rules, a 403 entry point and same-origin frame options.
 *
 * @param aHttp the {@link HttpSecurity} builder supplied by Spring Security
 * @throws Exception propagated from {@code preAuthFilter()} and the configurers
 */
@Override
protected void configure(HttpSecurity aHttp) throws Exception
{
    aHttp.rememberMe();
    // CSRF protection is switched off for the whole chain, so state-changing endpoints
    // behind this configuration get no CSRF defence from Spring Security.
    aHttp.csrf().disable();
    // NOTE(review): the pre-auth filter trusts a request header; that is only sound when
    // clients cannot set the header directly — confirm the proxy strips inbound copies.
    aHttp.addFilterBefore(preAuthFilter(), RequestHeaderAuthenticationFilter.class);

    // Rules are evaluated top to bottom; the first matching rule decides.
    aHttp.authorizeRequests()
        // Static resources stay public so they never trigger the login page. Otherwise the
        // user could be redirected to a resource after login instead of an application page.
        .antMatchers("/favicon.ico").permitAll()
        .antMatchers("/favicon.png").permitAll()
        .antMatchers("/assets/**").permitAll()
        .antMatchers("/images/**").permitAll()
        .antMatchers("/resources/**").permitAll()
        .antMatchers("/wicket/resource/**").permitAll()
        .antMatchers("/swagger-ui.html").access("hasAnyRole('ROLE_REMOTE')")
        .antMatchers("/admin/**").access("hasAnyRole('ROLE_ADMIN')")
        .antMatchers("/doc/**").access("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
        .antMatchers("/**").access("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
        // "/**" already matches every path; this keeps the chain fail-closed if that rule
        // is ever removed.
        .anyRequest().denyAll();

    // Unauthenticated requests get a plain 403 instead of a redirect to a login page.
    aHttp.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint());
    aHttp.headers().frameOptions().sameOrigin();
}
 
Example #3
Source File: WebAnnoSecurity.java — from webanno (Apache License 2.0)
/**
 * Configures the HTTP security chain for the application: remember-me support, the
 * header-based pre-authentication filter, URL authorization, a 403 entry point and
 * same-origin frame options.
 *
 * @param aHttp the {@link HttpSecurity} builder supplied by Spring Security
 * @throws Exception propagated from {@code preAuthFilter()} and the configurers
 */
@Override
protected void configure(HttpSecurity aHttp) throws Exception
{
    aHttp.rememberMe();
    // CSRF protection is disabled chain-wide; state-changing endpoints rely on other
    // protections, if any.
    aHttp.csrf().disable();
    // NOTE(review): header-based pre-authentication is only as trustworthy as the proxy
    // that sets the header — confirm callers cannot supply it directly.
    aHttp.addFilterBefore(preAuthFilter(), RequestHeaderAuthenticationFilter.class);

    // First matching rule wins, so specific patterns precede the catch-all.
    aHttp.authorizeRequests()
        // Static resources must be public so they don't trigger the login page; otherwise
        // the user could land on a resource after login instead of an application page.
        .antMatchers("/favicon.ico").permitAll()
        .antMatchers("/favicon.png").permitAll()
        .antMatchers("/assets/**").permitAll()
        .antMatchers("/images/**").permitAll()
        .antMatchers("/resources/**").permitAll()
        .antMatchers("/wicket/resource/**").permitAll()
        .antMatchers("/swagger-ui.html").access("hasAnyRole('ROLE_REMOTE')")
        .antMatchers("/admin/**").access("hasAnyRole('ROLE_ADMIN')")
        .antMatchers("/doc/**").access("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
        .antMatchers("/**").access("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
        // Unreachable while "/**" is present; kept as a fail-closed default.
        .anyRequest().denyAll();

    // Return 403 for unauthenticated requests rather than redirecting to a login page.
    aHttp.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint());
    aHttp.headers().frameOptions().sameOrigin();
}
 
Example #4
Source File: SecurityConfig.java — from cloudbreak (Apache License 2.0)
/**
 * Exposes the header-based pre-authentication filter as a bean.
 *
 * The principal is taken from the {@code x-cdp-actor-crn} header. Neither a missing header
 * nor a failed authentication stops the request at this filter: it continues down the
 * chain without an authentication, so downstream authorization rules must reject it.
 *
 * NOTE(review): the header value is trusted as-is — confirm it cannot be injected by
 * callers that bypass the fronting proxy.
 *
 * @return the configured filter, wired to {@code authenticationManager()}
 * @throws Exception propagated from {@code authenticationManager()}
 */
@Bean
public RequestHeaderAuthenticationFilter headerAuthenticationFilter() throws Exception {
    final RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
    filter.setAuthenticationManager(authenticationManager());
    filter.setPrincipalRequestHeader("x-cdp-actor-crn");
    // Non-fatal at this filter: no exception on a missing header, and the chain proceeds
    // after an unsuccessful authentication.
    filter.setExceptionIfHeaderMissing(false);
    filter.setContinueFilterChainOnUnsuccessfulAuthentication(true);
    return filter;
}
 
Example #5
Source File: SecurityConfig.java — from cloudbreak (Apache License 2.0)
/**
 * Creates the pre-authentication filter bean that reads the caller identity from the
 * {@code x-cdp-actor-crn} request header.
 *
 * A missing header raises no exception and a failed authentication does not stop the
 * chain, so requests may reach later filters without an authentication; authorization
 * further down must deny them.
 *
 * NOTE(review): the header is accepted without verification here — confirm only the
 * trusted proxy can set it.
 *
 * @return the configured filter, wired to {@code authenticationManager()}
 * @throws Exception propagated from {@code authenticationManager()}
 */
@Bean
public RequestHeaderAuthenticationFilter headerAuthenticationFilter() throws Exception {
    final RequestHeaderAuthenticationFilter preAuthFilter = new RequestHeaderAuthenticationFilter();
    preAuthFilter.setPrincipalRequestHeader("x-cdp-actor-crn");
    // Absent header: continue silently rather than throwing.
    preAuthFilter.setExceptionIfHeaderMissing(false);
    // Unsuccessful authentication: let the rest of the chain run.
    preAuthFilter.setContinueFilterChainOnUnsuccessfulAuthentication(true);
    preAuthFilter.setAuthenticationManager(authenticationManager());
    return preAuthFilter;
}
 
Example #6
Source File: SecurityManagedConfiguration.java — from hawkbit (Eclipse Public License 1.0)
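/**
 * Configures the stateless HTTP security chain for the REST API and the system-admin
 * endpoints.
 *
 * CSRF is disabled for this chain; CORS and HTTPS enforcement are toggled by
 * {@code securityProperties}. Authentication is either OIDC bearer-token based (when an
 * OIDC filter is present) or HTTP Basic delegating to {@code userAuthenticationFilter}.
 * Anonymous access is disabled and no session is created.
 *
 * Fix: the system-admin authorization rule is now registered before the
 * {@code anyRequest()} catch-all. Spring Security evaluates URL rules in order, first match
 * wins, so a rule added after {@code anyRequest()} is never consulted (newer versions reject
 * such a configuration outright).
 *
 * @param http the {@link HttpSecurity} builder supplied by Spring Security
 * @throws Exception propagated from the configurers
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {

    // This chain is scoped to the REST API and the system admin endpoints only.
    HttpSecurity httpSec = http.regexMatcher("\\/rest.*|\\/system/admin.*").csrf().disable();

    if (securityProperties.getCors().isEnabled()) {
        httpSec = httpSec.cors().and();
    }

    if (securityProperties.isRequireSsl()) {
        httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
    }

    // Specific rule first, catch-all last: the admin path requires SYSTEM_ADMIN, everything
    // else in this chain merely has to be authenticated.
    httpSec.authorizeRequests()
            .antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**")
            .hasAnyAuthority(SpPermission.SYSTEM_ADMIN)
            .anyRequest().authenticated();

    if (oidcBearerTokenAuthenticationFilter != null) {

        // Only get the first client registration. Testing against every
        // client could increase the
        // attack vector
        ClientRegistration clientRegistration = null;
        for (final ClientRegistration cr : clientRegistrationRepository) {
            clientRegistration = cr;
            break;
        }

        Assert.notNull(clientRegistration, "There must be a valid client registration");
        // Tokens are validated against the JWK set of that single registration.
        httpSec.oauth2ResourceServer().jwt().jwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri());

        oidcBearerTokenAuthenticationFilter.setClientRegistration(clientRegistration);

        httpSec.addFilterAfter(oidcBearerTokenAuthenticationFilter, BearerTokenAuthenticationFilter.class);
    } else {
        final BasicAuthenticationEntryPoint basicAuthEntryPoint = new BasicAuthenticationEntryPoint();
        basicAuthEntryPoint.setRealmName(securityProperties.getBasicRealm());

        // Thin wrapper that forwards every lifecycle call to userAuthenticationFilter so the
        // delegate can be placed at the RequestHeaderAuthenticationFilter slot of this chain.
        httpSec.addFilterBefore(new Filter() {
            @Override
            public void init(final FilterConfig filterConfig) throws ServletException {
                userAuthenticationFilter.init(filterConfig);
            }

            @Override
            public void doFilter(final ServletRequest request, final ServletResponse response,
                    final FilterChain chain) throws IOException, ServletException {
                userAuthenticationFilter.doFilter(request, response, chain);
            }

            @Override
            public void destroy() {
                userAuthenticationFilter.destroy();
            }
        }, RequestHeaderAuthenticationFilter.class);
        httpSec.httpBasic().and().exceptionHandling().authenticationEntryPoint(basicAuthEntryPoint);
    }

    // Runs after session management so tenant metadata is created once a request has been
    // authenticated.
    httpSec.addFilterAfter(
            new AuthenticationSuccessTenantMetadataCreationFilter(systemManagement, systemSecurityContext),
            SessionManagementFilter.class);

    // No anonymous principal and no server-side session for this API chain.
    httpSec.anonymous().disable();
    httpSec.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}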