Java Code Examples for org.springframework.security.web.authentication.www.BasicAuthenticationFilter

The following examples show how to use org.springframework.security.web.authentication.www.BasicAuthenticationFilter. These examples are extracted from open source projects.
Example 1
Source Project: WeBASE-Node-Manager   Source File: SecurityConfig.java    License: Apache License 2.0
/**
 * Configures form login, JSON error handlers, token authentication and logout.
 *
 * <p>A {@code TokenAuthenticationFilter} is registered ahead of
 * {@code BasicAuthenticationFilter}; HTTP Basic stays enabled with a JSON entry point.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.exceptionHandling().accessDeniedHandler(jsonAccessDeniedHandler); // access-denied responses are returned as JSON
    http.formLogin().loginPage("/login") // login page
        .loginProcessingUrl("/account/login") // login request uri
        .usernameParameter("account").passwordParameter("accountPwd").permitAll()
        .successHandler(loginSuccessHandler) // if login success
        .failureHandler(loginfailHandler) // if login fail
        .and().authorizeRequests()
        // NOTE(review): these paths need no authentication; "/user/privateKey/**" and "/encrypt"
        // look sensitive by name — confirm they are meant to be public.
        .antMatchers("/account/login", "/account/pictureCheckCode",
            "/login","/user/privateKey/**", "/encrypt")
        .permitAll()
        .anyRequest().authenticated().and().csrf()
        // CSRF protection is switched off while form login is enabled.
        // NOTE(review): confirm state-changing requests are not authorised by a session cookie alone.
        .disable() // close csrf
        // Token filter runs before BasicAuthenticationFilter in the chain.
        .addFilterBefore(new TokenAuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class)
        .httpBasic().authenticationEntryPoint(jsonAuthenticationEntryPoint).and().logout()
        .logoutUrl("/account/logout")
        .logoutSuccessHandler(jsonLogoutSuccessHandler)
        .permitAll();
}
 
Example 2
Source Project: XS2A-Sandbox   Source File: TppWebSecurityConfig.java    License: Apache License 2.0
/**
 * Configures a stateless chain: whitelisted paths are public, everything else
 * requires authentication, and three custom filters run before
 * {@code BasicAuthenticationFilter} (HTTP Basic itself is disabled).
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CSRF is disabled and no HTTP session is used for the security context.
    // NOTE(review): the whitelist contents are defined outside this method; confirm the
    // actuator and swagger whitelists expose nothing sensitive without authentication.
    http.csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests().antMatchers(INDEX_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(APP_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(ACTUATOR_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(SWAGGER_WHITELIST).permitAll()
        .and()
        .cors()
        .and()
        .authorizeRequests().anyRequest().authenticated();

    // Removes the X-Frame-Options header, so responses may be framed by other origins.
    http.headers().frameOptions().disable();
    http.httpBasic().disable();
    // Each filter is positioned relative to BasicAuthenticationFilter's slot in the chain.
    http.addFilterBefore(new DisableEndpointFilter(environment), BasicAuthenticationFilter.class);
    http.addFilterBefore(new LoginAuthenticationFilter(userMgmtStaffRestClient), BasicAuthenticationFilter.class);
    http.addFilterBefore(new TokenAuthenticationFilter(ledgersUserMgmt, authInterceptor), BasicAuthenticationFilter.class);
}
 
Example 3
Source Project: XS2A-Sandbox   Source File: WebSecurityConfig.java    License: Apache License 2.0
/**
 * Configures a stateless chain that applies only to {@code /api/v1/**}, with
 * login and token filters placed before {@code BasicAuthenticationFilter}.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // antMatcher scopes this whole chain to /api/v1/**; requests to other paths are not
    // handled by these rules. NOTE(review): confirm another chain covers them.
    http.antMatcher("/api/v1/**")
        .authorizeRequests()
        .antMatchers(APP_WHITELIST).permitAll()
            .and()
        .authorizeRequests().anyRequest()
        .authenticated()
            .and()
        .httpBasic()
        .disable();

    // CSRF off and no session-backed security context.
    http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // Removes the X-Frame-Options header, so responses may be framed by other origins.
    http.headers().frameOptions().disable();

    http.addFilterBefore(new LoginAuthenticationFilter(userMgmtRestClient), BasicAuthenticationFilter.class);
    http.addFilterBefore(new TokenAuthenticationFilter(userMgmtRestClient, authInterceptor), BasicAuthenticationFilter.class);
}
 
Example 4
Source Project: XS2A-Sandbox   Source File: WebSecurityConfig.java    License: Apache License 2.0
/**
 * Configures a stateless chain: whitelisted paths are public, everything else
 * requires authentication, and a JWT filter runs before
 * {@code BasicAuthenticationFilter}.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): the whitelist contents are defined outside this method; confirm the
    // swagger and actuator whitelists expose nothing sensitive without authentication.
    http
        .authorizeRequests().antMatchers(APP_INDEX_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(APP_SCA_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(APP_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(SWAGGER_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(ACTUATOR_WHITELIST).permitAll()
        .and()
        .cors()
        .and()
        .authorizeRequests().anyRequest().authenticated();

    // CSRF off and no session-backed security context.
    http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // Removes the X-Frame-Options header, so responses may be framed by other origins.
    http.headers().frameOptions().disable();

    http.addFilterBefore(new JWTAuthenticationFilter(tokenAuthenticationService), BasicAuthenticationFilter.class);
}
 
Example 5
Source Project: crnk-example   Source File: SpringSecurityConfiguration.java    License: Apache License 2.0
/**
 * Configures SSO-based security when {@code properties.isSecurityEnabled()} is true;
 * otherwise every request is permitted and CSRF protection is turned off.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
	// consider moving to stateless and handle token on Angular side
	if (properties.isSecurityEnabled()) {
		// @formatter:off
		// Static assets and the login paths are public; everything else needs authentication.
		// NOTE(review): "/scripts***" has three asterisks, unlike its neighbours — looks like a typo.
		http
			.antMatcher("/**").authorizeRequests()
				.antMatchers("/", "/favicon.ico",
						"/assets/**",
						"/login**", "/styles**", "/inline**", "/polyfills**",
						"/scripts***", "/main**" ).permitAll()
				.anyRequest().authenticated()

			.and().logout().logoutSuccessUrl("/").permitAll()
			// The CSRF token cookie is not HttpOnly so that client-side script can read it
			// and echo it back in a header; any script running in the page can read it too.
			.and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
			// Unauthenticated requests get a 401 status instead of a redirect.
			.and().exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
			// .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
			.and().addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
		// @formatter:on
	}
	else {
		// A single property switches off authentication and CSRF for the whole application.
		// NOTE(review): confirm this flag cannot be false in a production deployment.
		http.authorizeRequests().antMatchers("/**").permitAll();
		http.csrf().disable();
	}
}
 
Example 6
Source Project: movie-db-java-on-azure   Source File: SecurityConfig.java    License: MIT License
/**
 * Registers the SSO filter and CSRF cookie repository when a Facebook client id is
 * configured; otherwise permits every request.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    boolean usingFacebookAuthentication = facebook().getClientId() != null && !facebook().getClientId().isEmpty();
    if (usingFacebookAuthentication) {
        // @formatter:off
        // Rules are evaluated in declaration order and the first match wins: "/**" with
        // permitAll() matches every request, so anyRequest().authenticated() is never reached.
        // NOTE(review): confirm that a fully public site is intended; otherwise narrow the
        // permitAll() patterns.
        http.antMatcher("/**").authorizeRequests().antMatchers("/**").permitAll().anyRequest()
                .authenticated().and().exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")).and().logout()
                .logoutSuccessUrl("/").permitAll().and().csrf()
                // CSRF token cookie is readable by client-side script (not HttpOnly).
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
                .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
        // @formatter:on
    } else {
        // No client id configured: every request is allowed without authentication.
        http.antMatcher("/**").authorizeRequests().anyRequest().permitAll();
    }
}
 
Example 7
/**
 * Applies this adapter's rules only when the configured authentication protocol
 * equals {@code AUTH_TYPE} (case-insensitive); otherwise nothing is configured here.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
	LOG.debug("message Inside InsightsSecurityConfigurationAdapter ,HttpSecurity **** {} ",
			ApplicationConfigProvider.getInstance().getAutheticationProtocol());
	// NOTE(review): when the protocol does not match, no authorization rule is added by this
	// method; presumably another adapter handles that case — verify.
	if (AUTH_TYPE.equalsIgnoreCase(ApplicationConfigProvider.getInstance().getAutheticationProtocol())) {
		LOG.debug("message Inside InsightsSecurityConfigurationAdapter,HttpSecurity check **** ");

		// "/datasources/**" and "/configure/loadConfigFromResources" are public, "/admin/**" and
		// "/traceability/**" need the 'Admin' authority, everything else needs authentication.
		// NOTE(review): confirm the two public paths expose nothing sensitive.
		http.cors().and().authorizeRequests().antMatchers("/datasources/**").permitAll().antMatchers("/admin/**")
				.access("hasAuthority('Admin')").antMatchers("/traceability/**").access("hasAuthority('Admin')")
				.antMatchers("/configure/loadConfigFromResources").permitAll().antMatchers("/**").authenticated() // .permitAll()
				.and().exceptionHandling().accessDeniedHandler(springAccessDeniedHandler).and().httpBasic()
				.disable()

				// CSRF stays enabled except for the paths listed in AuthenticationUtils.CSRF_IGNORE.
				.csrf().ignoringAntMatchers(AuthenticationUtils.CSRF_IGNORE)
				.csrfTokenRepository(authenticationUtils.csrfTokenRepository()).and()
				.addFilterBefore(insightsFilter(), BasicAuthenticationFilter.class)

				// Framing is limited to the same origin; one concurrent session is allowed.
				.headers().frameOptions().sameOrigin().and().sessionManagement().maximumSessions(1).and()
				.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
	}
}
 
Example 8
/**
 * Applies the SAML rules only when the configured authentication protocol equals
 * {@code AUTH_TYPE} (case-insensitive); otherwise nothing is configured here.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
	LOG.debug("message Inside InsightsSecurityConfigurationAdapterSAML,HttpSecurity **** {} ",
			ApplicationConfigProvider.getInstance().getAutheticationProtocol());
	// NOTE(review): when the protocol does not match, no authorization rule is added by this
	// method; presumably another adapter handles that case — verify.
	if (AUTH_TYPE.equalsIgnoreCase(ApplicationConfigProvider.getInstance().getAutheticationProtocol())) {
		LOG.debug("message Inside SAMLAuthConfig, check http security **** ");

		http.cors();
		// CSRF stays enabled except for the paths listed in AuthenticationUtils.CSRF_IGNORE;
		// a custom filter runs right after CsrfFilter.
		http.csrf().ignoringAntMatchers(AuthenticationUtils.CSRF_IGNORE)
				.csrfTokenRepository(authenticationUtils.csrfTokenRepository())
				.and().addFilterAfter(new InsightsCustomCsrfFilter(), CsrfFilter.class);

		// Unauthenticated requests are sent to the SAML entry point.
		http.exceptionHandling().authenticationEntryPoint(samlEntryPoint());
		http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class).addFilterAfter(samlFilter(),
				BasicAuthenticationFilter.class);

		// Anonymous authentication is disabled; "/error" and "/saml/**" are public,
		// "/admin/**" needs the 'Admin' authority, everything else needs authentication.
		http.anonymous().disable().authorizeRequests().antMatchers("/error").permitAll().antMatchers("/admin/**")
				.access("hasAuthority('Admin')").antMatchers("/saml/**").permitAll()
				// .antMatchers("/user/insightsso/**").permitAll() ///logout
				.anyRequest().authenticated();

		http.logout().logoutSuccessUrl("/");
	}
}
 
Example 9
/**
 * Applies the Kerberos/SPNEGO rules only when the configured authentication protocol
 * equals {@code AUTH_TYPE} (case-insensitive); otherwise nothing is configured here.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
	LOG.debug("message Inside InsightsSecurityConfigurationAdapterKerberos,HttpSecurity **** {} ",
			ApplicationConfigProvider.getInstance().getAutheticationProtocol());
	// NOTE(review): when the protocol does not match, no authorization rule is added by this
	// method; presumably another adapter handles that case — verify.
	if (AUTH_TYPE.equalsIgnoreCase(ApplicationConfigProvider.getInstance().getAutheticationProtocol())) {
		// NOTE(review): this log text names SAMLAuthConfig although the adapter is the Kerberos
		// one; it makes the two code paths hard to tell apart in logs.
		LOG.debug("message Inside SAMLAuthConfig, check http security **** ");

		http.cors();
		// CSRF stays enabled except for the paths listed in AuthenticationUtils.CSRF_IGNORE;
		// a custom filter runs right after CsrfFilter.
		http.csrf().ignoringAntMatchers(AuthenticationUtils.CSRF_IGNORE)
				.csrfTokenRepository(authenticationUtils.csrfTokenRepository())
				.and().addFilterAfter(new InsightsCustomCsrfFilter(), CsrfFilter.class);

		// Unauthenticated requests are sent to the SPNEGO entry point.
		http.exceptionHandling().authenticationEntryPoint(spnegoEntryPoint());
		http.addFilterAfter(kerberosFilter(),
				BasicAuthenticationFilter.class);

		// Anonymous authentication is disabled; "/error" and "/saml/**" are public,
		// "/admin/**" needs the 'Admin' authority, everything else needs authentication.
		// NOTE(review): "/saml/**" is left public in a Kerberos configuration — confirm it is needed.
		http.anonymous().disable().authorizeRequests().antMatchers("/error").permitAll().antMatchers("/admin/**")
				.access("hasAuthority('Admin')").antMatchers("/saml/**").permitAll()
				//.antMatchers("/user/insightsso/**").permitAll() ///logout
				.anyRequest().authenticated();

		http.logout().logoutSuccessUrl("/");
	}
}
 
Example 10
Source Project: haven-platform   Source File: TokenAuthFilterConfigurer.java    License: Apache License 2.0
/**
 * Wires the token authentication filter from the builder's shared objects and
 * registers it ahead of {@code BasicAuthenticationFilter}.
 *
 * <p>The filter is told to continue the chain after a successful authentication, so
 * the request still passes through the remaining filters.
 *
 * @param http the security builder that supplies shared objects and receives the filter
 * @throws Exception if the builder rejects the configuration
 */
@Override
public void configure(H http) throws Exception {
    AuthenticationTokenFilter tokenFilter = getAuthenticationFilter();

    // The details source is optional; the filter keeps its own when none is set.
    if (authenticationDetailsSource != null) {
        tokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
    }

    tokenFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
    tokenFilter.setAuthenticationSuccessHandler(new AuthenticationStubSuccessHandler());

    // Only applied when the builder has a session strategy registered.
    SessionAuthenticationStrategy sharedSessionStrategy =
            http.getSharedObject(SessionAuthenticationStrategy.class);
    if (sharedSessionStrategy != null) {
        tokenFilter.setSessionAuthenticationStrategy(sharedSessionStrategy);
    }

    AuthenticationTokenFilter processedFilter = postProcess(tokenFilter);
    processedFilter.setContinueChainAfterSuccessfulAuthentication(true);
    http.addFilterBefore(processedFilter, BasicAuthenticationFilter.class);
}
 
Example 11
Source Project: springboot-jwt-starter   Source File: WebSecurityConfig.java    License: MIT License
/**
 * Configures a stateless chain: static resources (GET only) and {@code /auth/**} are
 * public, everything else requires authentication, and a token filter runs before
 * {@code BasicAuthenticationFilter}.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS ).and()
            .exceptionHandling().authenticationEntryPoint( restAuthenticationEntryPoint ).and()
            .authorizeRequests()
            // First rule: GET requests for the listed pages and static files are public.
            .antMatchers(
                    HttpMethod.GET,
                    "/",
                    "/auth/**",
                    "/webjars/**",
                    "/*.html",
                    "/favicon.ico",
                    "/**/*.html",
                    "/**/*.css",
                    "/**/*.js"
            ).permitAll()
            // Second rule: "/auth/**" is public for every HTTP method.
            .antMatchers("/auth/**").permitAll()
            .anyRequest().authenticated().and()
            .addFilterBefore(new TokenAuthenticationFilter(tokenHelper, jwtUserDetailsService), BasicAuthenticationFilter.class);

    // CSRF protection is off. NOTE(review): confirm the token is never accepted from a
    // cookie; the token filter's extraction logic is not shown here.
    http.csrf().disable();
}
 
Example 12
Source Project: cosmo   Source File: SecurityFilterConfig.java    License: Apache License 2.0
/**
 * Builds the security filter chain for the DAV path and wraps it in a servlet
 * filter registration.
 *
 * <p>Every request must hold the roles listed in {@code ROLES}; the decision is made
 * by the final {@code FilterSecurityInterceptor} in the chain.
 *
 * @return the registration bean that maps the filter chain proxy to {@code PATH_DAV}
 */
@Bean
public FilterRegistrationBean<?> securityFilterChain() {
    // Single rule: any request requires the configured roles.
    LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requiredRoles = new LinkedHashMap<>();
    requiredRoles.put(AnyRequestMatcher.INSTANCE, SecurityConfig.createList(ROLES));

    FilterSecurityInterceptor interceptor = new FilterSecurityInterceptor();
    interceptor.setAuthenticationManager(this.authManager);
    interceptor.setAccessDecisionManager(this.davDecisionManager);
    interceptor.setSecurityMetadataSource(new DefaultFilterInvocationSecurityMetadataSource(requiredRoles));

    /*
     * Filter order matters: exception handling first, then the two ticket filters,
     * then HTTP Basic, and the authorization interceptor last.
     */
    BasicAuthenticationFilter basicAuthFilter = new BasicAuthenticationFilter(authManager, this.authEntryPoint);
    SecurityFilterChain chain = new DefaultSecurityFilterChain(AnyRequestMatcher.INSTANCE,
            this.cosmoExceptionFilter, this.extraTicketFilter, this.ticketFilter,
            basicAuthFilter, interceptor);

    FilterChainProxy chainProxy = new FilterChainProxy(chain);
    chainProxy.setFirewall(this.httpFirewall);

    FilterRegistrationBean<?> registration = new FilterRegistrationBean<>(chainProxy);
    registration.addUrlPatterns(PATH_DAV);
    return registration;
}
 
Example 13
/**
 * Defines the web based security configuration: SAML filters, public paths and
 * authentication for everything else.
 *
 * @param   http It allows configuring web based security for specific http requests.
 * @throws  Exception if the builder rejects the configuration
 */
@Override  
protected void configure(HttpSecurity http) throws Exception {
    // HTTP Basic is enabled, with the SAML entry point answering unauthenticated requests.
    http
        .httpBasic()
            .authenticationEntryPoint(samlEntryPoint());      
    // NOTE(review): samlFilter() is registered twice, after BasicAuthenticationFilter and
    // before CsrfFilter; confirm which position takes effect and that SAML endpoints
    // are meant to be handled ahead of the CSRF check.
    http
    		.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
    		.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
    		.addFilterBefore(samlFilter(), CsrfFilter.class);
    // The home page, the SAML endpoints and static assets are public.
    http        
        .authorizeRequests()
       		.antMatchers("/").permitAll()
       		.antMatchers("/saml/**").permitAll()
       		.antMatchers("/css/**").permitAll()
       		.antMatchers("/img/**").permitAll()
       		.antMatchers("/js/**").permitAll()
       		.anyRequest().authenticated();
    http
    		.logout()
    			.disable();	// The logout procedure is already handled by SAML filters.
}
 
Example 14
Source Project: spring-boot-security-example   Source File: SecurityConfig.java    License: MIT License
/**
 * Configures a stateless chain in which actuator endpoints require the backend admin
 * role and every other request requires authentication; two custom authentication
 * filters run before {@code BasicAuthenticationFilter}.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CSRF off, no session-backed security context, anonymous authentication disabled.
    http.
            csrf().disable().
            sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).
            and().
            authorizeRequests().
            antMatchers(actuatorEndpoints()).hasRole(backendAdminRole).
            anyRequest().authenticated().
            and().
            anonymous().disable().
            exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint());

    // Both filters are positioned relative to BasicAuthenticationFilter's slot.
    http.addFilterBefore(new AuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class).
            addFilterBefore(new ManagementEndpointAuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class);
}
 
Example 15
Source Project: devicehive-java-server   Source File: WebSecurityConfig.java    License: Apache License 2.0
/**
 * Configures a stateless chain with public static and swagger paths, a CORS filter
 * placed before {@code BasicAuthenticationFilter}, and an HTTP authentication filter
 * placed after the CORS filter.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Only permitAll() rules are declared; there is no anyRequest() rule.
    // NOTE(review): URLs outside these matchers get no URL-level authorization from this
    // method; presumably access is enforced elsewhere (e.g. method security) — verify.
    http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/css/**", "/server/**", "/scripts/**", "/webjars/**", "/templates/**").permitAll()
            .antMatchers("/*/swagger.json", "/*/swagger.yaml").permitAll()
            .and()
            .anonymous().disable()
            .exceptionHandling()
            .authenticationEntryPoint(unauthorizedEntryPoint());

    // The CORS filter must be registered first because the second call positions
    // HttpAuthenticationFilter relative to SimpleCORSFilter.
    http
            .addFilterBefore(new SimpleCORSFilter(), BasicAuthenticationFilter.class)
            .addFilterAfter(new HttpAuthenticationFilter(authenticationManager()), SimpleCORSFilter.class);
}
 
Example 16
Source Project: devicehive-java-server   Source File: WebSecurityConfig.java    License: Apache License 2.0
/**
 * Configures a stateless chain with public static and swagger paths, a CORS filter
 * placed before {@code BasicAuthenticationFilter}, and an HTTP authentication filter
 * placed after the CORS filter.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Only permitAll() rules are declared; there is no anyRequest() rule.
    // NOTE(review): URLs outside these matchers get no URL-level authorization from this
    // method; presumably access is enforced elsewhere (e.g. method security) — verify.
    http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/css/**", "/server/**", "/scripts/**", "/webjars/**", "/templates/**").permitAll()
            .antMatchers("/*/swagger.json", "/*/swagger.yaml").permitAll()
            .and()
            .anonymous().disable()
            .exceptionHandling()
            .authenticationEntryPoint(unauthorizedEntryPoint());

    // The CORS filter must be registered first because the second call positions
    // HttpAuthenticationFilter relative to SimpleCORSFilter.
    http
            .addFilterBefore(new SimpleCORSFilter(), BasicAuthenticationFilter.class)
            .addFilterAfter(new HttpAuthenticationFilter(authenticationManager()), SimpleCORSFilter.class);
}
 
Example 17
Source Project: devicehive-java-server   Source File: WebSecurityConfig.java    License: Apache License 2.0
/**
 * Configures a stateless chain with public static and swagger paths, a CORS filter
 * placed before {@code BasicAuthenticationFilter}, and an HTTP authentication filter
 * placed after the CORS filter.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Only permitAll() rules are declared; there is no anyRequest() rule.
    // NOTE(review): URLs outside these matchers get no URL-level authorization from this
    // method; presumably access is enforced elsewhere (e.g. method security) — verify.
    http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/css/**", "/server/**", "/scripts/**", "/webjars/**", "/templates/**").permitAll()
            .antMatchers("/*/swagger.json", "/*/swagger.yaml").permitAll()
            .and()
            .anonymous().disable()
            .exceptionHandling()
            .authenticationEntryPoint(unauthorizedEntryPoint());

    // The CORS filter must be registered first because the second call positions
    // HttpAuthenticationFilter relative to SimpleCORSFilter.
    http
            .addFilterBefore(new SimpleCORSFilter(), BasicAuthenticationFilter.class)
            .addFilterAfter(new HttpAuthenticationFilter(authenticationManager()), SimpleCORSFilter.class);
}
 
Example 18
Source Project: youkefu   Source File: WebSecurityConfig.java    License: Apache License 2.0
/**
 * Registers three custom filters after {@code BasicAuthenticationFilter} and permits
 * every request at the URL level.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // anyRequest().permitAll() means URL rules enforce nothing; access control rests
    // entirely on the custom interceptors registered here.
    // NOTE(review): the chain is scoped with antMatcher("*/*"), an unusual pattern with no
    // leading slash; confirm which requests it actually matches.
    http.addFilterAfter(tokenInfoTokenFilterSecurityInterceptor() , BasicAuthenticationFilter.class)
     .antMatcher("*/*").authorizeRequests()
     .anyRequest().permitAll()
     .and().addFilterAfter(csrfHeaderFilter(), BasicAuthenticationFilter.class)
     .addFilterAfter(apiTokenFilterSecurityInterceptor(), BasicAuthenticationFilter.class);
}
 
Example 19
Source Project: Hacktoberfest2019   Source File: WebSecurityConfig.java    License: Apache License 2.0
/**
 * Configures SPNEGO authentication with a form-login fallback: "/" and "/home" are
 * public, everything else requires authentication.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.exceptionHandling()
            // Unauthenticated requests are answered by the SPNEGO entry point.
            .authenticationEntryPoint(spnegoEntryPoint())
            .and()
            .authorizeRequests().antMatchers("/", "/home").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and()
            .logout().permitAll()
            .and()
            // The SPNEGO processing filter runs before BasicAuthenticationFilter.
            .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                    BasicAuthenticationFilter.class);
}
 
Example 20
Source Project: springboot-security-wechat   Source File: SecurityConfig.java    License: Apache License 2.0
/**
 * Configures form login with REST-style handlers, a custom security interceptor and
 * an SSO filter placed before {@code BasicAuthenticationFilter}.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            // Rules are evaluated in declaration order and the first match wins: "/**" with
            // permitAll() matches every request, so the rules below it are never reached.
            // NOTE(review): confirm access control is fully delegated to
            // myFilterSecurityInterceptor; otherwise drop this rule.
            .mvcMatchers("/**").permitAll()
            // every request must be authorized
            .anyRequest().fullyAuthenticated()
            // paths that can be accessed without permission
            // NOTE(review): newer Spring Security versions reject matchers declared after
            // anyRequest(); this ordering would then fail at startup.
            .mvcMatchers("/login", "/login/wechat").permitAll()
            .and()
            .formLogin()
            // handling after a successful login; this is an API, so no page redirect
            .successHandler(new MyAuthenticationSuccessHandler())
            // handling after a failed login
            .failureHandler(new MySimpleUrlAuthenticationFailureHandler())
            .and()
            // handling after logout
            .logout().logoutSuccessHandler(new RestLogoutSuccessHandler())
            .and()
            // handling when authentication is required but missing
            .exceptionHandling()
            .authenticationEntryPoint(new RestAuthenticationEntryPoint());
    // Replaces the authorization interceptor at FilterSecurityInterceptor's position.
    http.addFilterAt(myFilterSecurityInterceptor, FilterSecurityInterceptor.class);
    http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
    //http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    // CSRF protection is off although form login is enabled.
    http.csrf().disable();
}
 
Example 21
Source Project: blackduck-alert   Source File: AuthenticationHandler.java    License: Apache License 2.0
/**
 * Runs the provider, SSL and H2 console helpers, then configures allowed paths,
 * authentication for everything else, SAML filters, CSRF and logout.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    configureActiveMQProvider();
    configureWithSSL(http);
    // NOTE(review): the helper is not shown; confirm the H2 console is not reachable
    // without authentication in production.
    configureH2Console(http);
    http.authorizeRequests()
        // Paths returned by createAllowedPathMatchers() are public.
        .requestMatchers(createAllowedPathMatchers()).permitAll()
        .and().authorizeRequests().anyRequest().authenticated()
        .and().exceptionHandling().authenticationEntryPoint(samlEntryPoint())
        // CSRF stays enabled except for the matchers from createCsrfIgnoreMatchers().
        .and().csrf().csrfTokenRepository(csrfTokenRepository).ignoringRequestMatchers(createCsrfIgnoreMatchers())
        .and().addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
        .authorizeRequests().withObjectPostProcessor(createRoleProcessor())
        .and().logout().logoutSuccessUrl("/");
}
 
Example 22
Source Project: mojito   Source File: WebSecurityConfig.java    License: Apache License 2.0
/**
 * Configures form login, optional header and OAuth2 filters (both placed before
 * {@code BasicAuthenticationFilter}) and path-specific authentication entry points.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    logger.debug("Configuring web security");

    // Removes the default Cache-Control headers from responses.
    http.headers().cacheControl().disable();

    // CSRF checks are skipped for the two management paths.
    http.csrf().ignoringAntMatchers("/shutdown", "/api/rotation");

    // Rules are evaluated in declaration order and the first match wins.
    // NOTE(review): anyRequest().permitAll() comes before anyRequest().fullyAuthenticated(),
    // so the fullyAuthenticated() rule is never reached and unmatched requests are public.
    // NOTE(review): hasIpAddress("127.0.0.1") checks the request's remote address; behind a
    // reverse proxy on the same host that may be the proxy — verify.
    http.authorizeRequests()
            .antMatchers("/intl/*", "/img/*", "/fonts/*", "/login/**", "/webjars/**", "/cli/**", "/health").permitAll()
            .antMatchers("/shutdown", "/api/rotation").hasIpAddress("127.0.0.1").anyRequest().permitAll()
            .anyRequest().fullyAuthenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .successHandler(new ShowPageAuthenticationSuccessHandler())
            .and()
            .logout().logoutSuccessUrl("/login?logout").permitAll();

    if (headerAuth) {
        http.addFilterBefore(requestHeaderAuthenticationFilter(), BasicAuthenticationFilter.class);
    }

    if (oauth2Enabled) {
        http.addFilterBefore(oauthFilter(), BasicAuthenticationFilter.class);
    }

    // A single "*" matches one path segment only, so these entry points apply to
    // "/api/x" and "/x" but not to deeper paths.
    http.exceptionHandling().defaultAuthenticationEntryPointFor(new Http401AuthenticationEntryPoint("API_UNAUTHORIZED"), new AntPathRequestMatcher("/api/*"));
    http.exceptionHandling().defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint(oauth2Enabled ? "/login/oauth" : "/login"), new AntPathRequestMatcher("/*"));
}
 
Example 23
Source Project: spring-tsers-auth   Source File: WebSecurityConfig.java    License: Apache License 2.0
/**
 * Configures SAML filters alongside form login: a few paths are public, everything
 * else requires authentication.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {

    // CSRF protection is off although form login is enabled.
    // NOTE(review): confirm state-changing requests are not authorised by a session cookie alone.
    http
            .csrf()
            .disable();
    http
            .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
            .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
    http
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/error").permitAll()
            .antMatchers("/saml/**").permitAll()
            .antMatchers("/css/**").permitAll()
            .anyRequest().authenticated();

    http
            .exceptionHandling().accessDeniedHandler(new AccessDeniedHandlerImpl())
            .authenticationEntryPoint(getAuthEntryPoint())
            .and()
            .formLogin()
            // Credentials are posted to "/authenticate" as "username" and "password".
            .loginProcessingUrl("/authenticate")
            .usernameParameter("username")
            .passwordParameter("password")
            .successHandler(new FormAuthSuccessHandler())
            .failureHandler(new SimpleUrlAuthenticationFailureHandler())
            .and()
            .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/")
            .permitAll();
}
 
Example 24
Source Project: quartz-manager   Source File: WebSecurityConfigJWT.java    License: Apache License 2.0
/**
 * Configures a stateless JWT chain in which every request requires authentication,
 * then delegates login and logout wiring to {@code QuartzManagerHttpSecurity}.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
  // CSRF off, no session-backed security context; the JWT filter runs before
  // BasicAuthenticationFilter.
  http.csrf().disable() //
  .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() //
  .exceptionHandling().authenticationEntryPoint(restAuthEntryPoint()).and() //
  .addFilterBefore(jwtAuthenticationTokenFilter(), BasicAuthenticationFilter.class) //
  .authorizeRequests().anyRequest().authenticated();

  QuartzManagerHttpSecurity.from(http).withLoginConfigurer(loginConfigurer(), logoutConfigurer()) //
  .login(LOGIN_PATH, authenticationManager()).logout(LOGOUT_PATH);

  // CSRF is temporarily disabled; the intended configuration is kept below.
  // NOTE(review): if the JWT is ever carried in a cookie, CSRF protection should be restored.
  //    http.csrf().ignoringAntMatchers("/api/login", "/api/signup") //
  //    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) //
}
 
Example 25
/**
 * Defines the web based security configuration: a dedicated session key for the
 * security context, the SAML filter sequence, public paths and authentication for
 * everything else.
 *
 * @param http It allows configuring web based security for specific http requests.
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // The security context is stored in the HTTP session under a SAML-specific attribute name.
    HttpSessionSecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();
    securityContextRepository.setSpringSecurityContextKey("SPRING_SECURITY_CONTEXT_SAML");
    http
            .securityContext()
            .securityContextRepository(securityContextRepository);
    http
            .httpBasic()
            .disable();
    // CSRF protection is off while the security context lives in the session.
    // NOTE(review): confirm this is acceptable for the application's state-changing endpoints.
    http
            .csrf()
            .disable();
    // Each SAML filter is positioned after the previous one, starting from
    // BasicAuthenticationFilter's slot; the logout filter follows LogoutFilter.
    http
            .addFilterAfter(metadataGeneratorFilter, BasicAuthenticationFilter.class)
            .addFilterAfter(metadataDisplayFilter, MetadataGeneratorFilter.class)
            .addFilterAfter(samlEntryPoint, MetadataDisplayFilter.class)
            .addFilterAfter(samlWebSSOProcessingFilter, SAMLEntryPoint.class)
            .addFilterAfter(samlWebSSOHoKProcessingFilter, SAMLProcessingFilter.class)
            .addFilterAfter(samlLogoutProcessingFilter, SAMLWebSSOHoKProcessingFilter.class)
            .addFilterAfter(samlIDPDiscovery, SAMLLogoutProcessingFilter.class)
            .addFilterAfter(samlLogoutFilter, LogoutFilter.class);
    http
            .authorizeRequests()
            .antMatchers("/", "/error", "/saml/**", "/idpselection").permitAll()
            .anyRequest().authenticated();
    http
            .exceptionHandling()
            .authenticationEntryPoint(samlEntryPoint);
    // The default logout handling is disabled; samlLogoutFilter is registered above.
    http
            .logout()
            .disable();
}
 
Example 26
/**
 * Validates the JWT secret, applies the shared security settings, and registers the
 * token and reCAPTCHA filters.
 *
 * <p>The token filter is placed before {@code BasicAuthenticationFilter}; the
 * reCAPTCHA filter is placed before the token filter.
 *
 * @param http the security builder to configure
 * @throws IllegalStateException if the {@code jwt.secret} property is missing or empty
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final String jwtSecret = environment.getProperty("jwt.secret");
    final boolean secretMissing = jwtSecret == null || jwtSecret.isEmpty();
    if (secretMissing) {
        throw new IllegalStateException("JWT secret is mandatory");
    }

    // The shipped default secret is publicly known. Startup continues with only a warning.
    // NOTE(review): consider refusing to start with this value outside development.
    if ("myJWT4Gr4v1t33_S3cr3t".equals(jwtSecret)) {
        final String[] warningBanner = {
            "",
            "##############################################################",
            "#                      SECURITY WARNING                      #",
            "##############################################################",
            "",
            "You still use the default jwt secret.",
            "This known secret can be used to impersonate anyone.",
            "Please change this value, or ask your administrator to do it !",
            "",
            "##############################################################",
            "",
        };
        for (String bannerLine : warningBanner) {
            LOGGER.warn(bannerLine);
        }
    }

    // Shared settings, applied in a fixed order.
    authentication(http);
    session(http);
    authorizations(http);
    hsts(http);
    csrf(http);
    cors(http);

    TokenAuthenticationFilter tokenFilter =
        new TokenAuthenticationFilter(jwtSecret, cookieGenerator, userService, tokenService);
    http.addFilterBefore(tokenFilter, BasicAuthenticationFilter.class);

    RecaptchaFilter recaptchaFilter = new RecaptchaFilter(reCaptchaService, objectMapper);
    http.addFilterBefore(recaptchaFilter, TokenAuthenticationFilter.class);
}
 
Example 27
/**
 * Validates the JWT secret, applies the shared security settings, and registers the
 * token and reCAPTCHA filters.
 *
 * <p>The token filter is placed before {@code BasicAuthenticationFilter} and is built
 * without a user service or token service ({@code null} for both); the reCAPTCHA
 * filter is placed before the token filter.
 *
 * @param http the security builder to configure
 * @throws IllegalStateException if the {@code jwt.secret} property is missing or empty
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final String jwtSecret = environment.getProperty("jwt.secret");
    final boolean secretMissing = jwtSecret == null || jwtSecret.isEmpty();
    if (secretMissing) {
        throw new IllegalStateException("JWT secret is mandatory");
    }

    // The shipped default secret is publicly known. Startup continues with only a warning.
    // NOTE(review): consider refusing to start with this value outside development.
    if ("myJWT4Gr4v1t33_S3cr3t".equals(jwtSecret)) {
        final String[] warningBanner = {
            "",
            "##############################################################",
            "#                      SECURITY WARNING                      #",
            "##############################################################",
            "",
            "You still use the default jwt secret.",
            "This known secret can be used to impersonate anyone.",
            "Please change this value, or ask your administrator to do it !",
            "",
            "##############################################################",
            "",
        };
        for (String bannerLine : warningBanner) {
            LOGGER.warn(bannerLine);
        }
    }

    // Shared settings, applied in a fixed order.
    authentication(http);
    session(http);
    authorizations(http);
    hsts(http);
    csrf(http);
    cors(http);

    // NOTE(review): the last two constructor arguments are null here; confirm the filter
    // tolerates that on every code path.
    TokenAuthenticationFilter tokenFilter =
        new TokenAuthenticationFilter(jwtSecret, cookieGenerator, null, null);
    http.addFilterBefore(tokenFilter, BasicAuthenticationFilter.class);

    RecaptchaFilter recaptchaFilter = new RecaptchaFilter(reCaptchaService, objectMapper);
    http.addFilterBefore(recaptchaFilter, TokenAuthenticationFilter.class);
}
 
Example 28
Source Project: training   Source File: WebSecurityConfig.java    License: MIT License
/**
 * Makes "/" public, requires authentication elsewhere, and registers a
 * pre-authenticated provider plus a JWT filter before
 * {@code BasicAuthenticationFilter}.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CSRF is left at the builder's default here (it is not disabled in this method).
    http
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .anyRequest().authenticated()
            .and()
            .authenticationProvider(preAuthenticatedProvider())
        .addFilterBefore(jwtFilter(), BasicAuthenticationFilter.class)
        .logout().permitAll();

}
 
Example 29
Source Project: syncope   Source File: WebSecurityContext.java    License: Apache License 2.0
/**
 * Configures a stateless chain with HTTP Basic and a JWT filter placed before
 * {@code BasicAuthenticationFilter}; URL rules permit every request.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    SyncopeBasicAuthenticationEntryPoint basicAuthenticationEntryPoint = new SyncopeBasicAuthenticationEntryPoint();
    basicAuthenticationEntryPoint.setRealmName("Apache Syncope authentication");

    SyncopeAuthenticationDetailsSource authenticationDetailsSource = new SyncopeAuthenticationDetailsSource();

    // The JWT filter shares the Basic entry point and details source with httpBasic().
    JWTAuthenticationFilter jwtAuthenticationFilter = new JWTAuthenticationFilter(
            authenticationManager(),
            basicAuthenticationEntryPoint,
            authenticationDetailsSource,
            ctx.getBean(AuthDataAccessor.class),
            ctx.getBean(DefaultCredentialChecker.class));

    // "/**" is permitAll(), so URL rules enforce nothing.
    // NOTE(review): presumably authorization is enforced at the method level — verify.
    // No security context is persisted between requests (stateless policy plus a null repository).
    // headers().disable() removes the default security response headers; CSRF is off.
    http.authorizeRequests().
            antMatchers("/**").permitAll().and().
            sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().
            securityContext().securityContextRepository(new NullSecurityContextRepository()).and().
            anonymous().principal(anonymousUser).and().
            httpBasic().authenticationEntryPoint(basicAuthenticationEntryPoint).
            authenticationDetailsSource(authenticationDetailsSource).and().
            exceptionHandling().accessDeniedHandler(accessDeniedHandler()).and().
            addFilterBefore(jwtAuthenticationFilter, BasicAuthenticationFilter.class).
            addFilterBefore(new MustChangePasswordFilter(), FilterSecurityInterceptor.class).
            headers().disable().
            csrf().disable();
}
 
Example 30
Source Project: tutorials   Source File: WebSecurityConfig.java    License: MIT License
/**
 * Requires authentication for every request and registers the SPNEGO processing
 * filter before {@code BasicAuthenticationFilter}.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // No authentication entry point is set in this method.
    // NOTE(review): confirm how unauthenticated clients are challenged.
    http.authorizeRequests()
      .anyRequest()
      .authenticated()
      .and()
      .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()), BasicAuthenticationFilter.class);
}