Java Code Examples for org.springframework.security.web.csrf.CookieCsrfTokenRepository

The following examples show how to use org.springframework.security.web.csrf.CookieCsrfTokenRepository. These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: spring-microservice-exam   Source File: WebSecurityConfig.java    License: MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    successHandler.setTargetUrlParameter("redirectTo");
    successHandler.setAlwaysUseDefaultTargetUrl(true);
    successHandler.setDefaultTargetUrl(adminContextPath + "/");

    // 解决spring boot不允许加载iframe问题
    http.headers().frameOptions().disable();

    http.authorizeRequests()
            .antMatchers("/actuator/**", "/hystrix/**", "/hystrix", "*.sender").permitAll()
            .antMatchers(adminContextPath + "/assets/**").permitAll()
            .antMatchers(adminContextPath + "/login").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
            .logout().logoutUrl(adminContextPath + "/logout").and()
            .httpBasic().and()
            .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .ignoringAntMatchers(
                    adminContextPath + "/instances",
                    adminContextPath + "/actuator/**"
            );
}
 
Example 2
Source Project: spring-boot-plus   Source File: SecuritySecureConfig.java    License: Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    successHandler.setTargetUrlParameter("redirectTo");
    successHandler.setDefaultTargetUrl(this.adminServer.path("/"));

    http.authorizeRequests(
            (authorizeRequests) -> authorizeRequests
                    .antMatchers(this.adminServer.path("/assets/**")).permitAll()
                    .antMatchers(this.adminServer.path("/static/**")).permitAll()
                    .antMatchers(this.adminServer.path("/login")).permitAll()
                    .anyRequest().authenticated()
    ).formLogin(
            (formLogin) -> formLogin.loginPage(this.adminServer.path("/login")).successHandler(successHandler).and()
    ).logout((logout) -> logout.logoutUrl(this.adminServer.path("/logout"))).httpBasic(Customizer.withDefaults())
            .csrf((csrf) -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                    .ignoringRequestMatchers(
                            new AntPathRequestMatcher(this.adminServer.path("/instances"),
                                    HttpMethod.POST.toString()),
                            new AntPathRequestMatcher(this.adminServer.path("/instances/*"),
                                    HttpMethod.DELETE.toString()),
                            new AntPathRequestMatcher(this.adminServer.path("/actuator/**"))
                    ))
            .rememberMe((rememberMe) -> rememberMe.key(UUID.randomUUID().toString()).tokenValiditySeconds(1209600));
}
 
Example 3
Source Project: mall-swarm   Source File: SecuritySecureConfig.java    License: Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    successHandler.setTargetUrlParameter("redirectTo");
    successHandler.setDefaultTargetUrl(adminContextPath + "/");

    http.authorizeRequests()
            //1.配置所有静态资源和登录页可以公开访问
            .antMatchers(adminContextPath + "/assets/**").permitAll()
            .antMatchers(adminContextPath + "/login").permitAll()
            .anyRequest().authenticated()
            .and()
            //2.配置登录和登出路径
            .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
            .logout().logoutUrl(adminContextPath + "/logout").and()
            //3.开启http basic支持,admin-client注册时需要使用
            .httpBasic().and()
            .csrf()
            //4.开启基于cookie的csrf保护
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            //5.忽略这些路径的csrf保护以便admin-client注册
            .ignoringAntMatchers(
                    adminContextPath + "/instances",
                    adminContextPath + "/actuator/**"
            );
}
 
Example 4
Source Project: cubeai   Source File: MicroserviceSecurityConfiguration.java    License: Apache License 2.0 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
        .ignoringAntMatchers("/h2-console/**")
        .ignoringAntMatchers("/umu/api/ueditor")
        .ignoringAntMatchers("/ability/model/**")
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
    .and()
        .addFilterBefore(corsFilter, CsrfFilter.class)
        .headers()
        .frameOptions()
        .disable()
    .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
        .authorizeRequests()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/swagger-resources/configuration/ui").permitAll();
}
 
Example 5
Source Project: spring-cloud-learning   Source File: SecuritySecureConfig.java    License: MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    successHandler.setTargetUrlParameter("redirectTo");
    successHandler.setDefaultTargetUrl(adminContextPath + "/");

    http.authorizeRequests()
            .antMatchers(adminContextPath + "/assets/**").permitAll()
            .antMatchers(adminContextPath + "/login").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
            .logout().logoutUrl(adminContextPath + "/logout").and()
            .httpBasic().and()
            .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .ignoringAntMatchers(
                    adminContextPath + "/instances",
                    adminContextPath + "/actuator/**"
            );
    // @formatter:on
}
 
Example 6
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .and()
        .addFilterBefore(corsFilter, CsrfFilter.class)
        .headers()
        .frameOptions()
        .disable()
    .and()
        .logout()
        .logoutUrl("/api/logout")
        .logoutSuccessHandler(ajaxLogoutSuccessHandler())
    .and()
        .authorizeRequests()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .anyRequest().permitAll()
    .and()
        .requiresChannel()
        .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
        .requiresSecure();
}
 
Example 7
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .cors()
        .and()
            .csrf()
            .ignoringAntMatchers("/login")
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .and()
            .authorizeRequests()
            .antMatchers("/onlyforadmin/**").hasAuthority("ADMIN")
            .antMatchers("/secured/**").hasAnyAuthority("USER", "ADMIN")
            .antMatchers("/**").permitAll()
        .and()
            .addFilterBefore(new JWTLoginFilter("/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
 
Example 8
Source Project: Spring-5.0-Cookbook   Source File: AppSecurityModelH.java    License: MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
      .antMatchers("/login*", "/after**").permitAll()
      .anyRequest().authenticated()
      .and()
      .formLogin()
      .loginPage("/login.html")
      .defaultSuccessUrl("/deptform.html")
      .failureUrl("/login.html?error=true")
      .and().logout().logoutUrl("/logout.html")
      .logoutSuccessUrl("/after_logout.html");
   
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    http.sessionManagement().sessionFixation().newSession();
 }
 
Example 9
Source Project: Spring-5.0-Cookbook   Source File: AppSecurityModelH.java    License: MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
      .antMatchers("/login*", "/after**").permitAll()
      .anyRequest().authenticated()
      .and()
      .formLogin()
      .loginPage("/login.html")
      .defaultSuccessUrl("/deptform.html")
      .failureUrl("/login.html?error=true")
      .and().logout().logoutUrl("/logout.html")
      .logoutSuccessUrl("/after_logout.html");
   
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    http.sessionManagement().sessionFixation().newSession();
 }
 
Example 10
Source Project: crnk-example   Source File: SpringSecurityConfiguration.java    License: Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
	// consider moving to stateless and handle token on Angular side
	if (properties.isSecurityEnabled()) {
		// @formatter:off
		http
			.antMatcher("/**").authorizeRequests()
				.antMatchers("/", "/favicon.ico",
						"/assets/**",
						"/login**", "/styles**", "/inline**", "/polyfills**",
						"/scripts***", "/main**" ).permitAll()
				.anyRequest().authenticated()

			.and().logout().logoutSuccessUrl("/").permitAll()
			.and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
			.and().exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
			// .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
			.and().addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
		// @formatter:on
	}
	else {
		http.authorizeRequests().antMatchers("/**").permitAll();
		http.csrf().disable();
	}
}
 
Example 11
Source Project: movie-db-java-on-azure   Source File: SecurityConfig.java    License: MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    boolean usingFacebookAuthentication = facebook().getClientId() != null && !facebook().getClientId().isEmpty();
    if (usingFacebookAuthentication) {
        // @formatter:off
        http.antMatcher("/**").authorizeRequests().antMatchers("/**").permitAll().anyRequest()
                .authenticated().and().exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")).and().logout()
                .logoutSuccessUrl("/").permitAll().and().csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
                .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
        // @formatter:on
    } else {
        http.antMatcher("/**").authorizeRequests().anyRequest().permitAll();
    }
}
 
Example 12
Source Project: micro-service   Source File: SecuritySecureConfig.java    License: MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {

    SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    successHandler.setTargetUrlParameter("redirectTo");
    successHandler.setDefaultTargetUrl(path("/"));

    http.authorizeRequests()
            .antMatchers(path("/assets/**")).permitAll()
            .antMatchers(path("/login")).permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin().loginPage(path("/login")).successHandler(successHandler)
            .and()
            .logout().logoutUrl(path("/logout"))
            .and()
            .httpBasic().and()
            .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .ignoringAntMatchers(
                    path("/instances"),
                    path("/actuator/**")
            );
}
 
Example 13
Source Project: Parrit   Source File: WebSecurityConfiguration.java    License: MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .formLogin()
            .loginPage("/login")
            .loginProcessingUrl("/api/login/project")
            .failureUrl("/error")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/api/logout")
            .logoutSuccessUrl("/")
            .and()
        .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/", "/login", "/error").permitAll()
            .antMatchers(HttpMethod.POST, "/api/login", "/api/login/project", "/api/project").permitAll()
            .anyRequest().authenticated()
            .and()
        .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
 
Example 14
@Override
protected void configure(HttpSecurity http) throws Exception {
	SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
	successHandler.setTargetUrlParameter("redirectTo");
	successHandler.setDefaultTargetUrl(this.adminServer.path("/"));

	http.authorizeRequests((authorizeRequests) -> authorizeRequests
			.antMatchers(this.adminServer.path("/assets/**")).permitAll()
			.antMatchers(this.adminServer.path("/login")).permitAll().anyRequest().authenticated())
			.formLogin((formLogin) -> formLogin.loginPage(this.adminServer.path("/login"))
					.successHandler(successHandler))
			.logout((logout) -> logout.logoutUrl(this.adminServer.path("/logout")))
			.httpBasic(Customizer.withDefaults())
			.csrf((csrf) -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
					.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).ignoringRequestMatchers(
							new AntPathRequestMatcher(this.adminServer.path("/instances"),
									HttpMethod.POST.toString()),
							new AntPathRequestMatcher(this.adminServer.path("/instances/*"),
									HttpMethod.DELETE.toString()),
							new AntPathRequestMatcher(this.adminServer.path("/actuator/**"))));
}
 
Example 15
@Override
protected void configure(HttpSecurity http) throws Exception {
	SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
	successHandler.setTargetUrlParameter("redirectTo");
	successHandler.setDefaultTargetUrl(this.adminServer.path("/"));

	http.authorizeRequests((authorizeRequests) -> authorizeRequests
			.antMatchers(this.adminServer.path("/assets/**")).permitAll()
			.antMatchers(this.adminServer.path("/login")).permitAll().anyRequest().authenticated())
			.formLogin((formLogin) -> formLogin.loginPage(this.adminServer.path("/login"))
					.successHandler(successHandler))
			.logout((logout) -> logout.logoutUrl(this.adminServer.path("/logout")))
			.httpBasic(Customizer.withDefaults())
			.csrf((csrf) -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
					.ignoringRequestMatchers(
							new AntPathRequestMatcher(this.adminServer.path("/instances"),
									HttpMethod.POST.toString()),
							new AntPathRequestMatcher(this.adminServer.path("/instances/*"),
									HttpMethod.DELETE.toString()),
							new AntPathRequestMatcher(this.adminServer.path("/actuator/**"))));
}
 
Example 16
@Override
protected void configure(HttpSecurity http) throws Exception {
	SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
	successHandler.setTargetUrlParameter("redirectTo");
	successHandler.setDefaultTargetUrl(this.adminContextPath + "/");

	http.authorizeRequests((authorizeRequests) -> authorizeRequests
			.antMatchers(this.adminContextPath + "/assets/**").permitAll()
			.antMatchers(this.adminContextPath + "/login").permitAll().anyRequest().authenticated())
			.formLogin((formLogin) -> formLogin.loginPage(this.adminContextPath + "/login")
					.successHandler(successHandler))
			.logout((logout) -> logout.logoutUrl(this.adminContextPath + "/logout"))
			.httpBasic(Customizer.withDefaults())
			.csrf((csrf) -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
					.ignoringRequestMatchers(
							new AntPathRequestMatcher(this.adminContextPath + "/instances",
									HttpMethod.POST.toString()),
							new AntPathRequestMatcher(this.adminContextPath + "/instances/*",
									HttpMethod.DELETE.toString()),
							new AntPathRequestMatcher(this.adminContextPath + "/actuator/**")));
}
 
Example 17
@Override
protected void configure(HttpSecurity http) throws Exception {
	SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
	successHandler.setTargetUrlParameter("redirectTo");
	successHandler.setDefaultTargetUrl(this.adminServer.path("/"));

	http.authorizeRequests((authorizeRequests) -> authorizeRequests
			.antMatchers(this.adminServer.path("/assets/**")).permitAll()
			.antMatchers(this.adminServer.path("/login")).permitAll().anyRequest().authenticated())

			.formLogin((formLogin) -> formLogin.loginPage(this.adminServer.path("/login"))
					.successHandler(successHandler))
			.logout((logout) -> logout.logoutUrl(this.adminServer.path("/logout")))
			.httpBasic(Customizer.withDefaults())
			.csrf((csrf) -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
					.ignoringRequestMatchers(
							new AntPathRequestMatcher(this.adminServer.path("/instances"),
									HttpMethod.POST.toString()),
							new AntPathRequestMatcher(this.adminServer.path("/instances/*"),
									HttpMethod.DELETE.toString()),
							new AntPathRequestMatcher(this.adminServer.path("/actuator/**"))));
}
 
Example 18
@Override
protected void configure(HttpSecurity http) throws Exception {
	SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
	successHandler.setTargetUrlParameter("redirectTo");
	successHandler.setDefaultTargetUrl(this.adminContextPath + "/");

	http.authorizeRequests((authorizeRequests) -> authorizeRequests
			.antMatchers(this.adminContextPath + "/assets/**").permitAll()
			.antMatchers(this.adminContextPath + "/login").permitAll().anyRequest().authenticated())
			.formLogin((formLogin) -> formLogin.loginPage(this.adminContextPath + "/login")
					.successHandler(successHandler))
			.logout((logout) -> logout.logoutUrl(this.adminContextPath + "/logout"))
			.httpBasic(Customizer.withDefaults())
			.csrf((csrf) -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
					.ignoringRequestMatchers(
							new AntPathRequestMatcher(this.adminContextPath + "/instances",
									HttpMethod.POST.toString()),
							new AntPathRequestMatcher(this.adminContextPath + "/instances/*",
									HttpMethod.DELETE.toString()),
							new AntPathRequestMatcher(this.adminContextPath + "/actuator/**")));
}
 
Example 19
Source Project: spring-boot-admin   Source File: SecuritySecureConfig.java    License: Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
	SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
	successHandler.setTargetUrlParameter("redirectTo");
	successHandler.setDefaultTargetUrl(this.adminServer.path("/"));

	http.authorizeRequests(
			(authorizeRequests) -> authorizeRequests.antMatchers(this.adminServer.path("/assets/**")).permitAll() // <1>
					.antMatchers(this.adminServer.path("/login")).permitAll().anyRequest().authenticated() // <2>
	).formLogin(
			(formLogin) -> formLogin.loginPage(this.adminServer.path("/login")).successHandler(successHandler).and() // <3>
	).logout((logout) -> logout.logoutUrl(this.adminServer.path("/logout"))).httpBasic(Customizer.withDefaults()) // <4>
			.csrf((csrf) -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) // <5>
					.ignoringRequestMatchers(
							new AntPathRequestMatcher(this.adminServer.path("/instances"),
									HttpMethod.POST.toString()), // <6>
							new AntPathRequestMatcher(this.adminServer.path("/instances/*"),
									HttpMethod.DELETE.toString()), // <6>
							new AntPathRequestMatcher(this.adminServer.path("/actuator/**")) // <7>
					))
			.rememberMe((rememberMe) -> rememberMe.key(UUID.randomUUID().toString()).tokenValiditySeconds(1209600));
}
 
Example 20
Source Project: tutorials   Source File: SiteSecurityConfigurer.java    License: MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http)
    throws Exception {
    http.antMatcher("/**")
        .authorizeRequests()
        .antMatchers("/", "/webjars/**")
        .permitAll()
        .anyRequest()
        .authenticated()
        .and()
        .logout()
        .logoutSuccessUrl("/")
        .permitAll()
        .and()
        .csrf()
        .csrfTokenRepository(
            CookieCsrfTokenRepository
                .withHttpOnlyFalse());
}
 
Example 21
Source Project: tutorials   Source File: SecurityConfiguration.java    License: MIT License 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
        .ignoringAntMatchers("/h2-console/**")
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
    .and()
        .addFilterBefore(corsFilter, CsrfFilter.class)
        .headers()
        .frameOptions()
        .disable()
    .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
        .authorizeRequests()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/info").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);
}
 
Example 22
Source Project: SpringSecurity-JWT-Vue-Deom   Source File: WebSecurityConfig.java    License: MIT License 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers(PERMIT_ALL_MAPPING)
            .permitAll()
            .antMatchers("/api/user/**", "/api/data", "/api/logout")
            // USER 和 ADMIN 都可以访问
            .hasAnyAuthority(USER, ADMIN)
            .antMatchers("/api/admin/**")
            // 只有 ADMIN 才可以访问
            .hasAnyAuthority(ADMIN)
            .anyRequest()
            .authenticated()
            .and()
            // 添加过滤器链,前一个参数过滤器, 后一个参数过滤器添加的地方
            // 登陆过滤器
            .addFilterBefore(new JwtLoginFilter("/api/login", authenticationManager(), verifyCodeService, loginCountService), UsernamePasswordAuthenticationFilter.class)
            // 请求过滤器
            .addFilterBefore(new JwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            // 开启跨域
            .cors()
            .and()
            // 开启 csrf
            .csrf()
            // .disable();
            .ignoringAntMatchers(PERMIT_ALL_MAPPING)
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
 
Example 23
Source Project: mogu_blog_v2   Source File: WebSecurityConfig.java    License: Apache License 2.0 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    successHandler.setTargetUrlParameter("redirectTo");
    successHandler.setDefaultTargetUrl(adminContextPath + "/");

    //原因是因为springSecurty使用X-Frame-Options防止网页被Frame。所以需要关闭为了让后端的接口管理的swagger页面正常显示
    http.headers().frameOptions().disable();
    http.authorizeRequests().antMatchers(adminContextPath + "/assets/**").permitAll()
            .antMatchers(adminContextPath + "/login").permitAll().anyRequest().authenticated().and().formLogin()
            .loginPage(adminContextPath + "/login").successHandler(successHandler).and().logout()
            .logoutUrl(adminContextPath + "/logout").and().httpBasic().and().csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .ignoringAntMatchers(adminContextPath + "/instances", adminContextPath + "/actuator/**");
}
 
Example 24
Source Project: jeecg-cloud   Source File: SecuritySecureConfig.java    License: Apache License 2.0 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    // 登录成功处理类
    SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    successHandler.setTargetUrlParameter("redirectTo");
    successHandler.setDefaultTargetUrl(adminContextPath + "/");

    http.authorizeRequests()
            //静态文件允许访问
            .antMatchers(adminContextPath + "/assets/**").permitAll()
            //登录页面允许访问
            .antMatchers(adminContextPath + "/login", "/css/**", "/js/**", "/image/*").permitAll()
            //其他所有请求需要登录
            .anyRequest().authenticated()
            .and()
            //登录页面配置,用于替换security默认页面
            .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
            //登出页面配置,用于替换security默认页面
            .logout().logoutUrl(adminContextPath + "/logout").and()
            .httpBasic().and()
            .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .ignoringAntMatchers(
                    "/instances",
                    "/actuator/**"
            );

}
 
Example 25
@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
    .and()
        .addFilterBefore(corsFilter, CsrfFilter.class)
        .exceptionHandling()
        .accessDeniedHandler(problemSupport)
    .and()
        .headers()
        .frameOptions()
        .disable()
    .and()
        .authorizeRequests()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/api/auth-info").permitAll()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/info").permitAll()
        .antMatchers("/management/prometheus").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
    .and()
        .oauth2Login()
    .and()
        .oauth2ResourceServer().jwt();
    // @formatter:on
}
 
Example 26
Source Project: pacbot   Source File: SpringSecurityConfig.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
	http.anonymous().and().antMatcher("/user").authorizeRequests()
	.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll().
        antMatchers(AUTH_WHITELIST).permitAll().
        anyRequest().authenticated()
	.and()
       .csrf()
       .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
 
Example 27
Source Project: pacbot   Source File: SpringSecurityConfig.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
	http.anonymous().and().antMatcher("/user").authorizeRequests()
	.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll().
        antMatchers(AUTH_WHITELIST).permitAll().
        anyRequest().authenticated()
	.and()
       .csrf()
       .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
 
Example 28
Source Project: pacbot   Source File: AuthConfig.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
	http.anonymous().and().antMatcher("/user").authorizeRequests()
	
	.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll().
        antMatchers(AUTH_WHITELIST).permitAll().
        antMatchers("/actuator/**").permitAll().
        anyRequest().authenticated()
	.and()
       .csrf()
       .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
       .ignoringAntMatchers("/instances", "/actuator/**");
}
 
Example 29
Source Project: pacbot   Source File: AuthConfig.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
	http.anonymous().and().antMatcher("/user").authorizeRequests()
	.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll().
        antMatchers(AUTH_WHITELIST).permitAll().
        anyRequest().authenticated()
	.and()
       .csrf()
       .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
 
Example 30
Source Project: pacbot   Source File: SpringSecurityConfig.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
	http.anonymous().and().antMatcher("/user").authorizeRequests()
	.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll().
        antMatchers(AUTH_WHITELIST).permitAll().
        anyRequest().authenticated()
	.and()
       .csrf()
       .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}