org.springframework.security.web.header.writers.XXssProtectionHeaderWriter Java Examples
The following examples show how to use
org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source File: SecurityConfiguration.java From flowable-engine with Apache License 2.0 | 6 votes |
|
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilterBefore(flowableCookieFilterRegistrationBean.getFilter(), UsernamePasswordAuthenticationFilter.class)
.logout()
.logoutUrl("/app/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler)
.addLogoutHandler(new ClearFlowableCookieLogoutHandler())
.and()
.csrf()
.disable() // Disabled, cause enabling it will cause sessions
.headers()
.frameOptions()
.sameOrigin()
.addHeaderWriter(new XXssProtectionHeaderWriter())
.and()
.authorizeRequests()
.antMatchers(REST_ENDPOINTS_PREFIX + "/**").hasAuthority(DefaultPrivileges.ACCESS_MODELER);
}
Example #2
| Source File: SecurityConfiguration.java From flowable-engine with Apache License 2.0 | 6 votes |
|
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilterBefore(flowableCookieFilterRegistration.getFilter(), UsernamePasswordAuthenticationFilter.class)
.logout()
.logoutUrl("/app/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler)
.addLogoutHandler(new ClearFlowableCookieLogoutHandler())
.and()
.csrf()
.disable() // Disabled, cause enabling it will cause sessions
.headers()
.frameOptions()
.sameOrigin()
.addHeaderWriter(new XXssProtectionHeaderWriter())
.and()
.authorizeRequests()
.antMatchers("/app/rest/**").hasAuthority(DefaultPrivileges.ACCESS_TASK)
.antMatchers("/rest/**").hasAuthority(DefaultPrivileges.ACCESS_TASK);
}
Example #3
| Source File: SecurityConfig.java From ambari-logsearch with Apache License 2.0 | 4 votes |
|
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers()
.addHeaderWriter(
new LogSearchCompositeHeaderWriter("https".equals(logSearchHttpConfig.getProtocol()),
new XXssProtectionHeaderWriter(),
new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.DENY),
new XContentTypeOptionsHeaderWriter(),
new StaticHeadersWriter("Pragma", "no-cache"),
new StaticHeadersWriter("Cache-Control", "no-store")))
.and()
.csrf().disable()
.authorizeRequests()
.requestMatchers(requestMatcher())
.permitAll()
.antMatchers("/**")
.hasRole("USER")
.and()
.authenticationProvider(logsearchAuthenticationProvider())
.httpBasic()
.authenticationEntryPoint(logsearchAuthenticationEntryPoint())
.and()
.addFilterBefore(logsearchTrustedProxyFilter(), BasicAuthenticationFilter.class)
.addFilterAfter(logsearchKRBAuthenticationFilter(), LogsearchTrustedProxyFilter.class)
.addFilterBefore(logsearchUsernamePasswordAuthenticationFilter(), LogsearchKRBAuthenticationFilter.class)
.addFilterAfter(securityContextFormationFilter(), FilterSecurityInterceptor.class)
.addFilterAfter(logsearchMetadataFilter(), LogsearchSecurityContextFormationFilter.class)
.addFilterAfter(logsearchAuditLogFilter(), LogsearchSecurityContextFormationFilter.class)
.addFilterAfter(logsearchServiceLogFilter(), LogsearchSecurityContextFormationFilter.class)
.addFilterAfter(logSearchConfigStateFilter(), LogsearchSecurityContextFormationFilter.class)
.addFilterBefore(logsearchCorsFilter(), LogsearchSecurityContextFormationFilter.class)
.addFilterBefore(logsearchJwtFilter(), LogsearchSecurityContextFormationFilter.class)
.logout()
.logoutUrl("/logout")
.deleteCookies(getCookies())
.logoutSuccessHandler(new LogsearchLogoutSuccessHandler());
if ((logSearchConfigApiConfig.isSolrFilterStorage() || logSearchConfigApiConfig.isZkFilterStorage())
&& !logSearchConfigApiConfig.isConfigApiEnabled())
http.addFilterAfter(logSearchLogLevelFilterManagerFilter(), LogsearchSecurityContextFormationFilter.class);
}
Example #4
| Source File: SecurityConfiguration.java From activiti6-boot2 with Apache License 2.0 | 4 votes |
|
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) // stateless
.and()
.rememberMe()
.rememberMeServices(rememberMeServices())
.key(env.getProperty("appconf.security.rememberme.key"))
.and()
.logout()
.logoutUrl("/app/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler)
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.csrf()
.disable() // Disabled, cause enabling it will cause sessions
.headers()
.frameOptions()
.sameOrigin()
.addHeaderWriter(new XXssProtectionHeaderWriter())
.and()
.authorizeRequests()
.antMatchers("/*").permitAll()
.antMatchers("/app/rest/authenticate").permitAll()
.antMatchers("/app/rest/integration/login").permitAll()
.antMatchers("/app/rest/temporary/example-options").permitAll()
.antMatchers("/app/rest/idm/email-actions/*").permitAll()
.antMatchers("/app/rest/idm/signups").permitAll()
.antMatchers("/app/rest/idm/passwords").permitAll()
// .antMatchers("/druid/**").authenticated()
// .antMatchers("/actuator/**").authenticated()
// .antMatchers("/manage/**").authenticated()
.antMatchers("/app/**").authenticated();
// Custom login form configurer to allow for non-standard HTTP-methods (eg. LOCK)
CustomFormLoginConfig<HttpSecurity> loginConfig = new CustomFormLoginConfig<HttpSecurity>();
loginConfig.loginProcessingUrl("/app/authentication")
.successHandler(ajaxAuthenticationSuccessHandler)
.failureHandler(ajaxAuthenticationFailureHandler)
.usernameParameter("j_username")
.passwordParameter("j_password")
.permitAll();
http.apply(loginConfig);
}
Example #5
| Source File: SecurityConfiguration.java From flowable-engine with Apache License 2.0 | 4 votes |
|
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.rememberMe()
.rememberMeServices(rememberMeServices)
.key(idmAppProperties.getSecurity().getRememberMeKey())
.and()
.logout()
.logoutUrl("/app/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler)
.addLogoutHandler(new ClearFlowableCookieLogoutHandler())
.permitAll()
.and()
.csrf()
.disable() // Disabled, cause enabling it will cause sessions
.headers()
.frameOptions()
.sameOrigin()
.addHeaderWriter(new XXssProtectionHeaderWriter())
.and()
.authorizeRequests()
.antMatchers("/*").permitAll()
.antMatchers("/app/rest/authenticate").permitAll()
.antMatchers("/app/**").hasAuthority(DefaultPrivileges.ACCESS_IDM);
// Custom login form configurer to allow for non-standard HTTP-methods (eg. LOCK)
CustomFormLoginConfig<HttpSecurity> loginConfig = new CustomFormLoginConfig<>();
loginConfig.loginProcessingUrl("/app/authentication")
.successHandler(ajaxAuthenticationSuccessHandler)
.failureHandler(ajaxAuthenticationFailureHandler)
.usernameParameter("j_username")
.passwordParameter("j_password")
.permitAll();
http.apply(loginConfig);
}
