org.springframework.security.web.access.channel.ChannelProcessingFilter Java Examples

The following examples show how to use org.springframework.security.web.access.channel.ChannelProcessingFilter. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: WebSecurityConfig.java    From framework with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {

    http
            .addFilterBefore(new InterfaceAccessKeyFilter(), ChannelProcessingFilter.class)
            .addFilterAfter(new CsrfFilter(), InterfaceAccessKeyFilter.class)
            .addFilterBefore(new TokenFilter(), UsernamePasswordAuthenticationFilter.class)
            .addFilterAfter(new TokenSessionFilter(), TokenFilter.class)
            .addFilterAfter(new PermissionFilter(), TokenSessionFilter.class)
            .csrf().disable()
            .headers().frameOptions().sameOrigin()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .and()
                .authorizeRequests().antMatchers("/api/register", "/interface/**", "/api/login", "/api/logout").permitAll()
                .anyRequest().authenticated();

}
 
Example #2
Source File: InsightsSecurityConfigurationAdapterSAML.java    From Insights with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
	LOG.debug("message Inside InsightsSecurityConfigurationAdapterSAML,HttpSecurity **** {} ",
			ApplicationConfigProvider.getInstance().getAutheticationProtocol());
	if (AUTH_TYPE.equalsIgnoreCase(ApplicationConfigProvider.getInstance().getAutheticationProtocol())) {
		LOG.debug("message Inside SAMLAuthConfig, check http security **** ");

		http.cors();
		http.csrf().ignoringAntMatchers(AuthenticationUtils.CSRF_IGNORE)
				.csrfTokenRepository(authenticationUtils.csrfTokenRepository())
				.and().addFilterAfter(new InsightsCustomCsrfFilter(), CsrfFilter.class);

		http.exceptionHandling().authenticationEntryPoint(samlEntryPoint());
		http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class).addFilterAfter(samlFilter(),
				BasicAuthenticationFilter.class);

		http.anonymous().disable().authorizeRequests().antMatchers("/error").permitAll().antMatchers("/admin/**")
				.access("hasAuthority('Admin')").antMatchers("/saml/**").permitAll()
				// .antMatchers("/user/insightsso/**").permitAll() ///logout
				.anyRequest().authenticated();

		http.logout().logoutSuccessUrl("/");
	}
}
 
Example #3
Source File: WebSecurityConfig.java    From spring-boot-security-saml-sample with Apache License 2.0 6 votes vote down vote up
/**
 * Defines the web based security configuration.
 * 
 * @param   http It allows configuring web based security for specific http requests.
 * @throws  Exception 
 */
@Override  
protected void configure(HttpSecurity http) throws Exception {
    http
        .httpBasic()
            .authenticationEntryPoint(samlEntryPoint());      
    http
    		.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
    		.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
    		.addFilterBefore(samlFilter(), CsrfFilter.class);
    http        
        .authorizeRequests()
       		.antMatchers("/").permitAll()
       		.antMatchers("/saml/**").permitAll()
       		.antMatchers("/css/**").permitAll()
       		.antMatchers("/img/**").permitAll()
       		.antMatchers("/js/**").permitAll()
       		.anyRequest().authenticated();
    http
    		.logout()
    			.disable();	// The logout procedure is already handled by SAML filters.
}
 
Example #4
Source File: AuthenticationHandler.java    From blackduck-alert with Apache License 2.0 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    configureActiveMQProvider();
    configureWithSSL(http);
    configureH2Console(http);
    http.authorizeRequests()
        .requestMatchers(createAllowedPathMatchers()).permitAll()
        .and().authorizeRequests().anyRequest().authenticated()
        .and().exceptionHandling().authenticationEntryPoint(samlEntryPoint())
        .and().csrf().csrfTokenRepository(csrfTokenRepository).ignoringRequestMatchers(createCsrfIgnoreMatchers())
        .and().addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
        .authorizeRequests().withObjectPostProcessor(createRoleProcessor())
        .and().logout().logoutSuccessUrl("/");
}
 
Example #5
Source File: WebSecurityConfig.java    From spring-tsers-auth with Apache License 2.0 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {

    http
            .csrf()
            .disable();
    http
            .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
            .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
    http
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/error").permitAll()
            .antMatchers("/saml/**").permitAll()
            .antMatchers("/css/**").permitAll()
            .anyRequest().authenticated();

    http
            .exceptionHandling().accessDeniedHandler(new AccessDeniedHandlerImpl())
            .authenticationEntryPoint(getAuthEntryPoint())
            .and()
            .formLogin()
            .loginProcessingUrl("/authenticate")
            .usernameParameter("username")
            .passwordParameter("password")
            .successHandler(new FormAuthSuccessHandler())
            .failureHandler(new SimpleUrlAuthenticationFailureHandler())
            .and()
            .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/")
            .permitAll();
}
 
Example #6
Source File: ApplicationSecurity.java    From secure-rest-spring-tut with MIT License 5 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
	http.authorizeRequests()
		.antMatchers(HttpMethod.OPTIONS, "/*/**").permitAll()
		.antMatchers("/login", "/rest/open/**").permitAll()
		.antMatchers("/logout", "/rest/**").authenticated();

	// Handlers and entry points
	http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
	http.formLogin().successHandler(authenticationSuccessHandler);
	http.formLogin().failureHandler(authenticationFailureHandler);

	// Logout
	http.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);

	// CORS
	http.addFilterBefore(corsFilter, ChannelProcessingFilter.class);

	// CSRF
	http.csrf().requireCsrfProtectionMatcher(
		new AndRequestMatcher(
			// Apply CSRF protection to all paths that do NOT match the ones below

			// We disable CSRF at login/logout, but only for OPTIONS methods
			new NegatedRequestMatcher(new AntPathRequestMatcher("/login*/**", HttpMethod.OPTIONS.toString())),
			new NegatedRequestMatcher(new AntPathRequestMatcher("/logout*/**", HttpMethod.OPTIONS.toString())),

			new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", HttpMethod.GET.toString())),
			new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", HttpMethod.HEAD.toString())),
			new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", HttpMethod.OPTIONS.toString())),
			new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", HttpMethod.TRACE.toString())),
			new NegatedRequestMatcher(new AntPathRequestMatcher("/rest/open*/**"))
		)
	);
	http.addFilterAfter(new CsrfTokenResponseCookieBindingFilter(), CsrfFilter.class); // CSRF tokens handling
}
 
Example #7
Source File: BasicAuthSecurityConfiguration.java    From spring-cloud-dashboard with Apache License 2.0 4 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
	final RequestMatcher textHtmlMatcher = new MediaTypeRequestMatcher(
			contentNegotiationStrategy,
			MediaType.TEXT_HTML);

	final String loginPage = dashboard("/#/login");

	final BasicAuthenticationEntryPoint basicAuthenticationEntryPoint = new BasicAuthenticationEntryPoint();
	basicAuthenticationEntryPoint.setRealmName(securityProperties.getBasic().getRealm());
	basicAuthenticationEntryPoint.afterPropertiesSet();

	http
		.csrf()
		.disable()
		.authorizeRequests()
		.antMatchers("/")
		.authenticated()
		.antMatchers(
				dashboard("/**"),
				"/authenticate",
				"/security/info",
				"/features",
				"/assets/**").permitAll()
	.and()
		.formLogin().loginPage(loginPage)
		.loginProcessingUrl(dashboard("/login"))
		.defaultSuccessUrl(dashboard("/")).permitAll()
	.and()
		.logout().logoutUrl(dashboard("/logout"))
			.logoutSuccessUrl(dashboard("/logout-success.html"))
		.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()).permitAll()
	.and().httpBasic()
		.and().exceptionHandling()
		.defaultAuthenticationEntryPointFor(
				new LoginUrlAuthenticationEntryPoint(loginPage),
				textHtmlMatcher)
		.defaultAuthenticationEntryPointFor(basicAuthenticationEntryPoint,
				AnyRequestMatcher.INSTANCE)
	.and()
		.authorizeRequests()
		.anyRequest().authenticated();

	final SessionRepositoryFilter<ExpiringSession> sessionRepositoryFilter = new SessionRepositoryFilter<ExpiringSession>(
			sessionRepository());
	sessionRepositoryFilter
			.setHttpSessionStrategy(new HeaderHttpSessionStrategy());

	http.addFilterBefore(sessionRepositoryFilter,
			ChannelProcessingFilter.class).csrf().disable();
	http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}