/**
 * Registers a {@link CookieClearingLogoutHandler} for the given cookie names, so they
 * are expired in the response once logout succeeds. This is a convenience over calling
 * {@link #addLogoutHandler(LogoutHandler)} with such a handler yourself.
 *
 * NOTE(review): a browser only discards a cookie when the expiring Set-Cookie matches the
 * path/domain the cookie was originally issued with; confirm the handler's defaults line
 * up with how the named cookies are set, otherwise a "cleared" cookie survives logout.
 *
 * @param cookieNamesToClear names of the cookies to expire on successful logout
 * @return this {@link LogoutConfigurer}, for further chaining
 */
public LogoutConfigurer<H> deleteCookies(String... cookieNamesToClear) {
    LogoutHandler cookieClearer = new CookieClearingLogoutHandler(cookieNamesToClear);
    return addLogoutHandler(cookieClearer);
}
/**
 * Wires remember-me authentication into the builder. In order: validates this
 * configurer's own state, resolves the remember-me key, publishes the
 * {@link RememberMeServices} as a shared object, attaches the configured logout handler
 * to an existing {@link LogoutConfigurer} (only when both are present), registers a
 * {@link RememberMeAuthenticationProvider} built from the same key, and prepares the
 * default login filter.
 *
 * @param http the builder being initialised
 * @throws Exception whatever the delegated helpers throw
 */
@SuppressWarnings("unchecked")
@Override
public void init(H http) throws Exception {
    validateInput();

    // The services and the provider are both constructed from this single key, so it
    // is resolved once and shared rather than looked up twice.
    String rememberMeKey = getKey();
    RememberMeServices services = getRememberMeServices(http, rememberMeKey);
    http.setSharedObject(RememberMeServices.class, services);

    // Hook this configurer's logout handler (presumably the one that discards
    // remember-me state) into the logout flow, but only if a logout flow exists and
    // a handler was actually configured.
    LogoutConfigurer<H> logout = http.getConfigurer(LogoutConfigurer.class);
    boolean hookLogout = logout != null && this.logoutHandler != null;
    if (hookLogout) {
        logout.addLogoutHandler(this.logoutHandler);
    }

    RememberMeAuthenticationProvider provider =
            postProcess(new RememberMeAuthenticationProvider(rememberMeKey));
    http.authenticationProvider(provider);

    initDefaultLoginFilter(http);
}
/**
 * Builds and installs the {@link CsrfFilter} for this configurer and connects CSRF
 * handling to the other configurers present on the builder: a {@link CsrfLogoutHandler}
 * is added to the {@link LogoutConfigurer} and a {@link CsrfAuthenticationStrategy} to
 * the {@link SessionManagementConfigurer}, both backed by the same token repository as
 * the filter. The optional pieces (the "which requests need protection" matcher and the
 * access-denied handler) are applied only when they resolve to non-null.
 *
 * @param http the builder being configured
 * @throws Exception whatever the delegated helpers throw
 */
@SuppressWarnings("unchecked")
@Override
public void configure(H http) throws Exception {
    CsrfFilter csrfFilter = new CsrfFilter(this.csrfTokenRepository);

    RequestMatcher protectedRequests = getRequireCsrfProtectionMatcher();
    if (protectedRequests != null) {
        // NOTE(review): a custom matcher decides which requests must carry a valid
        // token; an over-broad exclusion here silently turns CSRF defence off for
        // state-changing requests, so review any such matcher with care.
        csrfFilter.setRequireCsrfProtectionMatcher(protectedRequests);
    }

    AccessDeniedHandler deniedHandler = createAccessDeniedHandler(http);
    if (deniedHandler != null) {
        csrfFilter.setAccessDeniedHandler(deniedHandler);
    }

    // One repository for all three collaborators so they operate on the same token.
    LogoutConfigurer<H> logout = http.getConfigurer(LogoutConfigurer.class);
    if (logout != null) {
        logout.addLogoutHandler(new CsrfLogoutHandler(this.csrfTokenRepository));
    }
    SessionManagementConfigurer<H> sessions = http.getConfigurer(SessionManagementConfigurer.class);
    if (sessions != null) {
        sessions.addSessionAuthenticationStrategy(new CsrfAuthenticationStrategy(this.csrfTokenRepository));
    }

    http.addFilter(postProcess(csrfFilter));
}
/**
 * Expires the named cookies when logout succeeds, by installing a
 * {@link CookieClearingLogoutHandler}. Shorthand for building that handler and passing
 * it to {@link #addLogoutHandler(LogoutHandler)}.
 *
 * NOTE(review): clearing works by sending an already-expired Set-Cookie; the browser
 * only honours it if path and domain match the original cookie. Verify this for cookies
 * that were set with a non-default path or domain.
 *
 * @param cookieNamesToClear the cookie names to expire after a successful logout
 * @return this configurer, so further calls can be chained
 */
public LogoutConfigurer<H> deleteCookies(String... cookieNamesToClear) {
    final CookieClearingLogoutHandler clearer = new CookieClearingLogoutHandler(cookieNamesToClear);
    return addLogoutHandler(clearer);
}
/**
 * Initialises remember-me support on the builder: validates the configurer, shares the
 * {@link RememberMeServices}, registers the logout handler with an existing
 * {@link LogoutConfigurer} when one is configured, adds a
 * {@link RememberMeAuthenticationProvider} keyed identically to the services, and sets
 * up the default login filter.
 *
 * @param http the builder under construction
 * @throws Exception propagated from the helper methods
 */
@SuppressWarnings("unchecked")
@Override
public void init(H http) throws Exception {
    validateInput();

    // Services and provider must agree on the key; resolve it once.
    final String key = getKey();
    http.setSharedObject(RememberMeServices.class, getRememberMeServices(http, key));

    // Register the logout handler only when there is a logout flow to attach to and a
    // handler has been configured.
    final LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);
    if (logoutConfigurer == null || this.logoutHandler == null) {
        // nothing to hook up
    } else {
        logoutConfigurer.addLogoutHandler(this.logoutHandler);
    }

    final RememberMeAuthenticationProvider rememberMeProvider =
            postProcess(new RememberMeAuthenticationProvider(key));
    http.authenticationProvider(rememberMeProvider);

    initDefaultLoginFilter(http);
}
/**
 * Installs the {@link CsrfFilter} and ties CSRF token handling into logout and session
 * management when those configurers exist: logout gets a {@link CsrfLogoutHandler} and
 * session management a {@link CsrfAuthenticationStrategy}, all sharing this configurer's
 * token repository. The request matcher and access-denied handler are optional and only
 * set when non-null.
 *
 * @param http the builder under construction
 * @throws Exception propagated from the helper methods
 */
@SuppressWarnings("unchecked")
@Override
public void configure(H http) throws Exception {
    final CsrfFilter filter = new CsrfFilter(this.csrfTokenRepository);

    final RequestMatcher matcher = getRequireCsrfProtectionMatcher();
    if (matcher != null) {
        // NOTE(review): this matcher is the single place where CSRF checking can be
        // switched off for a class of requests — keep exclusions as narrow as possible.
        filter.setRequireCsrfProtectionMatcher(matcher);
    }

    final AccessDeniedHandler onDenied = createAccessDeniedHandler(http);
    if (onDenied != null) {
        filter.setAccessDeniedHandler(onDenied);
    }

    final LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);
    if (logoutConfigurer != null) {
        logoutConfigurer.addLogoutHandler(new CsrfLogoutHandler(this.csrfTokenRepository));
    }

    final SessionManagementConfigurer<H> sessionManagement =
            http.getConfigurer(SessionManagementConfigurer.class);
    if (sessionManagement != null) {
        sessionManagement.addSessionAuthenticationStrategy(
                new CsrfAuthenticationStrategy(this.csrfTokenRepository));
    }

    final CsrfFilter processed = postProcess(filter);
    http.addFilter(processed);
}
/**
 * Convenience for {@link #addLogoutHandler(LogoutHandler)}: registers a
 * {@link CookieClearingLogoutHandler} that expires each named cookie once logout has
 * succeeded.
 *
 * NOTE(review): expiry only takes effect if the Set-Cookie the handler emits matches the
 * path/domain under which the cookie was set — confirm this for the cookies named here.
 *
 * @param cookieNamesToClear names of the cookies to expire on logout success
 * @return this {@link LogoutConfigurer}
 */
public LogoutConfigurer<H> deleteCookies(String... cookieNamesToClear) {
    // Delegate straight to the generic handler registration.
    return addLogoutHandler(
            new CookieClearingLogoutHandler(cookieNamesToClear));
}
/**
 * Adds a {@link CookieClearingLogoutHandler} for the given cookie names so that they are
 * expired in the logout response. Equivalent to constructing that handler and calling
 * {@link #addLogoutHandler(LogoutHandler)}.
 *
 * NOTE(review): a cookie issued with a different path or domain than the expiring
 * Set-Cookie will not be removed by the browser — verify for non-default cookies.
 *
 * @param cookieNamesToClear cookies to expire after successful logout
 * @return this configurer for chaining
 */
public LogoutConfigurer<H> deleteCookies(String... cookieNamesToClear) {
    LogoutHandler expireCookies = new CookieClearingLogoutHandler(cookieNamesToClear);
    return addLogoutHandler(expireCookies);
}
/**
 * Security policy for this application: sessions on demand, form login, a custom
 * logout handler, and a logout endpoint that answers with a status code.
 *
 * NOTE(review): the authorization rules are evaluated in order, and
 * {@code antMatchers("/**").permitAll()} matches every request, so the following
 * {@code anyRequest().authenticated()} can never apply — as written no URL is protected
 * by this chain. Confirm that is intended (e.g. method-level security elsewhere) or
 * narrow the permitAll pattern.
 *
 * NOTE(review): CSRF protection is disabled while sessions may still be created
 * (IF_REQUIRED) and form login is enabled, i.e. authentication is session/cookie based.
 * Every state-changing endpoint, including the logout endpoint, is then reachable from
 * a cross-site page with the victim's cookie attached. Re-enable CSRF for browser
 * clients, or document why disabling it is acceptable here.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable() // see class note: risky with cookie-based sessions
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
        .and()
        .requestMatchers().antMatchers("/**")
        .and().authorizeRequests()
        .antMatchers("/**").permitAll() // matches everything: the next rule is unreachable
        .anyRequest().authenticated()
        .and().formLogin().permitAll()
        .and().logout()
        .logoutUrl("/logout")
        .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
        .addLogoutHandler(customLogoutHandler());
}
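/**
 * Stateless security policy: Spring Security creates no HTTP session and CSRF protection
 * is switched off. That combination is only safe when clients do not authenticate with a
 * browser-attached credential (session or auth cookie) — confirm the actual credential
 * is e.g. a bearer token sent in a header.
 *
 * NOTE(review): {@code antMatchers("/**").permitAll()} runs before
 * {@code anyRequest().authenticated()} and matches every request, so the latter is dead
 * and no URL is protected by this chain. Either narrow the permitAll pattern or drop the
 * unreachable rule; as written the config reads as if something were protected.
 *
 * NOTE(review): with no session, what "logout" actually revokes depends entirely on
 * {@code customLogoutHandler()}; {@code clearAuthentication(true)} only drops the
 * security context of the current request.
 *
 * A commented-out line that sketched a custom filter for {@code /api/**} at the
 * FilterSecurityInterceptor position was removed: dead code in a security config invites
 * the wrong assumption that the filter is active. Track it in an issue if still planned.
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .requestMatchers().antMatchers("/**")
        .and().authorizeRequests()
        .antMatchers("/**").permitAll() // matches everything: the next rule never applies
        .anyRequest().authenticated()
        .and().logout()
        .logoutUrl("/logout")
        .clearAuthentication(true)
        .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
        .addLogoutHandler(customLogoutHandler());
}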
/**
 * Security chain for the admin app: a Flowable cookie filter runs ahead of form login,
 * logout clears the Flowable cookie, CSRF is disabled, and the REST API requires the
 * admin privilege.
 *
 * NOTE(review): if, as its name suggests, the Flowable cookie filter authenticates
 * requests from a cookie, then disabling CSRF lets a cross-site page issue
 * state-changing {@code /app/rest/**} requests with the victim's cookie attached.
 * Re-enable CSRF with a token the admin UI can send, or document the compensating
 * control (SameSite cookie attribute, custom-header check, ...).
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // Cookie-based authentication before Spring's username/password filter
        // (assumed from the filter's name — confirm).
        .addFilterBefore(flowableCookieFilterRegistrationBean.getFilter(), UsernamePasswordAuthenticationFilter.class)
        .logout()
        .logoutUrl("/app/logout")
        .logoutSuccessHandler(ajaxLogoutSuccessHandler)
        // NOTE(review): both a dedicated handler and deleteCookies() target the Flowable
        // cookie. If one invalidates server-side state and the other expires the browser
        // cookie that is fine; if both merely expire the cookie, one is redundant.
        .addLogoutHandler(new ClearFlowableCookieLogoutHandler())
        .deleteCookies(CookieConstants.COOKIE_NAME)
        .and()
        .csrf()
        .disable() // see class note
        .authorizeRequests()
        // Only the REST API is constrained in this chain; other paths carry no rule here.
        .antMatchers("/app/rest/**").hasAuthority(DefaultPrivileges.ACCESS_ADMIN);
}
}
/**
 * Security chain for a server-side-rendered app that authenticates against Keycloak via
 * Spring's OAuth2/OIDC login. URL-level authorization is wide open; access control is
 * expected to come from method-level security (not visible here — verify it is enabled
 * and applied to every sensitive entry point).
 *
 * NOTE(review): CSRF is left at Spring's default (enabled), which is correct for a
 * session-based application like this one.
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        // Sessions are created on demand: needed for a classic server-rendered app
        // where the authenticated principal lives in the HTTP session.
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED).and()
        // Every URL is permitted at this layer. NOTE(review): this means the whole
        // application relies on method-based security elsewhere; a controller method
        // without an annotation is therefore public.
        .authorizeRequests().anyRequest().permitAll().and()
        // Logout via /logout is propagated to Keycloak through this handler, so the
        // IdP session is ended as well as the local one.
        .logout().addLogoutHandler(keycloakLogoutHandler).and()
        // Enables Spring 5 OAuth2 login, with a custom OIDC user service that maps
        // the Keycloak user to the local principal.
        .oauth2Login().userInfoEndpoint().oidcUserService(keycloakOidcUserService).and()
        // There is a single client, so instead of a chooser page the login page is
        // the authorization-request URI for the configured realm, which redirects to
        // Keycloak immediately.
        .loginPage(DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/" + realm);
}
};
/**
 * Security chain for the API: role-based URL rules, form login fronted by a custom
 * authentication filter, a custom logout endpoint, unified access-denied /
 * entry-point handling, and CSRF with the token exposed via a response header.
 *
 * NOTE(review): the rules are evaluated in order. After the admin and basic prefixes,
 * {@code antMatchers(HttpMethod.GET).permitAll()} permits every remaining GET —
 * including GETs under {@code /api/**} — without authentication; only non-GET
 * {@code /api/**} requests reach the {@code hasRole("BASIC")} rule. Confirm no GET
 * endpoint outside {@code /api/admin/**} and {@code /api/basic/**} returns sensitive data.
 *
 * NOTE(review): CSRF is ignored for {@code /api/session/**}, which contains the logout
 * endpoint ({@code /api/session/logout}) and presumably the login endpoint handled by
 * the custom filter. That re-opens logout CSRF (a cross-site request can sign the user
 * out) and, if login lives there, login CSRF. Consider narrowing the exclusion to the
 * exact login request only, or keeping logout under CSRF.
 */
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/api/admin/**").hasRole("ADMIN")
        .antMatchers("/api/basic/**").hasRole("BASIC")
        .antMatchers("/api/session").permitAll()
        .antMatchers(HttpMethod.GET).permitAll() // all other GETs are anonymous (see note)
        .antMatchers("/api/**").hasRole("BASIC");
    http.formLogin();
    http.logout()
        .logoutUrl("/api/session/logout")
        // The same object serves as logout handler and logout-success handler.
        .addLogoutHandler(customLogoutHandler)
        .logoutSuccessHandler(customLogoutHandler);
    http.exceptionHandling()
        // One handler for both "not authenticated" and "forbidden"; make sure it
        // distinguishes the two (e.g. 401 vs 403) so clients can react correctly.
        .accessDeniedHandler(customAccessDeniedHandler)
        .authenticationEntryPoint(customAccessDeniedHandler);
    http.csrf()
        .ignoringAntMatchers("/api/session/**"); // see class note on logout/login CSRF
    http.addFilterBefore(new AcceptHeaderLocaleFilter(), UsernamePasswordAuthenticationFilter.class);
    // Replaces Spring's username/password filter with the custom one.
    http.addFilterAt(customAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    // Runs after CsrfFilter so the token is available to copy into a response header
    // (assumed from the filter's name — confirm).
    http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);
}
/**
 * Hooks Stormpath's web support into the Spring Security builder, but only when it is
 * enabled. If Stormpath's own CSRF tokens are in use, its endpoints are excluded from
 * Spring Security's CSRF check (they carry Stormpath's token, not Spring's, and would
 * otherwise be rejected); in all enabled cases the Stormpath logout handler is added.
 *
 * @param http the builder being initialised
 * @throws Exception propagated from the builder
 */
@Override
public void init(HttpSecurity http) throws Exception {
    if (!stormpathWebEnabled) {
        return;
    }

    if (csrfTokenEnabled) {
        // Stormpath validates its own CSRF token on these pages, so Spring Security's
        // check is switched off for each of them. Each call presumably only takes
        // effect when the corresponding feature flag is set (see disableCsrf).
        // NOTE(review): this is a CSRF exclusion; it is only safe as long as Stormpath's
        // token check really covers every state-changing request on these URIs.
        disableCsrf(loginUri, loginEnabled, http);
        disableCsrf(logoutUri, logoutEnabled, http);
        disableCsrf(forgotUri, forgotEnabled, http);
        disableCsrf(changeUri, changeEnabled, http);
        disableCsrf(registerUri, registerEnabled, http);
        disableCsrf(verifyUri, verifyEnabled, http);
    }

    http.logout().addLogoutHandler(logoutHandler);
}
/**
 * Integrates Stormpath's web layer with Spring Security when it is enabled: its
 * endpoints are exempted from Spring's CSRF check whenever Stormpath's own CSRF tokens
 * are active (otherwise Spring would reject their submissions), and the Stormpath
 * logout handler is registered.
 *
 * @param http the builder being initialised
 * @throws Exception propagated from the builder
 */
@Override
public void init(HttpSecurity http) throws Exception {
    if (!stormpathWebEnabled) {
        return;
    }

    if (csrfTokenEnabled) {
        // NOTE(review): each line below is a CSRF exclusion for one Stormpath page;
        // it relies on Stormpath's token check covering that page. The enabled flag is
        // passed along and presumably gates the exclusion (see disableCsrf).
        disableCsrf(loginUri, loginEnabled, http);
        disableCsrf(logoutUri, logoutEnabled, http);
        disableCsrf(forgotUri, forgotEnabled, http);
        disableCsrf(changeUri, changeEnabled, http);
        disableCsrf(registerUri, registerEnabled, http);
        disableCsrf(verifyUri, verifyEnabled, http);
    }

    http.logout().addLogoutHandler(logoutHandler);
}
/**
 * Security chain limited to the auth endpoints ({@code /authorize}, {@code /login},
 * {@code /login/callback}, {@code /logout}): form login on {@code /login}, everything
 * else in the chain authenticated, custom logout with session invalidation and cookie
 * clearing, and two pre-authentication filters.
 *
 * NOTE(review): {@code logoutRequestMatcher(new AntPathRequestMatcher("/logout"))}
 * matches the path for any HTTP method. CSRF is left enabled here, but a plain GET to
 * {@code /logout} carries no token and is not checked, so a cross-site image/link can
 * sign users out (logout CSRF). Restrict the matcher to POST —
 * {@code new AntPathRequestMatcher("/logout", "POST")} — unless a GET logout is a
 * deliberate requirement.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // This chain only handles the four auth paths; other URLs are not covered here.
        .requestMatchers()
        .antMatchers("/authorize", "/login", "/login/callback", "/logout")
        .and()
        .authorizeRequests()
        .antMatchers("/login").permitAll()
        .anyRequest().authenticated()
        .and()
        .formLogin()
        .loginPage("/login")
        .successHandler(authenticationSuccessHandler())
        .failureHandler(authenticationFailureHandler())
        .permitAll()
        .and()
        .logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) // any method — see class note
        .logoutSuccessHandler(new CustomLogoutSuccessHandler())
        .invalidateHttpSession(true)
        .addLogoutHandler(cookieClearingLogoutHandler())
        .and()
        .exceptionHandling()
        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
        .and()
        // Both filters are anchored before the same pre-authentication filter; their
        // order relative to each other is not obvious from these calls — confirm if
        // the cookie check must run before or after the OAuth2 client filter.
        .addFilterBefore(clientOAuth2Filter(), AbstractPreAuthenticatedProcessingFilter.class)
        .addFilterBefore(checkAuthCookieFilter(), AbstractPreAuthenticatedProcessingFilter.class);
}
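/**
 * Wires remember-me authentication into the builder: shares the
 * {@link RememberMeServices}, registers this configurer's logout handler with an
 * existing {@link LogoutConfigurer}, adds a {@link RememberMeAuthenticationProvider}
 * built from the same key as the services, and prepares the default login filter.
 *
 * Fix: the logout handler is now only registered when it is non-null. Previously a
 * null handler was handed to {@code addLogoutHandler} unconditionally, which — depending
 * on the LogoutConfigurer version — either fails at configuration time or only surfaces
 * as an NPE when a user actually logs out, leaving remember-me state intact while the
 * user believes they are signed out.
 *
 * @param http the builder being initialised
 * @throws Exception whatever the delegated helpers throw
 */
@SuppressWarnings("unchecked")
@Override
public void init(H http) throws Exception {
    // Services and provider are built from the same key so tokens issued by one are
    // accepted by the other; resolve it once.
    String key = getKey();
    RememberMeServices rememberMeServices = getRememberMeServices(http, key);
    http.setSharedObject(RememberMeServices.class, rememberMeServices);

    LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);
    // Guard both sides: no logout flow configured, or no handler to register, means
    // there is nothing to hook up.
    if (logoutConfigurer != null && logoutHandler != null) {
        logoutConfigurer.addLogoutHandler(logoutHandler);
    }

    RememberMeAuthenticationProvider authenticationProvider = new RememberMeAuthenticationProvider(key);
    authenticationProvider = postProcess(authenticationProvider);
    http.authenticationProvider(authenticationProvider);

    initDefaultLoginFilter(http);
}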
/**
 * Sets up remember-me on the builder. Validates this configurer first, then publishes
 * the {@link RememberMeServices} as a shared object, attaches the configured logout
 * handler to the {@link LogoutConfigurer} if both exist, registers a
 * {@link RememberMeAuthenticationProvider} using the same key as the services, and
 * finally initialises the default login filter.
 *
 * @param http the builder being initialised
 * @throws Exception propagated from the helper methods
 */
@SuppressWarnings("unchecked")
@Override
public void init(H http) throws Exception {
    validateInput();

    // A single key feeds both the services and the provider.
    final String rememberMeKey = getKey();
    final RememberMeServices rememberMe = getRememberMeServices(http, rememberMeKey);
    http.setSharedObject(RememberMeServices.class, rememberMe);

    final LogoutConfigurer<H> logout = http.getConfigurer(LogoutConfigurer.class);
    final boolean canHookLogout = (logout != null) && (this.logoutHandler != null);
    if (canHookLogout) {
        // Lets logout also run this configurer's handler (presumably clearing
        // remember-me state).
        logout.addLogoutHandler(this.logoutHandler);
    }

    http.authenticationProvider(
            postProcess(new RememberMeAuthenticationProvider(rememberMeKey)));

    initDefaultLoginFilter(http);
}
/**
 * Keycloak-adapter security chain: CSRF governed by a Keycloak-specific request matcher,
 * a Keycloak session-authentication strategy, the adapter's filters inserted at fixed
 * points of the chain, and logout at {@code /sso/logout} that propagates to Keycloak.
 *
 * NOTE(review): {@code /sso/logout} is {@code permitAll} and whether it is CSRF-checked
 * depends entirely on {@code keycloakCsrfRequestMatcher()}. If that matcher does not
 * require a token for the logout request, a cross-site request can sign users out of
 * the app and, via the handler, of Keycloak. Confirm the matcher covers it, or restrict
 * logout to POST with a token.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // Which requests need a CSRF token is decided by the Keycloak matcher, not
        // Spring's default — see class note.
        .csrf().requireCsrfProtectionMatcher(keycloakCsrfRequestMatcher())
        .and()
        .sessionManagement()
        .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
        .and()
        // Pre-auth actions run before LogoutFilter; the processing filter replaces
        // the position basic auth would occupy. The exact semantics of each adapter
        // filter are defined in the Keycloak adapter, not here.
        .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
        .addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class)
        .addFilterAfter(keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class)
        .addFilterAfter(keycloakAuthenticatedActionsRequestFilter(), KeycloakSecurityContextRequestFilter.class)
        .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
        .and()
        .logout()
        // Ends the Keycloak session as well as the local one.
        .addLogoutHandler(keycloakLogoutHandler())
        .logoutUrl("/sso/logout").permitAll() // see class note on logout CSRF
        .logoutSuccessUrl("/");
}
/**
 * Creates the {@link CsrfFilter}, applies the optional request matcher and
 * access-denied handler, connects CSRF to logout ({@link CsrfLogoutHandler}) and to
 * session management ({@link CsrfAuthenticationStrategy}) when those configurers are
 * present, and adds the post-processed filter to the builder. All pieces share this
 * configurer's token repository.
 *
 * @param http the builder being configured
 * @throws Exception propagated from the helper methods
 */
@SuppressWarnings("unchecked")
@Override
public void configure(H http) throws Exception {
    CsrfFilter csrf = new CsrfFilter(this.csrfTokenRepository);

    // Optional: which requests must present a token. NOTE(review): exclusions made
    // through this matcher bypass CSRF entirely for the matched requests.
    RequestMatcher requireProtection = getRequireCsrfProtectionMatcher();
    if (requireProtection != null) {
        csrf.setRequireCsrfProtectionMatcher(requireProtection);
    }

    // Optional: how a missing/invalid token is reported.
    AccessDeniedHandler denied = createAccessDeniedHandler(http);
    if (denied != null) {
        csrf.setAccessDeniedHandler(denied);
    }

    LogoutConfigurer<H> logoutCfg = http.getConfigurer(LogoutConfigurer.class);
    if (logoutCfg != null) {
        CsrfLogoutHandler onLogout = new CsrfLogoutHandler(this.csrfTokenRepository);
        logoutCfg.addLogoutHandler(onLogout);
    }

    SessionManagementConfigurer<H> sessionCfg = http.getConfigurer(SessionManagementConfigurer.class);
    if (sessionCfg != null) {
        CsrfAuthenticationStrategy onAuthentication = new CsrfAuthenticationStrategy(this.csrfTokenRepository);
        sessionCfg.addSessionAuthenticationStrategy(onAuthentication);
    }

    csrf = postProcess(csrf);
    http.addFilter(csrf);
}