
Example 1 with ProtocolEndpointWebSecurityConfigurer

use of org.apereo.cas.web.ProtocolEndpointWebSecurityConfigurer in project cas by apereo.

From the class CasWebSecurityConfigurerAdapter, method configure:

/**
 * Disable Spring Security configuration for protocol endpoints
 * allowing CAS' own security configuration to handle protection
 * of endpoints where necessary.
 *
 * <p>What this method sets up, in order:
 * <ol>
 *   <li>turns off CSRF protection, the default security response headers and
 *       Spring Security's logout handling, and requires a secure channel for
 *       requests that carry an {@code X-Forwarded-Proto} header;</li>
 *   <li>permits all access to every ignored endpoint reported by the registered
 *       {@code ProtocolEndpointWebSecurityConfigurer} beans plus the static
 *       resource and error paths;</li>
 *   <li>applies the per-endpoint actuator access rules from
 *       {@code cas.monitor.endpoints}, then the deny-undefined and
 *       static-resource rules;</li>
 *   <li>lets each configurer apply its own customisation to {@code http}.</li>
 * </ol>
 *
 * @param http http security
 * @throws Exception propagated from the Spring Security builder and from the
 *                   endpoint-access helpers
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // CSRF, security headers and logout handling are all disabled here; CAS's own
    // configuration is expected to cover protection where it is needed.
    // NOTE(review): the secure-channel matcher only tests for the *presence* of
    // X-Forwarded-Proto, not its value, and trusts whoever set the header -- this
    // assumes the header is only ever set by a trusted reverse proxy; confirm.
    http.csrf().disable().headers().disable().logout().disable().requiresChannel().requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null).requiresSecure();
    // Authorization registry backed by the CAS-specific expression handler.
    val requests = http.authorizeRequests().expressionHandler(casWebSecurityExpressionHandler);
    // Collect the ignored endpoints of every non-proxy configurer; each endpoint is
    // normalised to a leading "/" and widened to "/**", so the whole subtree under
    // an ignored endpoint is opened up, not just the exact path.
    val patterns = protocolEndpointWebSecurityConfigurers.stream().filter(BeanSupplier::isNotProxy).map(ProtocolEndpointWebSecurityConfigurer::getIgnoredEndpoints).flatMap(List<String>::stream).map(endpoint -> StringUtils.prependIfMissing(endpoint, "/").concat("/**")).collect(Collectors.toList());
    // Static assets and the error/favicon paths are always open.
    patterns.add("/webjars/**");
    patterns.add("/js/**");
    patterns.add("/css/**");
    patterns.add("/images/**");
    patterns.add("/static/**");
    patterns.add("/error");
    patterns.add("/favicon.ico");
    LOGGER.debug("Configuring protocol endpoints [{}] to exclude/ignore from web security", patterns);
    // Registered before the actuator rules below; matcher registration order is
    // significant in Spring Security, so these paths are permitted regardless of
    // any later, more restrictive rule that would also match them.
    requests.antMatchers(patterns.toArray(String[]::new)).permitAll();
    // Per-endpoint access rules from cas.monitor.endpoints: for every configured
    // endpoint apply each of its access modes. The Unchecked wrappers rethrow any
    // checked exception from configureEndpointAccess as an unchecked one.
    val endpoints = casProperties.getMonitor().getEndpoints().getEndpoint();
    endpoints.forEach(Unchecked.biConsumer((k, v) -> {
        val endpoint = EndpointRequest.to(k);
        v.getAccess().forEach(Unchecked.consumer(access -> configureEndpointAccess(http, requests, access, v, endpoint)));
    }));
    // Presumably locks down actuator endpoints that have no explicit access rule
    // and then handles static resources -- see the helper bodies for the exact rules.
    configureEndpointAccessToDenyUndefined(http, requests);
    configureEndpointAccessForStaticResources(requests);
    // Finally each configurer gets a chance to customise http itself.
    protocolEndpointWebSecurityConfigurers.forEach(cfg -> cfg.configure(http));
}
