Use of org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer in project molgenis by molgenis.
The class MolgenisWebAppSecurityConfig, method configure.
/**
 * Builds the MOLGENIS HTTP security chain: response security headers, the custom
 * authentication filters and providers, the URL authorization rules, HTTP basic / form
 * login, the logout handlers and (disabled) CSRF protection.
 *
 * @param http the Spring Security HTTP builder being configured
 * @throws Exception propagated from the builder API
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
  // Cache-control headers are written for every response except static resources.
  RequestMatcher staticResources =
      new OrRequestMatcher(
          new AntPathRequestMatcher(PATTERN_CSS),
          new AntPathRequestMatcher(PATTERN_JS),
          new AntPathRequestMatcher(PATTERN_IMG),
          new AntPathRequestMatcher(PATTERN_FONTS));
  DelegatingRequestMatcherHeaderWriter cacheControlWriter =
      new DelegatingRequestMatcherHeaderWriter(
          new NegatedRequestMatcher(staticResources), new CacheControlHeadersWriter());

  http.sessionManagement().invalidSessionStrategy(invalidSessionStrategy());

  // Default security headers, except that cache control goes through the writer above.
  http.headers()
      .contentTypeOptions()
      .and()
      .xssProtection()
      .and()
      .httpStrictTransportSecurity()
      .and()
      .frameOptions()
      .and()
      .addHeaderWriter(cacheControlWriter);

  // Authentication filters and providers. Registration order fixes each filter's position
  // in the chain relative to the named anchor filter, so do not reorder casually.
  http.addFilterBefore(anonymousAuthFilter(), AnonymousAuthenticationFilter.class);
  http.authenticationProvider(anonymousAuthenticationProvider());
  http.authenticationProvider(tokenAuthenticationProvider());
  http.authenticationProvider(runAsAuthenticationProvider());
  http.addFilterBefore(tokenAuthenticationFilter(), AnonymousAuthenticationFilter.class);
  http.addFilterBefore(googleAuthenticationProcessingFilter(), TokenAuthenticationFilter.class);
  http.addFilterAfter(changePasswordFilter(), SwitchUserFilter.class);
  http.addFilterAfter(twoFactorAuthenticationFilter(), MolgenisChangePasswordFilter.class);
  http.authenticationProvider(twoFactorAuthenticationProvider());
  http.authenticationProvider(recoveryAuthenticationProvider());

  // URL authorization. The first matching rule wins, so the order below is significant:
  // e.g. the change-password URI must be listed before the broader /account/** permit rule.
  ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry =
      http.authorizeRequests();
  configureUrlAuthorization(registry);
  registry.antMatchers(MolgenisLoginController.URI).permitAll();
  registry.antMatchers(TwoFactorAuthenticationController.URI + "/**").permitAll();
  registry.antMatchers(GOOGLE_AUTHENTICATION_URL).permitAll();
  registry.antMatchers("/beacon/**").permitAll();
  registry.antMatchers("/logo/**").permitAll();
  registry.antMatchers("/molgenis.py").permitAll();
  registry.antMatchers("/molgenis.R").permitAll();
  registry.antMatchers(AccountController.CHANGE_PASSWORD_URI).authenticated();
  registry.antMatchers("/account/**").permitAll();
  registry.antMatchers(PATTERN_SWAGGER).permitAll();
  registry.antMatchers(PATTERN_CSS).permitAll();
  registry.antMatchers(PATTERN_IMG).permitAll();
  registry.antMatchers(PATTERN_JS).permitAll();
  registry.antMatchers(PATTERN_FONTS).permitAll();
  registry.antMatchers("/html/**").permitAll();
  registry.antMatchers("/plugin/void/**").permitAll();
  // NOTE(review): /api/**, /permission/**/write/** and /files/** are open at the URL level.
  // Any access control for them therefore has to happen further down the stack (e.g. entity
  // or plugin permission checks) — verify that it does, this configuration does not show it.
  registry.antMatchers("/api/**").permitAll();
  registry.antMatchers("/webjars/**").permitAll();
  registry.antMatchers("/search").permitAll();
  registry.antMatchers("/captcha").permitAll();
  registry.antMatchers("/dataindexerstatus").authenticated();
  registry.antMatchers("/permission/**/read/**").permitAll();
  registry.antMatchers("/permission/**/write/**").permitAll();
  registry.antMatchers("/scripts/**/run").authenticated();
  registry.antMatchers("/scripts/**/start").authenticated();
  registry.antMatchers("/files/**").permitAll();
  registry.antMatchers("/" + PATH_SEGMENT_APPS + "/**").permitAll();
  // Default deny for everything not matched above.
  registry.anyRequest().denyAll();

  http.httpBasic().authenticationEntryPoint(authenticationEntryPoint());
  http.formLogin()
      .loginPage(MolgenisLoginController.URI)
      .failureUrl(MolgenisLoginController.URI + "?error");
  http.logout()
      .deleteCookies("JSESSIONID")
      .addLogoutHandler(
          (request, response, auth) -> {
            // The session is about to be invalidated; carry the "continue with unsupported
            // browser" flag over to the request so the success handler can still see it.
            if (request.getSession(false) != null
                && request.getSession().getAttribute("continueWithUnsupportedBrowser") != null) {
              request.setAttribute("continueWithUnsupportedBrowser", true);
            }
          })
      .logoutSuccessHandler(
          (request, response, auth) -> {
            String target = "/";
            if (request.getAttribute("continueWithUnsupportedBrowser") != null) {
              target += "?continueWithUnsupportedBrowser=true";
            }
            SimpleUrlLogoutSuccessHandler successHandler = new SimpleUrlLogoutSuccessHandler();
            successHandler.setDefaultTargetUrl(target);
            successHandler.onLogoutSuccess(request, response, auth);
          });
  // NOTE(review): CSRF protection is disabled application-wide. Form-login (cookie) sessions
  // are therefore not protected against cross-site request forgery; confirm this is
  // intentional (presumably for the token-authenticated REST API) and consider enabling CSRF
  // with an ignoring request matcher for token-authenticated paths instead.
  http.csrf().disable();
}
Use of org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer in project cas by apereo.
The class CasWebSecurityConfigurerAdapter, method configureEndpointAccessToDenyUndefined.
/**
 * Applies the default endpoint access rules to every path-mapped actuator endpoint that
 * has no explicit entry under the configured monitor endpoints.
 *
 * <p>Despite the method name this is not an unconditional deny: whatever access rules are
 * configured as the endpoint defaults are applied, so undefined endpoints are only denied
 * when those defaults say so. Endpoints with an explicit entry are left untouched here.
 *
 * @param http the http security builder
 * @param requests the url authorization registry the rules are added to
 */
protected void configureEndpointAccessToDenyUndefined(final HttpSecurity http, final ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry requests) {
  val monitorEndpoints = casProperties.getMonitor().getEndpoints();
  val explicitlyConfigured = monitorEndpoints.getEndpoint().keySet();
  val defaults = monitorEndpoints.getDefaultEndpointProperties();
  pathMappedEndpoints.getObject().forEach(endpoint -> {
    val rootPath = endpoint.getRootPath();
    if (explicitlyConfigured.contains(rootPath)) {
      // Explicit configuration exists; presumably handled by a sibling method — nothing to do.
      LOGGER.trace("Endpoint security is defined for endpoint [{}]", rootPath);
      return;
    }
    val accessRules = defaults.getAccess();
    LOGGER.trace("Endpoint security is NOT defined for endpoint [{}]. Using default security rules [{}]", rootPath, defaults);
    // Match the endpoint itself but not the actuator links (discovery) page.
    val endpointMatcher = EndpointRequest.to(rootPath).excludingLinks();
    // Unchecked.consumer only rewraps checked exceptions thrown by configureEndpointAccess.
    accessRules.forEach(Unchecked.consumer(access -> configureEndpointAccess(http, requests, access, defaults, endpointMatcher)));
  });
}
Use of org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer in project cas by apereo.
The class CasWebSecurityConfigurerAdapter, method configureEndpointAccessByIpAddress.
/**
 * Restricts the given endpoint to requests from one of the configured required IP
 * addresses by registering a SpEL access expression of the form
 * {@code hasIpAddress('a') or hasIpAddress('b')}.
 *
 * <p>NOTE(review): the expression is assembled by string concatenation from configuration
 * values, so the addresses are trusted as-is; a value containing a quote would corrupt the
 * expression. {@code hasIpAddress} checks the servlet remote address, so behind a reverse
 * proxy this only works when forwarded-header handling is configured — otherwise every
 * request appears to originate from the proxy. An empty address list yields an empty
 * access expression, which presumably fails at startup rather than silently permitting —
 * verify.
 *
 * @param requests the url authorization registry the rule is added to
 * @param properties the endpoint properties holding the required IP addresses
 * @param endpoint the request matcher selecting the endpoint
 */
private void configureEndpointAccessByIpAddress(final ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry requests, final ActuatorEndpointProperties properties, final EndpointRequest.EndpointRequestMatcher endpoint) {
  val clauses = properties.getRequiredIpAddresses().stream()
      .map(address -> "hasIpAddress('" + address + "')")
      .collect(Collectors.toList());
  requests.requestMatchers(endpoint).access(String.join(" or ", clauses));
}