Java Code Examples for org.springframework.security.config.annotation.web.builders.httpsecurity#addFilterAfter()
The following examples show how to use
org.springframework.security.config.annotation.web.builders.HttpSecurity#addFilterAfter().
Example 1
Source File: JwtSecurityConfiguration.java From cola with MIT License | 6 votes |
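/**
 * Builds a stateless filter chain for JWT authentication.
 *
 * <p>{@code /login}, {@code /logout} and {@code /error} are open to everyone, form login and
 * logout use handlers supplied by this class, no HTTP session is created, and the JWT filter
 * is registered after {@code SecurityContextPersistenceFilter}.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    // NOTE(review): CSRF protection is switched off. That is only sound if the token is never
    // carried in a cookie the browser attaches on its own -- confirm how jwtAuthenticationFilter
    // reads it. The session policy is set once here; the original repeated the identical call
    // at the end of the chain below.
    http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // NOTE(review): only the three public paths get a URL rule. No anyRequest() rule follows,
    // so URL-level authorization does not restrict other paths; presumably access is enforced
    // elsewhere (method security or the JWT filter) -- confirm.
    http.authorizeRequests()
            .antMatchers("/login", "/logout", "/error").permitAll()
            .and()
            .formLogin()
            .loginProcessingUrl("/login")
            .failureHandler(this.failureHandler())
            .successHandler(this.successHandler())
            .and()
            .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessHandler(new JwtLogoutSuccessHandler())
            .and()
            .exceptionHandling().authenticationEntryPoint(new JwtAuthenticationEntryPoint());

    http.addFilterAfter(this.jwtAuthenticationFilter, SecurityContextPersistenceFilter.class);
}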
Example 2
Source File: SecurityConfig.java From Spring with Apache License 2.0 | 6 votes |
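/**
 * Declares URL authorization rules, HTTPS enforcement, login/logout pages and the explicit
 * placement of several security filters, ending with a custom filter after
 * {@code FilterSecurityInterceptor}.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .regexMatchers("/chief/.*").hasRole("CHIEF")
            // SpEL compares with '=='; a single '=' is the assignment operator, so the original
            // expression did not test the principal's name.
            // NOTE(review): principal.name only resolves if the principal object exposes a
            // getName() accessor -- confirm, or use authentication.name instead.
            .regexMatchers("/agent/.*").access("hasRole('USER') and principal.name == 'James Bond'")
            .anyRequest().authenticated()
            .and().httpBasic()
            .and().requiresChannel().anyRequest().requiresSecure();

    http.exceptionHandling().accessDeniedPage("/accessDenied");
    http.formLogin().loginPage("/login").permitAll();
    http.logout().logoutUrl("/customlogout");

    http.addFilterBefore(securityContextPersistenceFilter(), SecurityContextPersistenceFilter.class);
    http.addFilterAt(exceptionTranslationFilter(), ExceptionTranslationFilter.class);
    http.addFilter(filterSecurityInterceptor()); // This ensures filter ordering by default
    // The custom filter runs only after the authorization decision has been made.
    http.addFilterAfter(new CustomFilter(), FilterSecurityInterceptor.class);
}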
Example 3
Source File: ResourceServerConfiguration.java From open-cloud with MIT License | 6 votes |
/**
 * Configures a resource server: session handling, URL authorization delegated to
 * {@code accessManager}, JSON error handlers, and three custom filters placed around
 * {@code AbstractPreAuthenticatedProcessingFilter}.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);

    // NOTE(review): anyRequest() is declared twice. Depending on the Spring Security version the
    // second rule either replaces the first or is rejected at startup -- confirm which rule is
    // meant to apply.
    http.authorizeRequests()
            .antMatchers("/").permitAll()
            .anyRequest().authenticated()
            // dynamic permission check
            .anyRequest().access("@accessManager.check(request,authentication)");

    // Authentication/authorization error handling, kept uniform across services;
    // every resource server should register these handlers.
    http.exceptionHandling()
            .accessDeniedHandler(new JsonAccessDeniedHandler(accessLogService))
            .authenticationEntryPoint(new JsonAuthenticationEntryPoint(accessLogService));

    // NOTE(review): CSRF protection is off while sessions may still be created (IF_REQUIRED);
    // confirm that clients never authenticate with a session cookie.
    http.csrf().disable();

    // logging pre-filter
    http.addFilterBefore(new PreRequestFilter(), AbstractPreAuthenticatedProcessingFilter.class);
    // signature verification filter
    http.addFilterAfter(
            new PreSignatureFilter(baseAppServiceClient, apiProperties,
                    new JsonSignatureDeniedHandler(accessLogService)),
            AbstractPreAuthenticatedProcessingFilter.class);
    // access validation pre-filter
    http.addFilterAfter(
            new PreCheckFilter(accessManager, new JsonAccessDeniedHandler(accessLogService)),
            AbstractPreAuthenticatedProcessingFilter.class);
}
Example 4
Source File: InsightsSecurityConfigurationAdapterKerberos.java From Insights with Apache License 2.0 | 6 votes |
/**
 * Applies the Kerberos (SPNEGO) security setup when the configured authentication protocol
 * matches {@code AUTH_TYPE}; otherwise leaves {@code http} untouched.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    LOG.debug("message Inside InsightsSecurityConfigurationAdapterKerberos,HttpSecurity **** {} ",
            ApplicationConfigProvider.getInstance().getAutheticationProtocol());

    // Nothing to configure unless this adapter's protocol is the active one.
    if (!AUTH_TYPE.equalsIgnoreCase(ApplicationConfigProvider.getInstance().getAutheticationProtocol())) {
        return;
    }

    // NOTE(review): the message names SAMLAuthConfig although this is the Kerberos adapter;
    // looks like a copy-paste leftover -- confirm before relying on it in log searches.
    LOG.debug("message Inside SAMLAuthConfig, check http security **** ");

    http.cors();

    // CSRF stays enabled except for the paths listed in CSRF_IGNORE; the custom filter runs
    // right after the built-in CsrfFilter.
    http.csrf()
            .ignoringAntMatchers(AuthenticationUtils.CSRF_IGNORE)
            .csrfTokenRepository(authenticationUtils.csrfTokenRepository())
            .and()
            .addFilterAfter(new InsightsCustomCsrfFilter(), CsrfFilter.class);

    http.exceptionHandling().authenticationEntryPoint(spnegoEntryPoint());
    http.addFilterAfter(kerberosFilter(), BasicAuthenticationFilter.class);

    // Anonymous access is disabled; only /error and /saml/** are open, /admin/** needs the
    // 'Admin' authority, everything else needs an authenticated user.
    http.anonymous().disable()
            .authorizeRequests()
            .antMatchers("/error").permitAll()
            .antMatchers("/admin/**").access("hasAuthority('Admin')")
            .antMatchers("/saml/**").permitAll()
            //.antMatchers("/user/insightsso/**").permitAll() ///logout
            .anyRequest().authenticated();

    http.logout().logoutSuccessUrl("/");
}
Example 5
Source File: NiFiRegistrySecurityConfig.java From nifi-registry with Apache License 2.0 | 6 votes |
/**
 * Configures the registry API chain: every request must be fully authenticated, no session
 * is kept, security headers are added, and the X.509, JWT, anonymous and resource
 * authorization filters are put in place.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.rememberMe().disable();
    http.authorizeRequests().anyRequest().fullyAuthenticated();
    http.exceptionHandling().authenticationEntryPoint(http401AuthenticationEntryPoint());
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Apply security headers for registry API. Security headers for docs and UI are applied
    // with Jetty filters in registry-core.
    http.headers().xssProtection();
    http.headers().contentSecurityPolicy("frame-ancestors 'self'");
    // HSTS lifetime of roughly one year
    http.headers().httpStrictTransportSecurity().maxAgeInSeconds(31540000);
    http.headers().frameOptions().sameOrigin();

    // x509
    http.addFilterBefore(x509AuthenticationFilter(), AnonymousAuthenticationFilter.class);

    // jwt
    http.addFilterBefore(jwtAuthenticationFilter(), AnonymousAuthenticationFilter.class);

    // otp
    // todo, if needed one-time password auth filter goes here

    // add an anonymous authentication filter that will populate the authenticated,
    // anonymous user if no other user identity is detected earlier in the Spring filter chain
    http.anonymous().authenticationFilter(anonymousAuthenticationFilter);

    // After Spring Security filter chain is complete (so authentication is done),
    // but before the Jersey application endpoints get the request,
    // insert the ResourceAuthorizationFilter to do its authorization checks
    http.addFilterAfter(resourceAuthorizationFilter(), FilterSecurityInterceptor.class);
}
Example 6
Source File: CustomWebSecurityConfigurerAdapter.java From tutorials with MIT License | 5 votes |
/**
 * Protects everything except {@code /securityNone} with HTTP Basic authentication and
 * registers {@code CustomFilter} after {@code BasicAuthenticationFilter}.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // The open path is listed first; the catch-all rule comes last because rules are
    // consulted in declaration order.
    http.authorizeRequests()
            .antMatchers("/securityNone").permitAll()
            .anyRequest().authenticated();

    http.httpBasic().authenticationEntryPoint(authenticationEntryPoint);

    // Placed after Basic authentication; whether a request has been authenticated by the time
    // the custom filter sees it depends on that filter's outcome.
    http.addFilterAfter(new CustomFilter(), BasicAuthenticationFilter.class);
}
Example 7
Source File: CustomWebSecurityConfigurerAdapter.java From tutorials with MIT License | 5 votes |
/**
 * Protects everything except {@code /securityNone} with HTTP Basic authentication and
 * registers {@code CustomFilter} after {@code BasicAuthenticationFilter}.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // The open path is listed first; the catch-all rule comes last because rules are
    // consulted in declaration order.
    http.authorizeRequests()
            .antMatchers("/securityNone").permitAll()
            .anyRequest().authenticated();

    http.httpBasic().authenticationEntryPoint(authenticationEntryPoint);

    // Placed after Basic authentication; whether a request has been authenticated by the time
    // the custom filter sees it depends on that filter's outcome.
    http.addFilterAfter(new CustomFilter(), BasicAuthenticationFilter.class);
}
Example 8
Source File: NiFiWebApiSecurityConfiguration.java From nifi with Apache License 2.0 | 5 votes |
/**
 * Configures the web API chain: CORS on, remember-me off, every request fully authenticated,
 * no session, and the X.509, JWT, OTP, Knox and anonymous filters positioned around
 * {@code AnonymousAuthenticationFilter}.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors();
    http.rememberMe().disable();
    http.authorizeRequests().anyRequest().fullyAuthenticated();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // x509
    http.addFilterBefore(x509FilterBean(), AnonymousAuthenticationFilter.class);

    // jwt
    http.addFilterBefore(jwtFilterBean(), AnonymousAuthenticationFilter.class);

    // otp
    http.addFilterBefore(otpFilterBean(), AnonymousAuthenticationFilter.class);

    // knox
    http.addFilterBefore(knoxFilterBean(), AnonymousAuthenticationFilter.class);

    // anonymous
    http.addFilterAfter(anonymousFilterBean(), AnonymousAuthenticationFilter.class);

    // disable default anonymous handling because it doesn't handle conditional authentication well
    http.anonymous().disable();
}
Example 9
Source File: ApplicationSecurity.java From secure-rest-spring-tut with MIT License | 5 votes |
/**
 * Configures URL rules, login/logout handlers, a CORS filter, a custom CSRF scope and a filter
 * that binds the CSRF token to a response cookie.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/*/**").permitAll()
            .antMatchers("/login", "/rest/open/**").permitAll()
            .antMatchers("/logout", "/rest/**").authenticated();

    // Handlers and entry points
    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
    http.formLogin()
            .successHandler(authenticationSuccessHandler)
            .failureHandler(authenticationFailureHandler);

    // Logout
    http.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);

    // CORS
    http.addFilterBefore(corsFilter, ChannelProcessingFilter.class);

    // CSRF
    // A request needs a CSRF token only when it matches NONE of the exemptions below.
    // We disable CSRF at login/logout, but only for OPTIONS methods
    // NOTE(review): this replaces the default matcher, so the method-based exemptions listed
    // here apply only to the named paths -- confirm that is intended for paths outside /rest.
    AndRequestMatcher csrfRequired = new AndRequestMatcher(
            new NegatedRequestMatcher(new AntPathRequestMatcher("/login*/**", HttpMethod.OPTIONS.toString())),
            new NegatedRequestMatcher(new AntPathRequestMatcher("/logout*/**", HttpMethod.OPTIONS.toString())),
            new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", HttpMethod.GET.toString())),
            new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", HttpMethod.HEAD.toString())),
            new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", HttpMethod.OPTIONS.toString())),
            new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", HttpMethod.TRACE.toString())),
            new NegatedRequestMatcher(new AntPathRequestMatcher("/rest/open*/**")));
    http.csrf().requireCsrfProtectionMatcher(csrfRequired);

    // CSRF tokens handling
    http.addFilterAfter(new CsrfTokenResponseCookieBindingFilter(), CsrfFilter.class);
}
Example 10
Source File: ServletContainerConfiguration.java From haven-platform with Apache License 2.0 | 5 votes |
/**
 * Configures the UI chain: token-header authentication, form login under {@code /ui/},
 * logout, frame options, an access-context filter after {@code SwitchUserFilter}, and
 * optionally HTTP Basic.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final String uiPrefix = "/ui/";
    final String loginUrl = uiPrefix + "login.html";

    RequestTokenHeaderRequestMatcher tokenHeaderMatcher = new RequestTokenHeaderRequestMatcher();
    TokenAuthProvider tokenAuthProvider = new TokenAuthProvider(tokenValidator, userDetailsService, authProcessor);
    TokenAuthFilterConfigurer<HttpSecurity> tokenAuth =
            new TokenAuthFilterConfigurer<>(tokenHeaderMatcher, tokenAuthProvider);

    // NOTE(review): CSRF protection is off while form login is active and the stateless session
    // policy below is still commented out, so session-cookie requests are not CSRF-protected
    // here -- confirm this is acceptable or covered elsewhere.
    // NOTE(review): uiPrefix already ends with '/', so uiPrefix + "/token/login" contains a
    // double slash -- verify the pattern matches the intended URL.
    http.csrf().disable()
            .authenticationProvider(provider).userDetailsService(userDetailsService)
            .anonymous().principal(SecurityUtils.USER_ANONYMOUS).and()
            .authorizeRequests().antMatchers(uiPrefix + "/token/login").permitAll()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()//allow CORS option calls
            .antMatchers(uiPrefix + "**").authenticated()
            .and().headers().cacheControl().disable()
            .and().formLogin().loginPage(loginUrl).permitAll().defaultSuccessUrl(uiPrefix)
            .and().logout().logoutUrl(uiPrefix + "logout").logoutSuccessUrl(loginUrl)
            .and().apply(tokenAuth);
    // enable after testing
    // .and().sessionManagement()
    // .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // X-Frame-Options
    http.headers().frameOptions().sameOrigin();

    http.addFilterAfter(new AccessContextFilter(aclContextFactory), SwitchUserFilter.class);

    //we use basic in testing and scripts
    if (basicAuthEnable) {
        http.httpBasic();
    }
}
Example 11
Source File: WebSecurityConfigurer.java From bdf3 with Apache License 2.0 | 5 votes |
/**
 * Turns off CSRF protection and the security response headers, then installs a project
 * {@code FilterSecurityInterceptor} after Spring's own and publishes it as a shared object.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): CSRF protection and every default security header (frame options, XSS
    // protection, and the rest) are disabled here. The final headers().disable() removes the
    // whole headers configurer, which makes the two per-header calls before it redundant.
    // Confirm these protections are supplied elsewhere (for example by a front-end proxy).
    http.csrf().disable();
    http.headers().frameOptions().disable();
    http.headers().xssProtection().disable();
    http.headers().disable();

    // The unqualified FilterSecurityInterceptor is the type used by this class; the fully
    // qualified one is Spring's filter, which serves as the position anchor.
    FilterSecurityInterceptor interceptor = createFilterSecurityInterceptor();
    http.addFilterAfter(
            interceptor,
            org.springframework.security.web.access.intercept.FilterSecurityInterceptor.class);
    http.setSharedObject(FilterSecurityInterceptor.class, interceptor);
}
Example 12
Source File: SpringSecurityConfig.java From springboot_security_restful_api with Apache License 2.0 | 5 votes |
/**
 * Configures role-based rules for the {@code /api} endpoints, form login, logout, error
 * handlers, CSRF exemptions for the session endpoints and three custom filters.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
protected void configure(HttpSecurity http) throws Exception {
    // Rules are consulted in order, first match wins.
    // NOTE(review): the GET rule sits before the "/api/**" rule, so any GET outside
    // /api/admin/** and /api/basic/** is public, including GETs under /api/** -- confirm that
    // no read endpoint there needs authentication.
    http.authorizeRequests()
            .antMatchers("/api/admin/**").hasRole("ADMIN")
            .antMatchers("/api/basic/**").hasRole("BASIC")
            .antMatchers("/api/session").permitAll()
            .antMatchers(HttpMethod.GET).permitAll()
            .antMatchers("/api/**").hasRole("BASIC");

    http.formLogin()
            .and()
            .logout()
            .logoutUrl("/api/session/logout")
            .addLogoutHandler(customLogoutHandler)
            .logoutSuccessHandler(customLogoutHandler);

    // The same handler object serves both the access-denied and the unauthenticated case.
    http.exceptionHandling()
            .accessDeniedHandler(customAccessDeniedHandler)
            .authenticationEntryPoint(customAccessDeniedHandler);

    // CSRF stays on, except for the session (login/logout) endpoints.
    http.csrf().ignoringAntMatchers("/api/session/**");

    http.addFilterBefore(new AcceptHeaderLocaleFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterAt(customAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);
}
Example 13
Source File: JwtUsernamePasswordFiterLoginConfig.java From quartz-manager with Apache License 2.0 | 4 votes |
/**
 * Registers the login-processing filter after
 * {@code AbstractPreAuthenticatedProcessingFilter}.
 *
 * @param loginPath path passed on to the login filter
 * @param http builder for the filter chain being configured
 * @param authenticationManager manager passed on to the login filter
 * @return the same {@code http} builder, for chaining
 * @throws Exception if building the filter fails
 */
@Override
public HttpSecurity login(String loginPath, HttpSecurity http, AuthenticationManager authenticationManager)
        throws Exception {
    log.debug("Configuring login through JwtAuthenticationFilter...");
    http.addFilterAfter(
            authenticationProcessingFilter(loginPath, authenticationManager),
            AbstractPreAuthenticatedProcessingFilter.class);
    // addFilterAfter returns the builder it was called on
    return http;
}
Example 14
Source File: AtlasSecurityConfig.java From atlas with Apache License 2.0 | 4 votes |
/**
 * Configures the Atlas web chain: all requests authenticated, static response headers,
 * session handling, HTTP Basic and form login, logout, and the project's own filters
 * (active-server, stale-transaction cleanup, SSO, Atlas authentication, CSRF prevention and,
 * when enabled, the Keycloak filters).
 *
 * @param httpSecurity builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
protected void configure(HttpSecurity httpSecurity) throws Exception {
    //@formatter:off
    httpSecurity.authorizeRequests().anyRequest().authenticated();

    httpSecurity.headers()
            .addHeaderWriter(new StaticHeadersWriter(HeadersUtil.CONTENT_SEC_POLICY_KEY, HeadersUtil.headerMap.get(HeadersUtil.CONTENT_SEC_POLICY_KEY)))
            .addHeaderWriter(new StaticHeadersWriter(SERVER_KEY, HeadersUtil.headerMap.get(SERVER_KEY)));

    httpSecurity.servletApi();

    // NOTE(review): the built-in CSRF filter is disabled; csrfPreventionFilter registered below
    // presumably takes over that role -- confirm it covers every state-changing request.
    httpSecurity.csrf().disable();

    // A session is always created, URL rewriting of the session id is off, and a fresh
    // session is issued on authentication.
    httpSecurity.sessionManagement()
            .enableSessionUrlRewriting(false)
            .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
            .sessionFixation()
            .newSession();

    httpSecurity.httpBasic()
            .authenticationEntryPoint(getDelegatingAuthenticationEntryPoint());

    httpSecurity.formLogin()
            .loginPage("/login.jsp")
            .loginProcessingUrl("/j_spring_security_check")
            .successHandler(successHandler)
            .failureHandler(failureHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password");

    httpSecurity.logout()
            .logoutSuccessUrl("/login.jsp")
            .deleteCookies("ATLASSESSIONID")
            .logoutUrl("/logout.html");
    //@formatter:on

    boolean configMigrationEnabled = !StringUtils.isEmpty(configuration.getString(ATLAS_MIGRATION_MODE_FILENAME));
    if (configuration.getBoolean("atlas.server.ha.enabled", false) || configMigrationEnabled) {
        LOG.info(configMigrationEnabled
                ? "Atlas is in Migration Mode, enabling ActiveServerFilter"
                : "Atlas is in HA Mode, enabling ActiveServerFilter");
        httpSecurity.addFilterAfter(activeServerFilter, BasicAuthenticationFilter.class);
    }

    // Registration order is kept as in the original: several filters share the same anchor.
    httpSecurity.addFilterAfter(staleTransactionCleanupFilter, BasicAuthenticationFilter.class);
    httpSecurity.addFilterBefore(ssoAuthenticationFilter, BasicAuthenticationFilter.class);
    httpSecurity.addFilterAfter(atlasAuthenticationFilter, SecurityContextHolderAwareRequestFilter.class);
    httpSecurity.addFilterAfter(csrfPreventionFilter, AtlasAuthenticationFilter.class);

    if (keycloakEnabled) {
        httpSecurity.logout().addLogoutHandler(keycloakLogoutHandler());
        httpSecurity.addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class);
        httpSecurity.addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class);
        httpSecurity.addFilterAfter(keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class);
        httpSecurity.addFilterAfter(keycloakAuthenticatedActionsRequestFilter(), KeycloakSecurityContextRequestFilter.class);
    }
}
Example 15
Source File: SecurityManagedConfiguration.java From hawkbit with Eclipse Public License 1.0 | 4 votes |
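/**
 * Configures the management REST chain ({@code /rest...} and {@code /system/admin...}):
 * optional CORS and HTTPS enforcement, URL authorization, either OIDC bearer-token or
 * Basic/header authentication, a tenant-metadata filter, no anonymous access and no session.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
    HttpSecurity httpSec = http.regexMatcher("\\/rest.*|\\/system/admin.*").csrf().disable();

    if (securityProperties.getCors().isEnabled()) {
        httpSec = httpSec.cors().and();
    }

    if (securityProperties.isRequireSsl()) {
        httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
    }

    // URL rules are consulted in declaration order and the first match decides. The original
    // declared anyRequest() first, which left the admin rule unreachable (newer Spring Security
    // versions reject that ordering at startup). The specific admin rule now comes first.
    // NOTE(review): admin endpoints may additionally be guarded by method-level checks -- confirm.
    httpSec.authorizeRequests()
            .antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**")
            .hasAnyAuthority(SpPermission.SYSTEM_ADMIN)
            .anyRequest().authenticated();

    if (oidcBearerTokenAuthenticationFilter != null) {
        // Only get the first client registration. Testing against every
        // client could increase the attack surface
        ClientRegistration clientRegistration = null;
        for (final ClientRegistration cr : clientRegistrationRepository) {
            clientRegistration = cr;
            break;
        }

        Assert.notNull(clientRegistration, "There must be a valid client registration");
        httpSec.oauth2ResourceServer().jwt().jwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri());

        oidcBearerTokenAuthenticationFilter.setClientRegistration(clientRegistration);

        httpSec.addFilterAfter(oidcBearerTokenAuthenticationFilter, BearerTokenAuthenticationFilter.class);
    } else {
        final BasicAuthenticationEntryPoint basicAuthEntryPoint = new BasicAuthenticationEntryPoint();
        basicAuthEntryPoint.setRealmName(securityProperties.getBasicRealm());

        // Thin wrapper that forwards every servlet-filter call to userAuthenticationFilter.
        httpSec.addFilterBefore(new Filter() {
            @Override
            public void init(final FilterConfig filterConfig) throws ServletException {
                userAuthenticationFilter.init(filterConfig);
            }

            @Override
            public void doFilter(final ServletRequest request, final ServletResponse response,
                    final FilterChain chain) throws IOException, ServletException {
                userAuthenticationFilter.doFilter(request, response, chain);
            }

            @Override
            public void destroy() {
                userAuthenticationFilter.destroy();
            }
        }, RequestHeaderAuthenticationFilter.class);
        httpSec.httpBasic().and().exceptionHandling().authenticationEntryPoint(basicAuthEntryPoint);
    }

    httpSec.addFilterAfter(
            new AuthenticationSuccessTenantMetadataCreationFilter(systemManagement, systemSecurityContext),
            SessionManagementFilter.class);

    httpSec.anonymous().disable();
    httpSec.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}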
Example 16
Source File: AtlasSecurityConfig.java From incubator-atlas with Apache License 2.0 | 4 votes |
/**
 * Configures the Atlas web chain: all requests authenticated, session handling, form login,
 * logout, HTTP Basic, and the project's own filters (active-server in HA mode,
 * stale-transaction cleanup, SSO, Atlas authentication, CSRF prevention and authorization).
 *
 * @param httpSecurity builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
protected void configure(HttpSecurity httpSecurity) throws Exception {
    //@formatter:off
    httpSecurity.authorizeRequests().anyRequest().authenticated();

    // NOTE(review): the default security response headers are switched off entirely --
    // confirm they are set elsewhere.
    httpSecurity.headers().disable();

    httpSecurity.servletApi();

    // NOTE(review): the built-in CSRF filter is disabled; csrfPreventionFilter registered below
    // presumably takes over that role -- confirm it covers every state-changing request.
    httpSecurity.csrf().disable();

    // A session is always created, URL rewriting of the session id is off, and a fresh
    // session is issued on authentication.
    httpSecurity.sessionManagement()
            .enableSessionUrlRewriting(false)
            .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
            .sessionFixation()
            .newSession();

    httpSecurity.formLogin()
            .loginPage("/login.jsp")
            .loginProcessingUrl("/j_spring_security_check")
            .successHandler(successHandler)
            .failureHandler(failureHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password");

    httpSecurity.logout()
            .logoutSuccessUrl("/login.jsp")
            .deleteCookies("ATLASSESSIONID")
            .logoutUrl("/logout.html");

    httpSecurity.httpBasic()
            .authenticationEntryPoint(getDelegatingAuthenticationEntryPoint());
    //@formatter:on

    boolean haEnabled = configuration.getBoolean("atlas.server.ha.enabled", false);
    if (haEnabled) {
        LOG.info("Atlas is in HA Mode, enabling ActiveServerFilter");
        httpSecurity.addFilterAfter(activeServerFilter, BasicAuthenticationFilter.class);
    }

    // Registration order is kept as in the original: several filters share the same anchor.
    httpSecurity.addFilterAfter(staleTransactionCleanupFilter, BasicAuthenticationFilter.class);
    httpSecurity.addFilterAfter(ssoAuthenticationFilter, BasicAuthenticationFilter.class);
    httpSecurity.addFilterAfter(atlasAuthenticationFilter, SecurityContextHolderAwareRequestFilter.class);
    httpSecurity.addFilterAfter(csrfPreventionFilter, AtlasAuthenticationFilter.class);
    httpSecurity.addFilterAfter(atlasAuthorizationFilter, FilterSecurityInterceptor.class);
}
Example 17
Source File: ClientErrorLoggingConfigurer.java From tutorials with MIT License | 4 votes |
/**
 * Registers a {@code ClientErrorLoggingFilter} for the configured error codes after
 * {@code FilterSecurityInterceptor}.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if the filter cannot be registered
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    ClientErrorLoggingFilter loggingFilter = new ClientErrorLoggingFilter(errorCodes);
    // Positioned behind the authorization filter in the chain.
    http.addFilterAfter(loggingFilter, FilterSecurityInterceptor.class);
}
Example 18
Source File: SecurityConfig.java From para with Apache License 2.0 | 4 votes |
/**
 * Registers every authentication filter that has been provided (non-null), giving each one
 * the authentication manager and placing it after {@code BasicAuthenticationFilter}.
 * The SAML metadata filter is registered last and without a null check.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if the authentication manager cannot be obtained or a filter is rejected
 */
private void registerAuthFilters(HttpSecurity http) throws Exception {
    // Username/password login
    if (passwordFilter != null) {
        passwordFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(passwordFilter, BasicAuthenticationFilter.class);
    }

    // Passwordless login
    if (passwordlessFilter != null) {
        passwordlessFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(passwordlessFilter, BasicAuthenticationFilter.class);
    }

    // OpenID and the individual social / identity providers
    if (openidFilter != null) {
        openidFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(openidFilter, BasicAuthenticationFilter.class);
    }

    if (facebookFilter != null) {
        facebookFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(facebookFilter, BasicAuthenticationFilter.class);
    }

    if (googleFilter != null) {
        googleFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(googleFilter, BasicAuthenticationFilter.class);
    }

    if (linkedinFilter != null) {
        linkedinFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(linkedinFilter, BasicAuthenticationFilter.class);
    }

    if (twitterFilter != null) {
        twitterFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(twitterFilter, BasicAuthenticationFilter.class);
    }

    if (githubFilter != null) {
        githubFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(githubFilter, BasicAuthenticationFilter.class);
    }

    if (microsoftFilter != null) {
        microsoftFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(microsoftFilter, BasicAuthenticationFilter.class);
    }

    if (slackFilter != null) {
        slackFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(slackFilter, BasicAuthenticationFilter.class);
    }

    if (amazonFilter != null) {
        amazonFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(amazonFilter, BasicAuthenticationFilter.class);
    }

    // Generic OAuth2, LDAP and SAML
    if (oauth2Filter != null) {
        oauth2Filter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(oauth2Filter, BasicAuthenticationFilter.class);
    }

    if (ldapFilter != null) {
        ldapFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(ldapFilter, BasicAuthenticationFilter.class);
    }

    if (samlFilter != null) {
        samlFilter.setAuthenticationManager(authenticationManager());
        http.addFilterAfter(samlFilter, BasicAuthenticationFilter.class);
    }

    // NOTE(review): unlike the filters above, samlMetaFilter is registered without a null
    // check -- presumably it is always initialised; confirm.
    http.addFilterAfter(samlMetaFilter, BasicAuthenticationFilter.class);
}
Example 19
Source File: SsoSecurityConfigurer.java From spring-security-oauth2-boot with Apache License 2.0 | 4 votes |
/**
 * Wires the SSO filter with the builder's shared session-authentication strategy and
 * registers it after {@code AbstractPreAuthenticatedProcessingFilter}.
 *
 * @param builder builder for the filter chain being configured
 * @throws Exception if the filter cannot be registered
 */
@Override
public void configure(HttpSecurity builder) throws Exception {
    // Reuse the strategy the builder already holds so that the SSO login goes through the
    // same session handling as the rest of the chain.
    SessionAuthenticationStrategy sessionStrategy = builder.getSharedObject(SessionAuthenticationStrategy.class);
    OAuth2ClientAuthenticationProcessingFilter oauthFilter = this.filter;
    oauthFilter.setSessionAuthenticationStrategy(sessionStrategy);
    builder.addFilterAfter(oauthFilter, AbstractPreAuthenticatedProcessingFilter.class);
}
Example 20
Source File: SecurityConfig.java From ambari-logsearch with Apache License 2.0 | 4 votes |
/**
 * Configures the Log Search chain: response headers, URL authorization, the project's
 * authentication provider with HTTP Basic, the ordered set of Log Search filters, logout,
 * and (conditionally) the log-level filter manager filter.
 *
 * @param http builder for the filter chain being configured
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Security and no-cache headers; the first argument tells the composite writer whether
    // the configured protocol is https.
    http.headers()
            .addHeaderWriter(
                    new LogSearchCompositeHeaderWriter("https".equals(logSearchHttpConfig.getProtocol()),
                            new XXssProtectionHeaderWriter(),
                            new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.DENY),
                            new XContentTypeOptionsHeaderWriter(),
                            new StaticHeadersWriter("Pragma", "no-cache"),
                            new StaticHeadersWriter("Cache-Control", "no-store")));

    // NOTE(review): CSRF protection is off -- confirm that browser clients never rely on a
    // session cookie alone for state-changing requests.
    http.csrf().disable();

    // Requests matched by requestMatcher() are open; everything else needs the USER role.
    http.authorizeRequests()
            .requestMatchers(requestMatcher()).permitAll()
            .antMatchers("/**").hasRole("USER");

    http.authenticationProvider(logsearchAuthenticationProvider());
    http.httpBasic().authenticationEntryPoint(logsearchAuthenticationEntryPoint());

    // Filter placement; the registration order is kept exactly as in the original because
    // several filters are anchored to the same class.
    http.addFilterBefore(logsearchTrustedProxyFilter(), BasicAuthenticationFilter.class)
            .addFilterAfter(logsearchKRBAuthenticationFilter(), LogsearchTrustedProxyFilter.class)
            .addFilterBefore(logsearchUsernamePasswordAuthenticationFilter(), LogsearchKRBAuthenticationFilter.class)
            .addFilterAfter(securityContextFormationFilter(), FilterSecurityInterceptor.class)
            .addFilterAfter(logsearchMetadataFilter(), LogsearchSecurityContextFormationFilter.class)
            .addFilterAfter(logsearchAuditLogFilter(), LogsearchSecurityContextFormationFilter.class)
            .addFilterAfter(logsearchServiceLogFilter(), LogsearchSecurityContextFormationFilter.class)
            .addFilterAfter(logSearchConfigStateFilter(), LogsearchSecurityContextFormationFilter.class)
            .addFilterBefore(logsearchCorsFilter(), LogsearchSecurityContextFormationFilter.class)
            .addFilterBefore(logsearchJwtFilter(), LogsearchSecurityContextFormationFilter.class);

    http.logout()
            .logoutUrl("/logout")
            .deleteCookies(getCookies())
            .logoutSuccessHandler(new LogsearchLogoutSuccessHandler());

    // The log-level filter manager is added only when filters are stored in Solr or ZooKeeper
    // and the config API itself is switched off.
    boolean externalFilterStorage =
            logSearchConfigApiConfig.isSolrFilterStorage() || logSearchConfigApiConfig.isZkFilterStorage();
    if (externalFilterStorage && !logSearchConfigApiConfig.isConfigApiEnabled()) {
        http.addFilterAfter(logSearchLogLevelFilterManagerFilter(),
                LogsearchSecurityContextFormationFilter.class);
    }
}