Java Code Examples for org.springframework.security.config.annotation.web.builders.httpsecurity#addFilterAfter()

The following examples show how to use org.springframework.security.config.annotation.web.builders.HttpSecurity#addFilterAfter(). Each example is preceded by the source file, project and license it was taken from.
Example 1
Source File: JwtSecurityConfiguration.java    From cola with MIT License 6 votes vote down vote up
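/**
 * Configures a stateless filter chain with form login at {@code /login}, logout at
 * {@code /logout}, and {@code jwtAuthenticationFilter} registered directly after
 * {@link SecurityContextPersistenceFilter}.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
public void configure(HttpSecurity http) throws Exception {

	// CSRF protection is off and no HTTP session is created. The session policy is set once,
	// here, for the whole chain.
	// NOTE(review): disabling CSRF is only safe if the token is never sent automatically by the
	// browser (for example as a cookie) — confirm how jwtAuthenticationFilter reads it.
	http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
	http.authorizeRequests()
			// NOTE(review): only these three paths carry an explicit rule and there is no
			// anyRequest() rule, so access control for every other URL depends on something
			// outside this method (presumably jwtAuthenticationFilter) — verify.
			.antMatchers("/login", "/logout", "/error").permitAll()
			.and()
			.formLogin()
			.loginProcessingUrl("/login")
			.failureHandler(this.failureHandler())
			.successHandler(this.successHandler())
			.and()
			.logout()
			.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
			.logoutSuccessHandler(new JwtLogoutSuccessHandler())
			.and()
			.exceptionHandling().authenticationEntryPoint(new JwtAuthenticationEntryPoint());
	http.addFilterAfter(this.jwtAuthenticationFilter, SecurityContextPersistenceFilter.class);
}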
 
Example 2
Source File: SecurityConfig.java    From Spring with Apache License 2.0 6 votes vote down vote up
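/**
 * Configures role-based URL rules, HTTP Basic and form login over HTTPS only, and registers
 * the custom filter beans at explicit positions in the filter chain.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .regexMatchers("/chief/.*").hasRole("CHIEF")
            // "==" compares the principal name. A single "=" is SpEL's assignment operator,
            // so with it this rule would not perform the intended comparison.
            .regexMatchers("/agent/.*").access("hasRole('USER') and principal.name == 'James Bond'")
            .anyRequest().authenticated()
            .and().httpBasic()
            // Every request must arrive over a secure channel.
            .and().requiresChannel().anyRequest().requiresSecure();

    http.exceptionHandling().accessDeniedPage("/accessDenied");

    http.formLogin().loginPage("/login").permitAll();

    http.logout().logoutUrl("/customlogout");

    // Custom filters, each anchored to the standard filter class named in the second argument.
    http.addFilterBefore(securityContextPersistenceFilter(), SecurityContextPersistenceFilter.class);
    http.addFilterAt(exceptionTranslationFilter(), ExceptionTranslationFilter.class);
    http.addFilter(filterSecurityInterceptor()); // This ensures filter ordering by default
    // CustomFilter runs after the authorization decision made by FilterSecurityInterceptor.
    http.addFilterAfter(new CustomFilter(), FilterSecurityInterceptor.class);
}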
 
Example 3
Source File: ResourceServerConfiguration.java    From open-cloud with MIT License 6 votes vote down vote up
/**
 * Configures the resource server's HTTP security: URL rules, JSON error handlers that receive
 * {@code accessLogService}, and three custom filters anchored to
 * {@link AbstractPreAuthenticatedProcessingFilter}.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .and()
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .anyRequest().authenticated()
            // Dynamic permission check.
            // NOTE(review): this is a second anyRequest() rule. URL rules are matched in order,
            // so the authenticated() rule above would match first and this expression would not
            // be reached; newer Spring Security versions refuse a second anyRequest() outright.
            // Confirm the dynamic check is really enforced (PreCheckFilter below also receives
            // accessManager).
            .anyRequest().access("@accessManager.check(request,authentication)")
            .and()
            // Authentication/authorization error handling, kept uniform across services.
            // Every resource server should register these handlers.
            .exceptionHandling()
            .accessDeniedHandler(new JsonAccessDeniedHandler(accessLogService))
            .authenticationEntryPoint(new JsonAuthenticationEntryPoint(accessLogService))
            .and()
            // CSRF protection is off while sessions may still be created (IF_REQUIRED).
            // NOTE(review): confirm no endpoint relies on cookie-based authentication.
            .csrf().disable();
    // Logging pre-filter.
    http.addFilterBefore(new PreRequestFilter(), AbstractPreAuthenticatedProcessingFilter.class);
    // Signature verification filter.
    http.addFilterAfter(new PreSignatureFilter(baseAppServiceClient, apiProperties,new JsonSignatureDeniedHandler(accessLogService)), AbstractPreAuthenticatedProcessingFilter.class);
    // Access verification pre-filter.
    http.addFilterAfter(new PreCheckFilter(accessManager, new JsonAccessDeniedHandler(accessLogService)), AbstractPreAuthenticatedProcessingFilter.class);
}
 
Example 4
Source File: InsightsSecurityConfigurationAdapterKerberos.java    From Insights with Apache License 2.0 6 votes vote down vote up
/**
 * Applies this adapter's security settings, but only when the configured authentication
 * protocol equals {@code AUTH_TYPE} (case-insensitive). Otherwise {@code http} is left
 * untouched by this method.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
	LOG.debug("message Inside InsightsSecurityConfigurationAdapterKerberos,HttpSecurity **** {} ",
			ApplicationConfigProvider.getInstance().getAutheticationProtocol());

	boolean protocolMatches = AUTH_TYPE
			.equalsIgnoreCase(ApplicationConfigProvider.getInstance().getAutheticationProtocol());
	if (!protocolMatches) {
		// Another authentication protocol is configured; this adapter contributes nothing.
		return;
	}
	LOG.debug("message Inside SAMLAuthConfig, check http security **** ");

	http.cors();

	// CSRF protection stays on, except for the AuthenticationUtils.CSRF_IGNORE patterns;
	// the project's CSRF filter runs directly after Spring's CsrfFilter.
	http.csrf()
			.ignoringAntMatchers(AuthenticationUtils.CSRF_IGNORE)
			.csrfTokenRepository(authenticationUtils.csrfTokenRepository());
	http.addFilterAfter(new InsightsCustomCsrfFilter(), CsrfFilter.class);

	http.exceptionHandling().authenticationEntryPoint(spnegoEntryPoint());
	http.addFilterAfter(kerberosFilter(), BasicAuthenticationFilter.class);

	// No anonymous principal: "/error" and "/saml/**" are open, "/admin/**" needs the
	// 'Admin' authority, and everything else needs an authenticated user.
	http.anonymous().disable();
	http.authorizeRequests()
			.antMatchers("/error").permitAll()
			.antMatchers("/admin/**").access("hasAuthority('Admin')")
			.antMatchers("/saml/**").permitAll()
			.anyRequest().authenticated();

	http.logout().logoutSuccessUrl("/");
}
 
Example 5
Source File: NiFiRegistrySecurityConfig.java    From nifi-registry with Apache License 2.0 6 votes vote down vote up
/**
 * Configures the registry API's filter chain: stateless, fully-authenticated access, security
 * response headers, and the x509 / JWT / anonymous / resource-authorization filters.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Core policy: no remember-me, every request fully authenticated, no HTTP session.
    http.rememberMe().disable();
    http.authorizeRequests().anyRequest().fullyAuthenticated();
    http.exceptionHandling().authenticationEntryPoint(http401AuthenticationEntryPoint());
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Security headers for the registry API only; docs and UI get theirs from Jetty filters
    // in registry-core.
    http.headers().xssProtection();
    http.headers().contentSecurityPolicy("frame-ancestors 'self'");
    // HSTS max-age of 31540000 seconds, i.e. roughly one year.
    http.headers().httpStrictTransportSecurity().maxAgeInSeconds(31540000);
    http.headers().frameOptions().sameOrigin();

    // Credential-extracting filters run before the anonymous filter: x509 first, then JWT.
    http.addFilterBefore(x509AuthenticationFilter(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(jwtAuthenticationFilter(), AnonymousAuthenticationFilter.class);

    // A one-time-password filter would be registered here if it is ever needed.

    // Fallback: when no earlier filter found an identity, this filter populates the
    // authenticated, anonymous user.
    http.anonymous().authenticationFilter(anonymousAuthenticationFilter);

    // Once the Spring Security chain has authenticated the request, and before Jersey
    // endpoints see it, ResourceAuthorizationFilter performs its authorization checks.
    http.addFilterAfter(resourceAuthorizationFilter(), FilterSecurityInterceptor.class);
}
 
Example 6
Source File: CustomWebSecurityConfigurerAdapter.java    From tutorials with MIT License 5 votes vote down vote up
/**
 * Opens {@code /securityNone}, requires authentication everywhere else via HTTP Basic, and
 * registers {@code CustomFilter} directly after {@link BasicAuthenticationFilter}.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // "/securityNone" is public; every other request must be authenticated.
    http.authorizeRequests()
        .antMatchers("/securityNone").permitAll()
        .anyRequest().authenticated();

    // HTTP Basic, using the injected authenticationEntryPoint.
    http.httpBasic().authenticationEntryPoint(authenticationEntryPoint);

    // Position in the chain matters: CustomFilter runs after Basic credentials are processed.
    http.addFilterAfter(new CustomFilter(), BasicAuthenticationFilter.class);
}
 
Example 7
Source File: CustomWebSecurityConfigurerAdapter.java    From tutorials with MIT License 5 votes vote down vote up
/**
 * Leaves {@code /securityNone} unauthenticated, protects all other requests with HTTP Basic,
 * and places {@code CustomFilter} directly after {@link BasicAuthenticationFilter}.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Authorization rules: one public path, everything else authenticated.
    http.authorizeRequests()
        .antMatchers("/securityNone").permitAll()
        .anyRequest().authenticated();

    // Authentication mechanism: HTTP Basic with the injected entry point.
    http.httpBasic().authenticationEntryPoint(authenticationEntryPoint);

    // The custom filter is anchored to BasicAuthenticationFilter, so it runs after it.
    http.addFilterAfter(new CustomFilter(), BasicAuthenticationFilter.class);
}
 
Example 8
Source File: NiFiWebApiSecurityConfiguration.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Configures the web API filter chain: CORS, stateless and fully-authenticated access, four
 * credential filters ahead of the anonymous filter position, and a custom anonymous filter
 * replacing Spring's default anonymous handling.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors();
    http.rememberMe().disable();
    http.authorizeRequests().anyRequest().fullyAuthenticated();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Credential filters, registered in this order ahead of the anonymous filter position:
    // x509, JWT, one-time password, Knox.
    http.addFilterBefore(x509FilterBean(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(jwtFilterBean(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(otpFilterBean(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(knoxFilterBean(), AnonymousAuthenticationFilter.class);

    // The project's own anonymous filter takes the slot after the default one...
    http.addFilterAfter(anonymousFilterBean(), AnonymousAuthenticationFilter.class);

    // ...and the default anonymous handling is switched off, because it does not handle
    // conditional authentication well.
    http.anonymous().disable();
}
 
Example 9
Source File: ApplicationSecurity.java    From secure-rest-spring-tut with MIT License 5 votes vote down vote up
/**
 * Configures URL rules, login/logout handlers, a CORS filter and a CSRF policy that exempts
 * selected method/path combinations.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
	// URL rules, matched in order. OPTIONS requests matching "/*/**" are public, as are
	// "/login" and "/rest/open/**"; "/logout" and the rest of "/rest/**" need authentication.
	// NOTE(review): there is no anyRequest() rule, so paths outside these patterns carry no
	// explicit rule here — confirm that is intended.
	http.authorizeRequests()
		.antMatchers(HttpMethod.OPTIONS, "/*/**").permitAll()
		.antMatchers("/login", "/rest/open/**").permitAll()
		.antMatchers("/logout", "/rest/**").authenticated();

	// Entry point plus form-login success and failure handlers.
	http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
	http.formLogin()
		.successHandler(authenticationSuccessHandler)
		.failureHandler(authenticationFailureHandler);

	// Logout endpoint and its success handler.
	http.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);

	// The CORS filter is placed ahead of ChannelProcessingFilter.
	http.addFilterBefore(corsFilter, ChannelProcessingFilter.class);

	// CSRF protection applies to a request only when it matches NONE of the patterns below.
	http.csrf().requireCsrfProtectionMatcher(
		new AndRequestMatcher(
			// Login and logout are exempt for OPTIONS requests only.
			new NegatedRequestMatcher(new AntPathRequestMatcher("/login*/**", HttpMethod.OPTIONS.toString())),
			new NegatedRequestMatcher(new AntPathRequestMatcher("/logout*/**", HttpMethod.OPTIONS.toString())),

			// Under /rest, the GET, HEAD, OPTIONS and TRACE methods are exempt.
			new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", HttpMethod.GET.toString())),
			new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", HttpMethod.HEAD.toString())),
			new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", HttpMethod.OPTIONS.toString())),
			new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", HttpMethod.TRACE.toString())),

			// The open REST area is exempt for every method.
			new NegatedRequestMatcher(new AntPathRequestMatcher("/rest/open*/**"))
		)
	);

	// CSRF token handling: this filter runs directly after Spring's CsrfFilter.
	http.addFilterAfter(new CsrfTokenResponseCookieBindingFilter(), CsrfFilter.class);
}
 
Example 10
Source File: ServletContainerConfiguration.java    From haven-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Configures the UI filter chain: token-header authentication, form login under {@code /ui/},
 * optional HTTP Basic, and an {@code AccessContextFilter} placed after
 * {@link SwitchUserFilter}.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
        protected void configure(HttpSecurity http) throws Exception {
            final String uiPrefix = "/ui/";
            final String loginUrl = uiPrefix + "login.html";

            // Token authentication: requests selected by RequestTokenHeaderRequestMatcher are
            // handed to a TokenAuthProvider built from the validator and user services.
            TokenAuthFilterConfigurer<HttpSecurity> tokenFilterConfigurer =
                    new TokenAuthFilterConfigurer<>(new RequestTokenHeaderRequestMatcher(),
                            new TokenAuthProvider(tokenValidator, userDetailsService, authProcessor));
            // NOTE(review): CSRF protection is disabled while form login is configured and the
            // STATELESS session policy below is still commented out — confirm that cookie-backed
            // sessions are not exposed to cross-site requests.
            http.csrf().disable()
                    .authenticationProvider(provider).userDetailsService(userDetailsService)
                    // Anonymous requests carry the SecurityUtils.USER_ANONYMOUS principal.
                    .anonymous().principal(SecurityUtils.USER_ANONYMOUS).and()
                    .authorizeRequests().antMatchers(uiPrefix + "/token/login").permitAll()
                    .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()//allow CORS option calls
                    .antMatchers(uiPrefix + "**").authenticated()
                    // The default cache-control response headers are switched off.
                    .and().headers().cacheControl().disable()
                    .and().formLogin().loginPage(loginUrl).permitAll().defaultSuccessUrl(uiPrefix)
                    .and().logout().logoutUrl(uiPrefix + "logout").logoutSuccessUrl(loginUrl)
                    .and().apply(tokenFilterConfigurer);
//                enable after testing
//                        .and().sessionManagement()
//                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

            // X-Frame-Options
            http.headers()
              .frameOptions().sameOrigin();

            http.addFilterAfter(new AccessContextFilter(aclContextFactory), SwitchUserFilter.class);

            //we use basic in testing and scripts
            // NOTE(review): basicAuthEnable turns on HTTP Basic for the whole chain; make sure
            // it is off wherever Basic credentials should not be accepted.
            if (basicAuthEnable) {
                http.httpBasic();
            }

        }
 
Example 11
Source File: WebSecurityConfigurer.java    From bdf3 with Apache License 2.0 5 votes vote down vote up
/**
 * Switches off CSRF protection and the security response headers, then registers the
 * interceptor built by {@code createFilterSecurityInterceptor()} after Spring's
 * {@code FilterSecurityInterceptor} and publishes it as a shared object.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
	// NOTE(review): CSRF protection and all default security headers are disabled here.
	// The final headers().disable() covers the two individual disables before it; confirm
	// that frame-options, XSS and the other headers are supplied elsewhere if needed.
	http.csrf().disable();
	http.headers().frameOptions().disable();
	http.headers().xssProtection().disable();
	http.headers().disable();

	// The unqualified FilterSecurityInterceptor is whatever this file imports; Spring's own
	// class is referenced by its fully qualified name as the anchor.
	FilterSecurityInterceptor interceptor = createFilterSecurityInterceptor();
	http.addFilterAfter(
			interceptor,
			org.springframework.security.web.access.intercept.FilterSecurityInterceptor.class);
	http.setSharedObject(FilterSecurityInterceptor.class, interceptor);
}
 
Example 12
Source File: SpringSecurityConfig.java    From springboot_security_restful_api with Apache License 2.0 5 votes vote down vote up
/**
 * Configures role rules for {@code /api/**}, form login, logout, error handling, CSRF and
 * three custom filters, as one fluent chain.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/api/admin/**").hasRole("ADMIN")
            .antMatchers("/api/basic/**").hasRole("BASIC")
            .antMatchers("/api/session").permitAll()
            // Rules are matched in order: any GET that did not hit one of the three rules
            // above is public, including GETs under /api/**.
            .antMatchers(HttpMethod.GET).permitAll()
            .antMatchers("/api/**").hasRole("BASIC")
        .and()
        .formLogin()
        .and()
        .logout()
            .logoutUrl("/api/session/logout")
            .addLogoutHandler(customLogoutHandler)
            .logoutSuccessHandler(customLogoutHandler)
        .and()
        // One object serves as both the access-denied handler and the entry point.
        .exceptionHandling()
            .accessDeniedHandler(customAccessDeniedHandler)
            .authenticationEntryPoint(customAccessDeniedHandler)
        .and()
        // CSRF protection stays on, except under /api/session/**.
        .csrf()
            .ignoringAntMatchers("/api/session/**")
        .and()
        // Custom filters anchored to the standard username/password and CSRF filters.
        .addFilterBefore(new AcceptHeaderLocaleFilter(), UsernamePasswordAuthenticationFilter.class)
        .addFilterAt(customAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
        .addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);
}
 
Example 13
Source File: JwtUsernamePasswordFiterLoginConfig.java    From quartz-manager with Apache License 2.0 4 votes vote down vote up
/**
 * Registers the authentication processing filter for {@code loginPath} after
 * {@link AbstractPreAuthenticatedProcessingFilter}.
 *
 * @param loginPath the path passed to the processing filter
 * @param http the security builder to configure
 * @param authenticationManager the manager passed to the processing filter
 * @return the same builder, for chaining
 * @throws Exception if the filter cannot be created or registered
 */
@Override
public HttpSecurity login(String loginPath, HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
  log.debug("Configuring login through JwtAuthenticationFilter...");
  http.addFilterAfter(
      authenticationProcessingFilter(loginPath, authenticationManager),
      AbstractPreAuthenticatedProcessingFilter.class);
  return http;
}
 
Example 14
Source File: AtlasSecurityConfig.java    From atlas with Apache License 2.0 4 votes vote down vote up
/**
 * Configures the server's filter chain: authenticated access everywhere, static response
 * headers, session handling, HTTP Basic and form login, logout, and the project's custom
 * filters (plus Keycloak filters when {@code keycloakEnabled} is set).
 *
 * @param httpSecurity the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
protected void configure(HttpSecurity httpSecurity) throws Exception {
    //@formatter:off
    httpSecurity
            .authorizeRequests().anyRequest().authenticated()
            .and()
                .headers()
            // Two static headers whose values come from HeadersUtil.headerMap.
            .addHeaderWriter(new StaticHeadersWriter(HeadersUtil.CONTENT_SEC_POLICY_KEY, HeadersUtil.headerMap.get(HeadersUtil.CONTENT_SEC_POLICY_KEY)))
            .addHeaderWriter(new StaticHeadersWriter(SERVER_KEY, HeadersUtil.headerMap.get(SERVER_KEY)))
                    .and()
                .servletApi()
            .and()
                // Spring's CSRF protection is off; csrfPreventionFilter is registered further
                // down — presumably the project's replacement check, verify its coverage.
                .csrf().disable()
                // A session is always created, session ids never go into URLs, and a new
                // session is started on authentication.
                .sessionManagement()
                .enableSessionUrlRewriting(false)
                .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
                .sessionFixation()
                .newSession()
            .and()
            .httpBasic()
            .authenticationEntryPoint(getDelegatingAuthenticationEntryPoint())
            .and()
                .formLogin()
                    .loginPage("/login.jsp")
                    .loginProcessingUrl("/j_spring_security_check")
                    .successHandler(successHandler)
                    .failureHandler(failureHandler)
                    .usernameParameter("j_username")
                    .passwordParameter("j_password")
            .and()
                .logout()
                    .logoutSuccessUrl("/login.jsp")
                    // The session cookie is removed on logout.
                    .deleteCookies("ATLASSESSIONID")
                    .logoutUrl("/logout.html");

    //@formatter:on

    // ActiveServerFilter is only added in HA mode or when a migration file name is configured.
    boolean configMigrationEnabled = !StringUtils.isEmpty(configuration.getString(ATLAS_MIGRATION_MODE_FILENAME));
    if (configuration.getBoolean("atlas.server.ha.enabled", false) ||
            configMigrationEnabled) {
        if(configMigrationEnabled) {
            LOG.info("Atlas is in Migration Mode, enabling ActiveServerFilter");
        } else {
            LOG.info("Atlas is in HA Mode, enabling ActiveServerFilter");
        }
        httpSecurity.addFilterAfter(activeServerFilter, BasicAuthenticationFilter.class);
    }
    // Registration order matters: csrfPreventionFilter is anchored to AtlasAuthenticationFilter,
    // which is registered on the line just before it.
    httpSecurity
            .addFilterAfter(staleTransactionCleanupFilter, BasicAuthenticationFilter.class)
            .addFilterBefore(ssoAuthenticationFilter, BasicAuthenticationFilter.class)
            .addFilterAfter(atlasAuthenticationFilter, SecurityContextHolderAwareRequestFilter.class)
            .addFilterAfter(csrfPreventionFilter, AtlasAuthenticationFilter.class);

    // Optional Keycloak integration: logout handler plus four filters, each anchored to an
    // existing filter class.
    if (keycloakEnabled) {
        httpSecurity
          .logout().addLogoutHandler(keycloakLogoutHandler()).and()
          .addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class)
          .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
          .addFilterAfter(keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class)
          .addFilterAfter(keycloakAuthenticatedActionsRequestFilter(), KeycloakSecurityContextRequestFilter.class);
    }
}
 
Example 15
Source File: SecurityManagedConfiguration.java    From hawkbit with Eclipse Public License 1.0 4 votes vote down vote up
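/**
 * Configures the stateless filter chain for the management REST API and the system-admin
 * endpoints: OIDC bearer-token authentication when an OIDC filter is present, otherwise
 * header-based authentication with HTTP Basic as the entry point.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {

    // This chain only handles URLs matching the regex; CSRF protection is off for them.
    HttpSecurity httpSec = http.regexMatcher("\\/rest.*|\\/system/admin.*").csrf().disable();

    if (securityProperties.getCors().isEnabled()) {
        httpSec = httpSec.cors().and();
    }

    if (securityProperties.isRequireSsl()) {
        httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
    }

    // URL rules are matched in order and the first match wins, so the admin rule has to be
    // declared before anyRequest(); a rule placed after anyRequest() is never reached.
    httpSec.authorizeRequests()
            .antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**")
            .hasAnyAuthority(SpPermission.SYSTEM_ADMIN)
            .anyRequest().authenticated();

    if (oidcBearerTokenAuthenticationFilter != null) {

        // Only the first client registration is used. Testing tokens against every
        // registered client could enlarge the attack surface.
        ClientRegistration clientRegistration = null;
        for (final ClientRegistration cr : clientRegistrationRepository) {
            clientRegistration = cr;
            break;
        }

        Assert.notNull(clientRegistration, "There must be a valid client registration");
        // JWTs are verified against the JWK set published by that registration's provider.
        httpSec.oauth2ResourceServer().jwt().jwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri());

        oidcBearerTokenAuthenticationFilter.setClientRegistration(clientRegistration);

        httpSec.addFilterAfter(oidcBearerTokenAuthenticationFilter, BearerTokenAuthenticationFilter.class);
    } else {
        final BasicAuthenticationEntryPoint basicAuthEntryPoint = new BasicAuthenticationEntryPoint();
        basicAuthEntryPoint.setRealmName(securityProperties.getBasicRealm());

        // Anonymous wrapper that forwards every call to userAuthenticationFilter; it is
        // registered ahead of RequestHeaderAuthenticationFilter.
        httpSec.addFilterBefore(new Filter() {
            @Override
            public void init(final FilterConfig filterConfig) throws ServletException {
                userAuthenticationFilter.init(filterConfig);
            }

            @Override
            public void doFilter(final ServletRequest request, final ServletResponse response,
                    final FilterChain chain) throws IOException, ServletException {
                userAuthenticationFilter.doFilter(request, response, chain);
            }

            @Override
            public void destroy() {
                userAuthenticationFilter.destroy();
            }
        }, RequestHeaderAuthenticationFilter.class);
        httpSec.httpBasic().and().exceptionHandling().authenticationEntryPoint(basicAuthEntryPoint);
    }

    httpSec.addFilterAfter(
            new AuthenticationSuccessTenantMetadataCreationFilter(systemManagement, systemSecurityContext),
            SessionManagementFilter.class);

    // No anonymous principal and no HTTP session for this chain.
    httpSec.anonymous().disable();
    httpSec.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}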
 
Example 16
Source File: AtlasSecurityConfig.java    From incubator-atlas with Apache License 2.0 4 votes vote down vote up
/**
 * Configures the server's filter chain: authenticated access everywhere, session handling,
 * form login, logout, HTTP Basic, and the project's custom filters.
 *
 * @param httpSecurity the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
protected void configure(HttpSecurity httpSecurity) throws Exception {

        //@formatter:off
        httpSecurity
                .authorizeRequests().anyRequest().authenticated()
                .and()
                    // NOTE(review): all default security response headers are disabled here;
                    // confirm they are supplied elsewhere if they are needed.
                    .headers().disable()
                    .servletApi()
                .and()
                    // Spring's CSRF protection is off; csrfPreventionFilter is registered
                    // further down — presumably the project's replacement check, verify.
                    .csrf().disable()
                    // A session is always created, session ids never go into URLs, and a new
                    // session is started on authentication.
                    .sessionManagement()
                    .enableSessionUrlRewriting(false)
                    .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
                    .sessionFixation()
                    .newSession()
                .and()
                    .formLogin()
                        .loginPage("/login.jsp")
                        .loginProcessingUrl("/j_spring_security_check")
                        .successHandler(successHandler)
                        .failureHandler(failureHandler)
                        .usernameParameter("j_username")
                        .passwordParameter("j_password")
                .and()
                    .logout()
                        .logoutSuccessUrl("/login.jsp")
                        // The session cookie is removed on logout.
                        .deleteCookies("ATLASSESSIONID")
                        .logoutUrl("/logout.html")
                .and()
                    .httpBasic()
                    .authenticationEntryPoint(getDelegatingAuthenticationEntryPoint());
        //@formatter:on

        // ActiveServerFilter is only added when HA mode is switched on in the configuration.
        if (configuration.getBoolean("atlas.server.ha.enabled", false)) {
            LOG.info("Atlas is in HA Mode, enabling ActiveServerFilter");
            httpSecurity.addFilterAfter(activeServerFilter, BasicAuthenticationFilter.class);
        }
        // Registration order matters: csrfPreventionFilter is anchored to
        // AtlasAuthenticationFilter, which is registered on the line just before it.
        // atlasAuthorizationFilter runs after FilterSecurityInterceptor.
        httpSecurity
                .addFilterAfter(staleTransactionCleanupFilter, BasicAuthenticationFilter.class)
                .addFilterAfter(ssoAuthenticationFilter, BasicAuthenticationFilter.class)
                .addFilterAfter(atlasAuthenticationFilter, SecurityContextHolderAwareRequestFilter.class)
                .addFilterAfter(csrfPreventionFilter, AtlasAuthenticationFilter.class)
                .addFilterAfter(atlasAuthorizationFilter, FilterSecurityInterceptor.class);
    }
 
Example 17
Source File: ClientErrorLoggingConfigurer.java    From tutorials with MIT License 4 votes vote down vote up
/**
 * Registers a {@code ClientErrorLoggingFilter} for the configured {@code errorCodes} after
 * {@link FilterSecurityInterceptor}.
 *
 * @param http the security builder to configure
 * @throws Exception if the filter cannot be registered
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    ClientErrorLoggingFilter loggingFilter = new ClientErrorLoggingFilter(errorCodes);
    // Anchored after the authorization interceptor, i.e. late in the security chain.
    http.addFilterAfter(loggingFilter, FilterSecurityInterceptor.class);
}
 
Example 18
Source File: SecurityConfig.java    From para with Apache License 2.0 4 votes vote down vote up
/**
 * Registers every configured authentication filter after {@link BasicAuthenticationFilter}.
 * Each optional filter is skipped when its field is {@code null}; otherwise it receives the
 * result of {@code authenticationManager()} before being added. Filters are registered in
 * the order written here.
 *
 * @param http the security builder to add the filters to
 * @throws Exception if the authentication manager cannot be obtained or a filter is rejected
 */
private void registerAuthFilters(HttpSecurity http) throws Exception {
	// Password-based login.
	if (passwordFilter != null) {
		passwordFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(passwordFilter, BasicAuthenticationFilter.class);
	}

	// Passwordless login.
	if (passwordlessFilter != null) {
		passwordlessFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(passwordlessFilter, BasicAuthenticationFilter.class);
	}

	// OpenID and the individual social / identity-provider filters follow the same pattern.
	if (openidFilter != null) {
		openidFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(openidFilter, BasicAuthenticationFilter.class);
	}

	if (facebookFilter != null) {
		facebookFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(facebookFilter, BasicAuthenticationFilter.class);
	}

	if (googleFilter != null) {
		googleFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(googleFilter, BasicAuthenticationFilter.class);
	}

	if (linkedinFilter != null) {
		linkedinFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(linkedinFilter, BasicAuthenticationFilter.class);
	}

	if (twitterFilter != null) {
		twitterFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(twitterFilter, BasicAuthenticationFilter.class);
	}

	if (githubFilter != null) {
		githubFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(githubFilter, BasicAuthenticationFilter.class);
	}

	if (microsoftFilter != null) {
		microsoftFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(microsoftFilter, BasicAuthenticationFilter.class);
	}

	if (slackFilter != null) {
		slackFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(slackFilter, BasicAuthenticationFilter.class);
	}

	if (amazonFilter != null) {
		amazonFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(amazonFilter, BasicAuthenticationFilter.class);
	}

	// Generic OAuth 2 filter.
	if (oauth2Filter != null) {
		oauth2Filter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(oauth2Filter, BasicAuthenticationFilter.class);
	}

	// LDAP filter.
	if (ldapFilter != null) {
		ldapFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(ldapFilter, BasicAuthenticationFilter.class);
	}

	// SAML filter.
	if (samlFilter != null) {
		samlFilter.setAuthenticationManager(authenticationManager());
		http.addFilterAfter(samlFilter, BasicAuthenticationFilter.class);
	}

	// NOTE(review): unlike the filters above, samlMetaFilter is added without a null check and
	// without an authentication manager — confirm it is always initialised.
	http.addFilterAfter(samlMetaFilter, BasicAuthenticationFilter.class);
}
 
Example 19
Source File: SsoSecurityConfigurer.java    From spring-security-oauth2-boot with Apache License 2.0 4 votes vote down vote up
/**
 * Hands the builder's shared {@link SessionAuthenticationStrategy} to the SSO filter and
 * registers that filter after {@link AbstractPreAuthenticatedProcessingFilter}.
 *
 * @param builder the security builder to configure
 * @throws Exception if the filter cannot be registered
 */
@Override
public void configure(HttpSecurity builder) throws Exception {
	// Reuse the session strategy the builder already holds rather than creating another one.
	SessionAuthenticationStrategy sessionStrategy =
			builder.getSharedObject(SessionAuthenticationStrategy.class);
	this.filter.setSessionAuthenticationStrategy(sessionStrategy);
	builder.addFilterAfter(this.filter, AbstractPreAuthenticatedProcessingFilter.class);
}
 
Example 20
Source File: SecurityConfig.java    From ambari-logsearch with Apache License 2.0 4 votes vote down vote up
/**
 * Configures the filter chain: response-header writers, URL rules, HTTP Basic, a series of
 * project filters registered relative to one another, logout, and an optional log-level
 * filter.
 *
 * @param http the security builder to configure
 * @throws Exception if a configurer rejects the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
  http
    .headers()
      // A composite writer is given a flag that is true when the configured protocol is
      // "https", followed by the XSS, frame-options (DENY), content-type-options and
      // no-cache / no-store header writers.
      .addHeaderWriter(
        new LogSearchCompositeHeaderWriter("https".equals(logSearchHttpConfig.getProtocol()),
          new XXssProtectionHeaderWriter(),
          new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.DENY),
          new XContentTypeOptionsHeaderWriter(),
          new StaticHeadersWriter("Pragma", "no-cache"),
          new StaticHeadersWriter("Cache-Control", "no-store")))
    .and()
    // NOTE(review): CSRF protection is disabled while HTTP Basic and a logout that deletes
    // cookies are configured — confirm cookie-backed requests cannot be forged cross-site.
    .csrf().disable()
    .authorizeRequests()
      // Requests selected by requestMatcher() are public; everything else needs role USER.
      .requestMatchers(requestMatcher())
        .permitAll()
      .antMatchers("/**")
        .hasRole("USER")
    .and()
    .authenticationProvider(logsearchAuthenticationProvider())
    .httpBasic()
      .authenticationEntryPoint(logsearchAuthenticationEntryPoint())
    .and()
    // Filter registration is order-sensitive: several calls below anchor to a project filter
    // class that is registered by an earlier call in this chain.
    .addFilterBefore(logsearchTrustedProxyFilter(), BasicAuthenticationFilter.class)
    .addFilterAfter(logsearchKRBAuthenticationFilter(), LogsearchTrustedProxyFilter.class)
    .addFilterBefore(logsearchUsernamePasswordAuthenticationFilter(), LogsearchKRBAuthenticationFilter.class)
    .addFilterAfter(securityContextFormationFilter(), FilterSecurityInterceptor.class)
    .addFilterAfter(logsearchMetadataFilter(), LogsearchSecurityContextFormationFilter.class)
    .addFilterAfter(logsearchAuditLogFilter(), LogsearchSecurityContextFormationFilter.class)
    .addFilterAfter(logsearchServiceLogFilter(), LogsearchSecurityContextFormationFilter.class)
    .addFilterAfter(logSearchConfigStateFilter(), LogsearchSecurityContextFormationFilter.class)
    .addFilterBefore(logsearchCorsFilter(), LogsearchSecurityContextFormationFilter.class)
    .addFilterBefore(logsearchJwtFilter(), LogsearchSecurityContextFormationFilter.class)
    .logout()
      .logoutUrl("/logout")
      .deleteCookies(getCookies())
      .logoutSuccessHandler(new LogsearchLogoutSuccessHandler());

  // The log-level filter manager is added only when filter storage (Solr or ZooKeeper) is
  // in use and the config API is not enabled.
  if ((logSearchConfigApiConfig.isSolrFilterStorage() || logSearchConfigApiConfig.isZkFilterStorage())
          && !logSearchConfigApiConfig.isConfigApiEnabled())
    http.addFilterAfter(logSearchLogLevelFilterManagerFilter(), LogsearchSecurityContextFormationFilter.class);
}