Java Code Examples for org.springframework.security.config.annotation.web.builders.httpsecurity#anonymous()

The following examples show how to use org.springframework.security.config.annotation.web.builders.HttpSecurity#anonymous().
Example 1
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
     * HTTP Security configuration
     *
     * <pre><http auto-config="true"></pre> is equivalent to:
     * <pre>
     *  <http>
     *      <form-login />
     *      <http-basic />
     *      <logout />
     *  </http>
     * </pre>
     *
     * Which is equivalent to the following JavaConfig:
     *
     * <pre>
     *     http.formLogin()
     *          .and().httpBasic()
     *          .and().logout();
     * </pre>
     *
     * @param http HttpSecurity configuration.
     * @throws Exception Authentication configuration exception
     *
     * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
     *     Spring Security 3 to 4 migration</a>
     */
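    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Sets up URL authorization, form login, logout and response headers for the sample app.

        // Matching: rules are checked in declaration order and the first match wins.
        http.authorizeRequests()
                // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
                // permitAll() makes the H2 web console reachable without authentication;
                // remove or restrict this rule outside a local demo.
                .antMatchers("/admin/h2/**").permitAll()

                .antMatchers("/").permitAll()
                .antMatchers("/login/*").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/signup/*").permitAll()
                .antMatchers("/errors/**").permitAll()
                // NOTE(review): "/admin/*" covers a single path segment; deeper paths such as
                // /admin/a/b fall through to "/**" and need only USER. Use "/admin/**" if every
                // admin path must require ADMIN.
                .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
//                .antMatchers("/events/").hasRole("ADMIN")
                .antMatchers("/**").hasRole("USER");

        // Login
        http.formLogin()
                .loginPage("/login/form")
                .loginProcessingUrl("/login")
                .failureUrl("/login/form?error")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/default", true)
                .permitAll();

        // Logout: drop the session cookie and invalidate the server-side session.
        http.logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
                .permitAll();

        // Anonymous: no customisation is applied, so unauthenticated requests keep the
        // framework's default anonymous authentication.
        http.anonymous();

        // Java Config enables CSRF protection by default; this line turns it off for the whole
        // application, so every state-changing request is accepted without a CSRF token.
        // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on
        // and exempt just the H2 console path if that console is needed.
        http.csrf().disable();

        // Exception Handling
        http.exceptionHandling()
                .accessDeniedPage("/errors/403")
        ;

        // SSL / TLS x509 support
        /*http.x509()
                .userDetailsService(calendarUserDetailsService)
//                .x509AuthenticationFilter(x509Filter())
        ;*/

        // The H2 web console renders in frames served by this same application, so allowing
        // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
        // site frame every page of the app (clickjacking).
        http.headers().frameOptions().sameOrigin();
    }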
 
Example 2
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
 * HTTP Security configuration
 *
 * <pre><http auto-config="true"></pre> is equivalent to:
 * <pre>
 *  <http>
 *      <form-login />
 *      <http-basic />
 *      <logout />
 *  </http>
 * </pre>
 *
 * Which is equivalent to the following JavaConfig:
 *
 * <pre>
 *     http.formLogin()
 *          .and().httpBasic()
 *          .and().logout();
 * </pre>
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 *
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *     Spring Security 3 to 4 migration</a>
 */
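@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Sets up URL authorization, the CAS filters, logout and response headers for the sample app.

    // Matching: rules are checked in declaration order and the first match wins.
    http.authorizeRequests()
            // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
            // permitAll() makes the H2 web console reachable without authentication;
            // remove or restrict this rule outside a local demo.
            .antMatchers("/admin/h2/**").permitAll()

            .antMatchers("/").permitAll()
            .antMatchers("/login/*").permitAll()
            .antMatchers("/logout").permitAll()
            .antMatchers("/signup/*").permitAll()
            .antMatchers("/errors/**").permitAll()
            // NOTE(review): "/admin/*" covers a single path segment; deeper paths such as
            // /admin/a/b fall through to "/**" and need only USER. Use "/admin/**" if every
            // admin path must require ADMIN.
            .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
            .antMatchers("/events/").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");

    // Registers casFilter at the CasAuthenticationFilter position in the filter chain.
    http.addFilterAt(casFilter, CasAuthenticationFilter.class);

    // Registers singleSignOutFilter ahead of LogoutFilter.
    http.addFilterBefore(singleSignOutFilter, LogoutFilter.class);

    // Logout: after local logout the browser is sent to the configured CAS logout URL.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl(casServerLogout)
            .permitAll();

    // Anonymous: no customisation is applied, so unauthenticated requests keep the
    // framework's default anonymous authentication.
    http.anonymous();

    // Java Config enables CSRF protection by default; this line turns it off for the whole
    // application, so every state-changing request is accepted without a CSRF token.
    // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on
    // and exempt just the H2 console path if that console is needed.
    http.csrf().disable();


    // Exception Handling: unauthenticated requests are handed to the CAS entry point.
    http.exceptionHandling()
            .authenticationEntryPoint(casAuthenticationEntryPoint)
            .accessDeniedPage("/errors/403")
    ;


    // The H2 web console renders in frames served by this same application, so allowing
    // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
    // site frame every page of the app (clickjacking).
    http.headers().frameOptions().sameOrigin();
}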
 
Example 3
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
     * HTTP Security configuration
     *
     * <pre><http auto-config="true"></pre> is equivalent to:
     * <pre>
     *  <http>
     *      <form-login />
     *      <http-basic />
     *      <logout />
     *  </http>
     * </pre>
     *
     * Which is equivalent to the following JavaConfig:
     *
     * <pre>
     *     http.formLogin()
     *          .and().httpBasic()
     *          .and().logout();
     * </pre>
     *
     * @param http HttpSecurity configuration.
     * @throws Exception Authentication configuration exception
     *
     * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
     *     Spring Security 3 to 4 migration</a>
     */
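    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Sets up URL authorization, form login, session handling, logout, remember-me and
        // response headers for the sample app.

        // Rules are checked in declaration order and the first match wins.
        http.authorizeRequests()
                // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
                // permitAll() makes the H2 web console reachable without authentication;
                // remove or restrict this rule outside a local demo.
                .antMatchers("/admin/h2/**").permitAll()

                .antMatchers("/").permitAll()
                .antMatchers("/login/*").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/signup/*").permitAll()
                .antMatchers("/errors/**").permitAll()
                // NOTE(review): "/admin/*" covers a single path segment; deeper paths such as
                // /admin/a/b fall through to "/**" and need only USER. Use "/admin/**" if every
                // admin path must require ADMIN.
                .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
                .antMatchers("/events/").hasRole("ADMIN")
                .antMatchers("/**").hasRole("USER");

        http.formLogin()
                .loginPage("/login/form")
                .loginProcessingUrl("/login")
                .failureUrl("/login/form?error")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/default", true)
                .permitAll();


        // Session Management
        // NOTE(review): none() switches off session-fixation protection, so the session id
        // issued before login stays valid after authentication. The framework default issues
        // a new session id at login; keep none() only for a demonstration.
        http.sessionManagement().sessionFixation().none();

        // Logout: drop the session cookie and invalidate the server-side session.
        http.logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
                .permitAll();

        // No customisation is applied, so unauthenticated requests keep the framework's
        // default anonymous authentication.
        http.anonymous();

        // Java Config enables CSRF protection by default; this line turns it off for the whole
        // application, so every state-changing request is accepted without a CSRF token.
        // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on
        // and exempt just the H2 console path if that console is needed.
        http.csrf().disable();

        // Exception Handling
        http.exceptionHandling().accessDeniedPage("/errors/403");

        // remember me configuration
        // NOTE(review): the key takes part in signing remember-me tokens; a constant committed
        // to source is identical in every deployment. Load it from external configuration.
        http.rememberMe()
                .key("jbcpCalendar")
//                .rememberMeParameter("obscure-remember-me")
//                .rememberMeCookieName("obscure-remember-me")
//                .rememberMeServices(rememberMeServices)
        ;

        // The H2 web console renders in frames served by this same application, so allowing
        // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
        // site frame every page of the app (clickjacking).
        http.headers().frameOptions().sameOrigin();
    }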
 
Example 4
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
 * HTTP Security configuration
 *
 * <pre><http auto-config="true"></pre> is equivalent to:
 * <pre>
 *  <http>
 *      <form-login />
 *      <http-basic />
 *      <logout />
 *  </http>
 * </pre>
 *
 * Which is equivalent to the following JavaConfig:
 *
 * <pre>
 *     http.formLogin()
 *          .and().httpBasic()
 *          .and().logout();
 * </pre>
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 *
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *     Spring Security 3 to 4 migration</a>
 */
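@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Sets up URL authorization, the CAS filters, logout and response headers for the sample app.

    // Matching: rules are checked in declaration order and the first match wins.
    http.authorizeRequests()
            // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
            // permitAll() makes the H2 web console reachable without authentication;
            // remove or restrict this rule outside a local demo.
            .antMatchers("/admin/h2/**").permitAll()

            .antMatchers("/").permitAll()
            .antMatchers("/login/*").permitAll()
            .antMatchers("/logout").permitAll()
            .antMatchers("/signup/*").permitAll()
            .antMatchers("/errors/**").permitAll()
            // NOTE(review): "/admin/*" covers a single path segment; deeper paths such as
            // /admin/a/b fall through to "/**" and need only USER. Use "/admin/**" if every
            // admin path must require ADMIN.
            .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
            .antMatchers("/events/").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");

    // Registers casFilter at the CasAuthenticationFilter position in the filter chain.
    http.addFilterAt(casFilter, CasAuthenticationFilter.class);

    // Registers singleSignOutFilter ahead of LogoutFilter.
    http.addFilterBefore(singleSignOutFilter, LogoutFilter.class);

    // Logout: after local logout the browser is sent to the configured CAS logout URL.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl(casServerLogout)
            .permitAll();

    // Anonymous: no customisation is applied, so unauthenticated requests keep the
    // framework's default anonymous authentication.
    http.anonymous();

    // Java Config enables CSRF protection by default; this line turns it off for the whole
    // application, so every state-changing request is accepted without a CSRF token.
    // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on
    // and exempt just the H2 console path if that console is needed.
    http.csrf().disable();


    // Exception Handling: unauthenticated requests are handed to the CAS entry point.
    http.exceptionHandling()
            .authenticationEntryPoint(casAuthenticationEntryPoint)
            .accessDeniedPage("/errors/403")
    ;


    // The H2 web console renders in frames served by this same application, so allowing
    // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
    // site frame every page of the app (clickjacking).
    http.headers().frameOptions().sameOrigin();
}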
 
Example 5
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
 * HTTP Security configuration
 *
 * <pre><http auto-config="true"></pre> is equivalent to:
 * <pre>
 *  <http>
 *      <form-login />
 *      <http-basic />
 *      <logout />
 *  </http>
 * </pre>
 *
 * Which is equivalent to the following JavaConfig:
 *
 * <pre>
 *     http.formLogin()
 *          .and().httpBasic()
 *          .and().logout();
 * </pre>
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 *
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *     Spring Security 3 to 4 migration</a>
 */
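@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Sets up URL authorization, logout, the CAS filter and response headers for the sample
    // app; the form-login block is left commented out.

    // Matching: rules are checked in declaration order and the first match wins.
    http.authorizeRequests()
            // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
            // permitAll() makes the H2 web console reachable without authentication;
            // remove or restrict this rule outside a local demo.
            .antMatchers("/admin/h2/**").permitAll()

            .antMatchers("/").permitAll()
            .antMatchers("/login/*").permitAll()
            .antMatchers("/logout").permitAll()
            .antMatchers("/signup/*").permitAll()
            .antMatchers("/errors/**").permitAll()
            // NOTE(review): "/admin/*" covers a single path segment; deeper paths such as
            // /admin/a/b fall through to "/**" and need only USER. Use "/admin/**" if every
            // admin path must require ADMIN.
            .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
            .antMatchers("/events/").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");

    // Login
    /*http.formLogin()
            .loginPage("/login/form")
            .loginProcessingUrl("/login")
            .failureUrl("/login/form?error")
            .usernameParameter("username")
            .passwordParameter("password")
            .defaultSuccessUrl("/default", true)
            .permitAll();*/

    // Logout: drop the session cookie and invalidate the server-side session.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login/form?logout")
            .deleteCookies("JSESSIONID").invalidateHttpSession(true)
            .permitAll();

    // Anonymous: no customisation is applied, so unauthenticated requests keep the
    // framework's default anonymous authentication.
    http.anonymous();

    // Java Config enables CSRF protection by default; this line turns it off for the whole
    // application, so every state-changing request is accepted without a CSRF token.
    // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on
    // and exempt just the H2 console path if that console is needed.
    http.csrf().disable();

    // Registers casFilter at the CasAuthenticationFilter position in the filter chain.
    http.addFilterAt(casFilter, CasAuthenticationFilter.class);

    // Exception Handling: unauthenticated requests are handed to the CAS entry point.
    http.exceptionHandling()
            .authenticationEntryPoint(casAuthenticationEntryPoint)
            .accessDeniedPage("/errors/403")
    ;


    // The H2 web console renders in frames served by this same application, so allowing
    // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
    // site frame every page of the app (clickjacking).
    http.headers().frameOptions().sameOrigin();
}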
 
Example 6
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
 * HTTP Security configuration
 *
 * <pre><http auto-config="true"></pre> is equivalent to:
 * <pre>
 *  <http>
 *      <form-login />
 *      <http-basic />
 *      <logout />
 *  </http>
 * </pre>
 *
 * Which is equivalent to the following JavaConfig:
 *
 * <pre>
 *     http.formLogin()
 *          .and().httpBasic()
 *          .and().logout();
 * </pre>
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 *
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *     Spring Security 3 to 4 migration</a>
 */
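@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Sets up URL authorization, form login, logout and response headers for the sample app.

    // Matching: rules are checked in declaration order and the first match wins.
    http.authorizeRequests()
            // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
            // permitAll() makes the H2 web console reachable without authentication;
            // remove or restrict this rule outside a local demo.
            .antMatchers("/admin/h2/**").permitAll()

            .antMatchers("/").permitAll()
            .antMatchers("/login/*").permitAll()
            .antMatchers("/logout").permitAll()
            .antMatchers("/signup/*").permitAll()
            .antMatchers("/errors/**").permitAll()
            // NOTE(review): "/admin/*" covers a single path segment; deeper paths such as
            // /admin/a/b fall through to "/**" and need only USER. Use "/admin/**" if every
            // admin path must require ADMIN.
            .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
            .antMatchers("/events/").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");

    // Login
    http.formLogin()
            .loginPage("/login/form")
            .loginProcessingUrl("/login")
            .failureUrl("/login/form?error")
            .usernameParameter("username")
            .passwordParameter("password")
            .defaultSuccessUrl("/default", true)
            .permitAll();

    // Logout: drop the session cookie and invalidate the server-side session.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login/form?logout")
            .deleteCookies("JSESSIONID").invalidateHttpSession(true)
            .permitAll();

    // Anonymous: no customisation is applied, so unauthenticated requests keep the
    // framework's default anonymous authentication.
    http.anonymous();

    // Java Config enables CSRF protection by default; this line turns it off for the whole
    // application, so every state-changing request is accepted without a CSRF token.
    // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on
    // and exempt just the H2 console path if that console is needed.
    http.csrf().disable();

    // Exception Handling
    http.exceptionHandling()
            .accessDeniedPage("/errors/403")
    ;


    // The H2 web console renders in frames served by this same application, so allowing
    // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
    // site frame every page of the app (clickjacking).
    http.headers().frameOptions().sameOrigin();
}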
 
Example 7
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
 * HTTP Security configuration
 *
 * <pre><http auto-config="true"></pre> is equivalent to:
 * <pre>
 *  <http>
 *      <form-login />
 *      <http-basic />
 *      <logout />
 *  </http>
 * </pre>
 *
 * Which is equivalent to the following JavaConfig:
 *
 * <pre>
 *     http.formLogin()
 *          .and().httpBasic()
 *          .and().logout();
 * </pre>
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 *
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *     Spring Security 3 to 4 migration</a>
 */
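@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Sets up URL authorization, the CAS filters, logout and response headers for the sample app.

    // Matching: rules are checked in declaration order and the first match wins.
    http.authorizeRequests()
            // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
            // permitAll() makes the H2 web console reachable without authentication;
            // remove or restrict this rule outside a local demo.
            .antMatchers("/admin/h2/**").permitAll()

            .antMatchers("/").permitAll()
            .antMatchers("/login/*").permitAll()
            .antMatchers("/logout").permitAll()
            .antMatchers("/signup/*").permitAll()
            .antMatchers("/errors/**").permitAll()
            // NOTE(review): "/admin/*" covers a single path segment; deeper paths such as
            // /admin/a/b fall through to "/**" and need only USER. Use "/admin/**" if every
            // admin path must require ADMIN.
            .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
            .antMatchers("/events/").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");

    // Registers casFilter at the CasAuthenticationFilter position in the filter chain.
    http.addFilterAt(casFilter, CasAuthenticationFilter.class);

    // Registers singleSignOutFilter ahead of LogoutFilter.
    http.addFilterBefore(singleSignOutFilter, LogoutFilter.class);

    // Logout: after local logout the browser is sent to the configured CAS logout URL.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl(casServerLogout)
            .permitAll();

    // Anonymous: no customisation is applied, so unauthenticated requests keep the
    // framework's default anonymous authentication.
    http.anonymous();

    // Java Config enables CSRF protection by default; this line turns it off for the whole
    // application, so every state-changing request is accepted without a CSRF token.
    // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on
    // and exempt just the H2 console path if that console is needed.
    http.csrf().disable();


    // Exception Handling: unauthenticated requests are handed to the CAS entry point.
    http.exceptionHandling()
            .authenticationEntryPoint(casAuthenticationEntryPoint)
            .accessDeniedPage("/errors/403")
    ;


    // The H2 web console renders in frames served by this same application, so allowing
    // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
    // site frame every page of the app (clickjacking).
    http.headers().frameOptions().sameOrigin();
}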
 
Example 8
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
 * HTTP Security configuration
 *
 * <pre><http auto-config="true"></pre> is equivalent to:
 * <pre>
 *  <http>
 *      <form-login />
 *      <http-basic />
 *      <logout />
 *  </http>
 * </pre>
 *
 * Which is equivalent to the following JavaConfig:
 *
 * <pre>
 *     http.formLogin()
 *          .and().httpBasic()
 *          .and().logout();
 * </pre>
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 *
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *     Spring Security 3 to 4 migration</a>
 */
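@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Requires authentication for every request through a custom access decision manager,
    // then sets up form login, logout and response headers for the sample app.

    // Access Decision Manager: every request must be authenticated, and the authorization
    // decision is delegated to the injected accessDecisionManager.
    http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .accessDecisionManager(accessDecisionManager)
    ;

    // Matching
    /*http.authorizeRequests()
            // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
            .antMatchers("/admin/h2/**").permitAll()

            .antMatchers("/").permitAll()
            .antMatchers("/login/*").permitAll()
            .antMatchers("/logout").permitAll()
            .antMatchers("/signup/*").permitAll()
            .antMatchers("/errors/**").permitAll()
            .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
            .antMatchers("/events/").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");*/

    //<expression-handler ref="customWebSecurityExpressionHandler"/>

    // Login
    http.formLogin()
            .loginPage("/login/form")
            .loginProcessingUrl("/login")
            .failureUrl("/login/form?error")
            .usernameParameter("username")
            .passwordParameter("password")
            .defaultSuccessUrl("/default", true)
            .permitAll();

    // Logout: drop the session cookie and invalidate the server-side session.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
            .permitAll();

    // Anonymous: no customisation is applied, so unauthenticated requests keep the
    // framework's default anonymous authentication.
    http.anonymous();

    // Java Config enables CSRF protection by default; this line turns it off for the whole
    // application, so every state-changing request is accepted without a CSRF token.
    // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on
    // and exempt just the H2 console path if that console is needed.
    http.csrf().disable();

    // Exception Handling
    http.exceptionHandling()
            .accessDeniedPage("/errors/403")
    ;

    // The H2 web console renders in frames served by this same application, so allowing
    // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
    // site frame every page of the app (clickjacking).
    http.headers().frameOptions().sameOrigin();
}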
 
Example 9
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
     * HTTP Security configuration
     *
     * <pre><http auto-config="true"></pre> is equivalent to:
     * <pre>
     *  <http>
     *      <form-login />
     *      <http-basic />
     *      <logout />
     *  </http>
     * </pre>
     *
     * Which is equivalent to the following JavaConfig:
     *
     * <pre>
     *     http.formLogin()
     *          .and().httpBasic()
     *          .and().logout();
     * </pre>
     *
     * @param http HttpSecurity configuration.
     * @throws Exception Authentication configuration exception
     *
     * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
     *     Spring Security 3 to 4 migration</a>
     */
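    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Sets up URL authorization, form login, logout and response headers for the sample app.

        // Matching: rules are checked in declaration order and the first match wins.
        http.authorizeRequests()
                // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
                // permitAll() makes the H2 web console reachable without authentication;
                // remove or restrict this rule outside a local demo.
                .antMatchers("/admin/h2/**").permitAll()

                .antMatchers("/").permitAll()
                .antMatchers("/login/*").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/signup/*").permitAll()
                .antMatchers("/errors/**").permitAll()
                // NOTE(review): "/admin/*" covers a single path segment; deeper paths such as
                // /admin/a/b fall through to "/**" and need only USER. Use "/admin/**" if every
                // admin path must require ADMIN.
                .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
                .antMatchers("/events/").hasRole("ADMIN")
                .antMatchers("/**").hasRole("USER");

        // Login
        http.formLogin()
                .loginPage("/login/form")
                .loginProcessingUrl("/login")
                .failureUrl("/login/form?error")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/default", true)
                .permitAll();

        // Logout: drop the session cookie and invalidate the server-side session.
        http.logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
                .permitAll();

        // Anonymous: no customisation is applied, so unauthenticated requests keep the
        // framework's default anonymous authentication.
        http.anonymous();

        // Java Config enables CSRF protection by default; this line turns it off for the whole
        // application, so every state-changing request is accepted without a CSRF token.
        // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on
        // and exempt just the H2 console path if that console is needed.
        http.csrf().disable();

        // Exception Handling
        http.exceptionHandling()
                .accessDeniedPage("/errors/403")
        ;

        // SSL / TLS x509 support
        /*http.x509()
                .userDetailsService(calendarUserDetailsService)
//                .x509AuthenticationFilter(x509Filter())
        ;*/

        // The H2 web console renders in frames served by this same application, so allowing
        // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
        // site frame every page of the app (clickjacking).
        http.headers().frameOptions().sameOrigin();
    }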
 
Example 10
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
     * HTTP Security configuration
     *
     * <pre><http auto-config="true"></pre> is equivalent to:
     * <pre>
     *  <http>
     *      <form-login />
     *      <http-basic />
     *      <logout />
     *  </http>
     * </pre>
     *
     * Which is equivalent to the following JavaConfig:
     *
     * <pre>
     *     http.formLogin()
     *          .and().httpBasic()
     *          .and().logout();
     * </pre>
     *
     * @param http HttpSecurity configuration.
     * @throws Exception Authentication configuration exception
     *
     * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
     *     Spring Security 3 to 4 migration</a>
     */
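    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Sets up URL authorization, form login, logout, remember-me, X.509 client
        // authentication and response headers for the sample app.

        // Matching: rules are checked in declaration order and the first match wins.
        http.authorizeRequests()
                // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
                // permitAll() makes the H2 web console reachable without authentication;
                // remove or restrict this rule outside a local demo.
                .antMatchers("/admin/h2/**").permitAll()

                .antMatchers("/").permitAll()
                .antMatchers("/login/*").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/signup/*").permitAll()
                .antMatchers("/errors/**").permitAll()
                // NOTE(review): "/admin/*" covers a single path segment; deeper paths such as
                // /admin/a/b fall through to "/**" and need only USER. Use "/admin/**" if every
                // admin path must require ADMIN.
                .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
                .antMatchers("/events/").hasRole("ADMIN")
                .antMatchers("/**").hasRole("USER");

        // Login
        http.formLogin()
                .loginPage("/login/form")
                .loginProcessingUrl("/login")
                .failureUrl("/login/form?error")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/default", true)
                .permitAll();

        // Logout
        http.logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login/form?logout")
                .permitAll();

        // Anonymous: no customisation is applied, so unauthenticated requests keep the
        // framework's default anonymous authentication.
        http.anonymous();

        // Java Config enables CSRF protection by default; this line turns it off for the whole
        // application, so every state-changing request is accepted without a CSRF token.
        // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on
        // and exempt just the H2 console path if that console is needed.
        http.csrf().disable();

        // Exception Handling
        http.exceptionHandling().accessDeniedPage("/errors/403");

        // remember me configuration
        // NOTE(review): the key takes part in validating remember-me tokens; a constant
        // committed to source is identical in every deployment. Load it from external
        // configuration, and keep it in step with the injected rememberMeServices.
        http.rememberMe()
                .key("jbcpCalendar")
//                .rememberMeParameter("obscure-remember-me")
//                .rememberMeCookieName("obscure-remember-me")
                .rememberMeServices(rememberMeServices);

        // SSL / TLS x509 support: users presented by client certificate are loaded through
        // the injected userDetailsService.
        http.x509().userDetailsService(userDetailsService);

        // The H2 web console renders in frames served by this same application, so allowing
        // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
        // site frame every page of the app (clickjacking).
        http.headers().frameOptions().sameOrigin();
    }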
 
Example 11
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
 * HTTP Security configuration
 *
 * <pre><http auto-config="true"></pre> is equivalent to:
 * <pre>
 *  <http>
 *      <form-login />
 *      <http-basic />
 *      <logout />
 *  </http>
 * </pre>
 *
 * Which is equivalent to the following JavaConfig:
 *
 * <pre>
 *     http.formLogin()
 *          .and().httpBasic()
 *          .and().logout();
 * </pre>
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 *
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *     Spring Security 3 to 4 migration</a>
 */
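@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Sets up URL authorization, request caching, session policy, form login, logout and
    // response headers for the sample app.

    // Matching: rules are checked in declaration order and the first match wins.
    http.authorizeRequests()
            // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
            // permitAll() makes the H2 web console reachable without authentication;
            // remove or restrict this rule outside a local demo.
            .antMatchers("/admin/h2/**").permitAll()

            .antMatchers("/", "/favicon*").permitAll()
            .antMatchers("/login/*").permitAll()
            .antMatchers("/logout").permitAll()
            .antMatchers("/signin/**").permitAll()
            .antMatchers("/signup/*").permitAll()
            .antMatchers("/errors/**").permitAll()
            // NOTE(review): "/admin/*" covers a single path segment; deeper paths such as
            // /admin/a/b fall through to "/**" and need only USER. Use "/admin/**" if every
            // admin path must require ADMIN.
            .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
            .antMatchers("/events/").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");

    // NullRequestCache: the originally requested URL is not saved across the login redirect.
    http.requestCache().requestCache(new NullRequestCache());

    // A session is created only when one is needed.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);

    // Login
    http.formLogin()
            .loginPage("/login/form")
            .loginProcessingUrl("/login")
            .failureUrl("/login/form?error")
            .usernameParameter("username")
            .passwordParameter("password")
            .defaultSuccessUrl("/default", true)
            .permitAll();

    // Logout: drop the session cookie and invalidate the server-side session.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
            .permitAll();

    // Anonymous: no customisation is applied, so unauthenticated requests keep the
    // framework's default anonymous authentication.
    http.anonymous();

    // Java Config enables CSRF protection by default; this line turns it off for the whole
    // application, so every state-changing request is accepted without a CSRF token.
    // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on
    // and exempt just the H2 console path if that console is needed.
    http.csrf().disable();

    // Exception Handling
    http.exceptionHandling()
            .accessDeniedPage("/errors/403")
    ;

    // The H2 web console renders in frames served by this same application, so allowing
    // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
    // site frame every page of the app (clickjacking).
    http.headers().frameOptions().sameOrigin();
}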
 
Example 12
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
 * HTTP Security configuration
 *
 * <pre><http auto-config="true"></pre> is equivalent to:
 * <pre>
 *  <http>
 *      <form-login />
 *      <http-basic />
 *      <logout />
 *  </http>
 * </pre>
 *
 * Which is equivalent to the following JavaConfig:
 *
 * <pre>
 *     http.formLogin()
 *          .and().httpBasic()
 *          .and().logout();
 * </pre>
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 *
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *     Spring Security 3 to 4 migration</a>
 */
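@Override
protected void configure(final HttpSecurity http) throws Exception {
    // Sets up URL authorization, form login, logout and response headers for the sample app.

    // Matching: rules are checked in declaration order and the first match wins.
    http.authorizeRequests()
            // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
            // permitAll() makes the H2 web console reachable without authentication;
            // remove or restrict this rule outside a local demo.
            .antMatchers("/admin/h2/**").permitAll()

            .antMatchers("/").permitAll()
            .antMatchers("/login/*").permitAll()
            .antMatchers("/logout").permitAll()
            .antMatchers("/signup/*").permitAll()
            .antMatchers("/errors/**").permitAll()
            // NOTE(review): "/admin/*" covers a single path segment; deeper paths such as
            // /admin/a/b fall through to "/**" and need only USER. Use "/admin/**" if every
            // admin path must require ADMIN.
            .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
            .antMatchers("/events/").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");

    // Login
    http.formLogin()
            .loginPage("/login/form")
            .loginProcessingUrl("/login")
            .failureUrl("/login/form?error")
            .usernameParameter("username")
            .passwordParameter("password")
            .defaultSuccessUrl("/default", true)
            .permitAll();

    // Logout: drop the session cookie and invalidate the server-side session.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
            .permitAll();

    // Anonymous: no customisation is applied, so unauthenticated requests keep the
    // framework's default anonymous authentication.
    http.anonymous();

    // Java Config enables CSRF protection by default; this line turns it off for the whole
    // application, so every state-changing request is accepted without a CSRF token.
    // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on
    // and exempt just the H2 console path if that console is needed.
    http.csrf().disable();

    // Exception Handling
    http.exceptionHandling()
            .accessDeniedPage("/errors/403")
    ;

    // The H2 web console renders in frames served by this same application, so allowing
    // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
    // site frame every page of the app (clickjacking).
    http.headers().frameOptions().sameOrigin();
}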
 
Example 13
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
     * HTTP Security configuration
     *
     * <pre><http auto-config="true"></pre> is equivalent to:
     * <pre>
     *  <http>
     *      <form-login />
     *      <http-basic />
     *      <logout />
     *  </http>
     * </pre>
     *
     * Which is equivalent to the following JavaConfig:
     *
     * <pre>
     *     http.formLogin()
     *          .and().httpBasic()
     *          .and().logout();
     * </pre>
     *
     * @param http HttpSecurity configuration.
     * @throws Exception Authentication configuration exception
     *
     * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
     *     Spring Security 3 to 4 migration</a>
     */
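    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Sets up a custom expression handler, URL authorization, form login, logout,
        // remember-me and response headers for the sample app.

        // Security expressions in the rules below are evaluated by the injected handler.
        http.authorizeRequests()
                .expressionHandler(webSecurityExpressionHandler);

        // Matching: rules are checked in declaration order and the first match wins.
        http.authorizeRequests()
                // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
//                .antMatchers("/admin/h2/**").permitAll()

                .antMatchers("/").permitAll()
                .antMatchers("/login/*").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/signup/*").permitAll()
                .antMatchers("/errors/**").permitAll()
                // NOTE(review): "/admin/*" covers a single path segment; deeper paths such as
                // /admin/a/b fall through to "/**" and need only USER. Use "/admin/**" if every
                // admin path must require ADMIN.
                .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
                // NOTE: "/events/" is now protected by ACL:
//                .antMatchers("/events/").hasRole("ADMIN")
                .antMatchers("/**").hasRole("USER");

        // Login
        http.formLogin()
                .loginPage("/login/form")
                .loginProcessingUrl("/login")
                .failureUrl("/login/form?error")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/default", true)
                .permitAll();

        // Logout: drop the session cookie and invalidate the server-side session.
        http.logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
                .permitAll();

        // remember me configuration
        // NOTE(review): the key takes part in signing remember-me tokens; a constant committed
        // to source is identical in every deployment. Load it from external configuration.
        http.rememberMe().key("jbcpCalendar"); //.rememberMeParameter("_spring_security_remember_me");

        // Anonymous: no customisation is applied, so unauthenticated requests keep the
        // framework's default anonymous authentication.
        http.anonymous();

        // Java Config enables CSRF protection by default; this line turns it off for the whole
        // application, so every state-changing request is accepted without a CSRF token.
        // NOTE(review): tolerable for the sample only; a real deployment should keep CSRF on.
        http.csrf().disable();

        // Exception Handling
        http.exceptionHandling()
//                .authenticationEntryPoint(forbiddenEntryPoint)
                .accessDeniedPage("/errors/403")
        ;

        // The H2 web console renders in frames served by this same application, so allowing
        // same-origin framing is enough. Disabling X-Frame-Options altogether would let any
        // site frame every page of the app (clickjacking).
        http.headers().frameOptions().sameOrigin();
    }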
 
Example 14
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License
/**
     * HTTP Security configuration
     *
     * <pre><http auto-config="true"></pre> is equivalent to:
     * <pre>
     *  <http>
     *      <form-login />
     *      <http-basic />
     *      <logout />
     *  </http>
     * </pre>
     *
     * Which is equivalent to the following JavaConfig:
     *
     * <pre>
     *     http.formLogin()
     *          .and().httpBasic()
     *          .and().logout();
     * </pre>
     *
     * @param http HttpSecurity configuration.
     * @throws Exception Authentication configuration exception
     *
     * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
     *     Spring Security 3 to 4 migration</a>
     */
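    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // URL authorization. Rules are checked in declaration order and the first
        // matching pattern decides, so specific paths must stay above "/**".
        http.authorizeRequests()
//                .expressionHandler(expressionHandler)

                // The open H2 console rule stays disabled in this variant
                // (it was marked "NOT FOR PRODUCTION USE EVER").
//                .antMatchers("/admin/h2/**").permitAll()

                .antMatchers("/").permitAll()
                .antMatchers("/login/*").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/signup/*").permitAll()
                .antMatchers("/errors/**").permitAll()
                // NOTE(review): "/admin/*" covers one path segment only; deeper paths
                // such as "/admin/a/b" are decided by the "/**" rule (ROLE_USER).
                // Use "/admin/**" if the whole subtree is meant to be admin-only.
                .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
                // NOTE: "/events/" is now protected by ACL:
//                .antMatchers("/events/").hasRole("ADMIN")
                .antMatchers("/**").hasRole("USER");

        // Form login: custom login page, always redirect to "/default" on success.
        http.formLogin()
                .loginPage("/login/form")
                .loginProcessingUrl("/login")
                .failureUrl("/login/form?error")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/default", true)
                .permitAll();

        // Logout: drop the session and its cookie, then return to the login form.
        http.logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
                .permitAll();

        // Remember-me.
        // NOTE(review): the key is part of the remember-me token signature and is
        // hard-coded here; load it from configuration kept out of source control.
        http.rememberMe().key("jbcpCalendar"); //.rememberMeParameter("_spring_security_remember_me");

        // Anonymous authentication (already on by default; this call changes nothing).
        http.anonymous();

        // CSRF protection is ON by default with Java Config; this line turns it OFF.
        // NOTE(review): with cookie-based form login this leaves state-changing
        // requests unprotected and lets /logout be triggered with any HTTP method.
        // Prefer keeping CSRF enabled and exempting only what needs it, e.g.
        // csrf().ignoringAntMatchers(...) for the H2 console paths; confirm the
        // application's forms send the token before re-enabling.
        http.csrf().disable();

        // Access-denied responses are rendered by the application's 403 page.
        http.exceptionHandling()
//                .authenticationEntryPoint(forbiddenEntryPoint)
                .accessDeniedPage("/errors/403")
        ;

        // The H2 web console renders inside frames, presumably served from this same
        // origin, so allow same-origin framing only instead of removing
        // X-Frame-Options for the whole application (clickjacking protection).
        http.headers().frameOptions().sameOrigin();
    }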
 
Example 15
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License
/**
     * HTTP Security configuration
     *
     * <pre><http auto-config="true"></pre> is equivalent to:
     * <pre>
     *  <http>
     *      <form-login />
     *      <http-basic />
     *      <logout />
     *  </http>
     * </pre>
     *
     * Which is equivalent to the following JavaConfig:
     *
     * <pre>
     *     http.formLogin()
     *          .and().httpBasic()
     *          .and().logout();
     * </pre>
     *
     * @param http HttpSecurity configuration.
     * @throws Exception Authentication configuration exception
     *
     * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
     *     Spring Security 3 to 4 migration</a>
     */
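    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // URL authorization. Rules are checked in declaration order and the first
        // matching pattern decides, so specific paths must stay above "/**".
        http.authorizeRequests()
                // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
                // NOTE(review): this exposes the database console to unauthenticated
                // clients; remove the rule or bind it to a dev-only profile.
                .antMatchers("/admin/h2/**").permitAll()

                .antMatchers("/").permitAll()
                .antMatchers("/login/*").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/signup/*").permitAll()
                .antMatchers("/errors/**").permitAll()
                // NOTE(review): "/admin/*" covers one path segment only; deeper paths
                // such as "/admin/a/b" are decided by the "/**" rule (ROLE_USER).
                // Use "/admin/**" if the whole subtree is meant to be admin-only.
                .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
                // NOTE(review): exact path only; "/events" (no trailing slash) is
                // decided by the "/**" rule instead.
                .antMatchers("/events/").hasRole("ADMIN")
                .antMatchers("/**").hasRole("USER");

        // Form login: custom login page, always redirect to "/default" on success.
        http.formLogin()
                .loginPage("/login/form")
                .loginProcessingUrl("/login")
                .failureUrl("/login/form?error")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/default", true)
                .permitAll();

        // Session management. NEVER means Spring Security will not create a session
        // itself but will use one the application has already created.
        http.sessionManagement()
                // FIXME: TODO: With running STATELESS, login token is not saved.
                .sessionCreationPolicy(SessionCreationPolicy.NEVER)
                .sessionAuthenticationStrategy(
                        sessionAuthenticationStrategy
                )
                // NOTE(review): -1 is treated as "no limit", so
                // maxSessionsPreventsLogin(true) presumably never triggers; set a
                // positive limit if concurrent-session control is intended.
                .maximumSessions(-1).sessionRegistry(sessionRegistry)
                .expiredUrl("/login/form?expired")
                .maxSessionsPreventsLogin(true)
        ;

        // Logout: drop the session and its cookie, then return to the login form.
        http.logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
                .permitAll();

        // Anonymous authentication (already on by default; this call changes nothing).
        http.anonymous();

        // CSRF protection is ON by default with Java Config; this line turns it OFF.
        // NOTE(review): with cookie-based form login this leaves state-changing
        // requests unprotected and lets /logout be triggered with any HTTP method.
        // Prefer keeping CSRF enabled and exempting only what needs it, e.g.
        // csrf().ignoringAntMatchers(...) for the H2 console paths; confirm the
        // application's forms send the token before re-enabling.
        http.csrf().disable();

        // Access-denied responses are rendered by the application's 403 page.
        http.exceptionHandling().accessDeniedPage("/errors/403");

        // Remember-me is switched off in this variant; the draft is kept for reference.
//        http.rememberMe()
//                .key("jbcpCalendar")
//                .rememberMeParameter("obscure-remember-me")
//                .rememberMeCookieName("obscure-remember-me")
//                .rememberMeServices(rememberMeServices)

        // The H2 web console renders inside frames, presumably served from this same
        // origin, so allow same-origin framing only instead of removing
        // X-Frame-Options for the whole application (clickjacking protection).
        http.headers().frameOptions().sameOrigin();
    }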
 
Example 16
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License
/**
     * HTTP Security configuration
     *
     * <pre><http auto-config="true"></pre> is equivalent to:
     * <pre>
     *  <http>
     *      <form-login />
     *      <http-basic />
     *      <logout />
     *  </http>
     * </pre>
     *
     * Which is equivalent to the following JavaConfig:
     *
     * <pre>
     *     http.formLogin()
     *          .and().httpBasic()
     *          .and().logout();
     * </pre>
     *
     * @param http HttpSecurity configuration.
     * @throws Exception Authentication configuration exception
     *
     * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
     *     Spring Security 3 to 4 migration</a>
     */
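    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // URL authorization. Rules are checked in declaration order and the first
        // matching pattern decides, so specific paths must stay above "/**".
        http.authorizeRequests()
                // The open H2 console rule stays disabled in this variant
                // (it was marked "NOT FOR PRODUCTION USE EVER").
//                .antMatchers("/admin/h2/**").permitAll()

                .antMatchers("/").permitAll()
                .antMatchers("/login/*").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/signup/*").permitAll()
                .antMatchers("/errors/**").permitAll()
                // NOTE(review): "/admin/*" covers one path segment only; deeper paths
                // such as "/admin/a/b" are decided by the "/**" rule (ROLE_USER).
                // Use "/admin/**" if the whole subtree is meant to be admin-only.
                .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
                // NOTE(review): exact path only; "/events" (no trailing slash) is
                // decided by the "/**" rule instead.
                .antMatchers("/events/").hasRole("ADMIN")
                .antMatchers("/**").hasRole("USER");

        // Form login: custom login page, always redirect to "/default" on success.
        http.formLogin()
                .loginPage("/login/form")
                .loginProcessingUrl("/login")
                .failureUrl("/login/form?error")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/default", true)
                .permitAll();

        // Logout: drop the session and its cookie, then return to the login form.
        http.logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
                .permitAll();

        // Remember-me.
        // NOTE(review): the key is part of the remember-me token signature and is
        // hard-coded here; load it from configuration kept out of source control.
        http.rememberMe().key("jbcpCalendar"); //.rememberMeParameter("_spring_security_remember_me");

        // Anonymous authentication (already on by default; this call changes nothing).
        http.anonymous();

        // CSRF protection is ON by default with Java Config; this line turns it OFF.
        // NOTE(review): with cookie-based form login this leaves state-changing
        // requests unprotected and lets /logout be triggered with any HTTP method.
        // Prefer keeping CSRF enabled and exempting only what needs it, e.g.
        // csrf().ignoringAntMatchers(...) for the H2 console paths; confirm the
        // application's forms send the token before re-enabling.
        http.csrf().disable();

        // Access-denied responses are rendered by the application's 403 page.
        http.exceptionHandling()
//                .authenticationEntryPoint(forbiddenEntryPoint)
                .accessDeniedPage("/errors/403")
        ;

        // The H2 web console renders inside frames, presumably served from this same
        // origin, so allow same-origin framing only instead of removing
        // X-Frame-Options for the whole application (clickjacking protection).
        http.headers().frameOptions().sameOrigin();
    }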
 
Example 17
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License
/**
     * HTTP Security configuration
     *
     * <pre><http auto-config="true"></pre> is equivalent to:
     * <pre>
     *  <http>
     *      <form-login />
     *      <http-basic />
     *      <logout />
     *  </http>
     * </pre>
     *
     * Which is equivalent to the following JavaConfig:
     *
     * <pre>
     *     http.formLogin()
     *          .and().httpBasic()
     *          .and().logout();
     * </pre>
     *
     * @param http HttpSecurity configuration.
     * @throws Exception Authentication configuration exception
     *
     * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
     *     Spring Security 3 to 4 migration</a>
     */
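    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // URL authorization. Rules are checked in declaration order and the first
        // matching pattern decides, so specific paths must stay above "/**".
        http.authorizeRequests()
//                .expressionHandler(expressionHandler)

                // The open H2 console rule stays disabled in this variant
                // (it was marked "NOT FOR PRODUCTION USE EVER").
//                .antMatchers("/admin/h2/**").permitAll()

                .antMatchers("/").permitAll()
                .antMatchers("/login/*").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/signup/*").permitAll()
                .antMatchers("/errors/**").permitAll()
                // NOTE(review): "/admin/*" covers one path segment only; deeper paths
                // such as "/admin/a/b" are decided by the "/**" rule (ROLE_USER).
                // Use "/admin/**" if the whole subtree is meant to be admin-only.
                .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
                // NOTE: "/events/" is now protected by ACL:
//                .antMatchers("/events/").hasRole("ADMIN")
                .antMatchers("/**").hasRole("USER");

        // Form login: custom login page, always redirect to "/default" on success.
        http.formLogin()
                .loginPage("/login/form")
                .loginProcessingUrl("/login")
                .failureUrl("/login/form?error")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/default", true)
                .permitAll();

        // Logout: drop the session and its cookie, then return to the login form.
        http.logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
                .permitAll();

        // Remember-me.
        // NOTE(review): the key is part of the remember-me token signature and is
        // hard-coded here; load it from configuration kept out of source control.
        http.rememberMe().key("jbcpCalendar"); //.rememberMeParameter("_spring_security_remember_me");

        // Anonymous authentication (already on by default; this call changes nothing).
        http.anonymous();

        // CSRF protection is ON by default with Java Config; this line turns it OFF.
        // NOTE(review): with cookie-based form login this leaves state-changing
        // requests unprotected and lets /logout be triggered with any HTTP method.
        // Prefer keeping CSRF enabled and exempting only what needs it, e.g.
        // csrf().ignoringAntMatchers(...) for the H2 console paths; confirm the
        // application's forms send the token before re-enabling.
        http.csrf().disable();

        // Access-denied responses are rendered by the application's 403 page.
        http.exceptionHandling()
//                .authenticationEntryPoint(forbiddenEntryPoint)
                .accessDeniedPage("/errors/403")
        ;

        // The H2 web console renders inside frames, presumably served from this same
        // origin, so allow same-origin framing only instead of removing
        // X-Frame-Options for the whole application (clickjacking protection).
        http.headers().frameOptions().sameOrigin();
    }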
 
Example 18
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License
/**
 * HTTP Security configuration
 *
 * <pre><http auto-config="true"></pre> is equivalent to:
 * <pre>
 *  <http>
 *      <form-login />
 *      <http-basic />
 *      <logout />
 *  </http>
 * </pre>
 *
 * Which is equivalent to the following JavaConfig:
 *
 * <pre>
 *     http.formLogin()
 *          .and().httpBasic()
 *          .and().logout();
 * </pre>
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 *
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *     Spring Security 3 to 4 migration</a>
 */
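@Override
protected void configure(final HttpSecurity http) throws Exception {
    // URL authorization. Rules are checked in declaration order and the first
    // matching pattern decides, so specific paths must stay above "/**".
    http.authorizeRequests()
            // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
            // NOTE(review): this exposes the database console to unauthenticated
            // clients; remove the rule or bind it to a dev-only profile.
            .antMatchers("/admin/h2/**").permitAll()

            .antMatchers("/", "/favicon*").permitAll()
            .antMatchers("/login/*").permitAll()
            .antMatchers("/logout").permitAll()
            .antMatchers("/signin/**").permitAll()
            .antMatchers("/signup/*").permitAll()
            .antMatchers("/errors/**").permitAll()
            // NOTE(review): "/admin/*" covers one path segment only; deeper paths
            // such as "/admin/a/b" are decided by the "/**" rule (ROLE_USER).
            // Use "/admin/**" if the whole subtree is meant to be admin-only.
            .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
            // NOTE(review): exact path only; "/events" (no trailing slash) is
            // decided by the "/**" rule instead.
            .antMatchers("/events/").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");

    // Do not remember the originally requested URL across the login redirect.
    http.requestCache().requestCache(new NullRequestCache());

    // Create an HTTP session only when one is needed.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);

    // Form login: custom login page, always redirect to "/default" on success.
    http.formLogin()
            .loginPage("/login/form")
            .loginProcessingUrl("/login")
            .failureUrl("/login/form?error")
            .usernameParameter("username")
            .passwordParameter("password")
            .defaultSuccessUrl("/default", true)
            .permitAll();

    // Logout: drop the session and its cookie, then return to the login form.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
            .permitAll();

    // Anonymous authentication (already on by default; this call changes nothing).
    http.anonymous();

    // CSRF protection is ON by default with Java Config; this line turns it OFF.
    // NOTE(review): with cookie-based form login this leaves state-changing
    // requests unprotected and lets /logout be triggered with any HTTP method.
    // Prefer keeping CSRF enabled and exempting only what needs it, e.g.
    // csrf().ignoringAntMatchers(...) for the H2 console paths; confirm the
    // application's forms send the token before re-enabling.
    http.csrf().disable();

    // Access-denied responses are rendered by the application's 403 page.
    http.exceptionHandling()
            .accessDeniedPage("/errors/403")
    ;

    // The H2 web console renders inside frames, presumably served from this same
    // origin, so allow same-origin framing only instead of removing
    // X-Frame-Options for the whole application (clickjacking protection).
    http.headers().frameOptions().sameOrigin();
}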
 
Example 19
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License
/**
 * HTTP Security configuration
 *
 * <pre><http auto-config="true"></pre> is equivalent to:
 * <pre>
 *  <http>
 *      <form-login />
 *      <http-basic />
 *      <logout />
 *  </http>
 * </pre>
 *
 * Which is equivalent to the following JavaConfig:
 *
 * <pre>
 *     http.formLogin()
 *          .and().httpBasic()
 *          .and().logout();
 * </pre>
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 *
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *     Spring Security 3 to 4 migration</a>
 */
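@Override
protected void configure(final HttpSecurity http) throws Exception {
    // URL authorization. Rules are checked in declaration order and the first
    // matching pattern decides, so specific paths must stay above "/**".
    http.authorizeRequests()
            // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
            // NOTE(review): this exposes the database console to unauthenticated
            // clients; remove the rule or bind it to a dev-only profile.
            .antMatchers("/admin/h2/**").permitAll()

            .antMatchers("/").permitAll()
            .antMatchers("/login/*").permitAll()
            .antMatchers("/logout").permitAll()
            .antMatchers("/signup/*").permitAll()
            .antMatchers("/errors/**").permitAll()
            // NOTE(review): "/admin/*" covers one path segment only; deeper paths
            // such as "/admin/a/b" are decided by the "/**" rule (ROLE_USER).
            // Use "/admin/**" if the whole subtree is meant to be admin-only.
            .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
            // NOTE(review): exact path only; "/events" (no trailing slash) is
            // decided by the "/**" rule instead.
            .antMatchers("/events/").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");

    // Form login: custom login page, always redirect to "/default" on success.
    http.formLogin()
            .loginPage("/login/form")
            .loginProcessingUrl("/login")
            .failureUrl("/login/form?error")
            .usernameParameter("username")
            .passwordParameter("password")
            .defaultSuccessUrl("/default", true)
            .permitAll();

    // Logout: drop the session and its cookie, then return to the login form.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login/form?logout")
            .deleteCookies("JSESSIONID").invalidateHttpSession(true)
            .permitAll();

    // Anonymous authentication (already on by default; this call changes nothing).
    http.anonymous();

    // CSRF protection is ON by default with Java Config; this line turns it OFF.
    // NOTE(review): with cookie-based form login this leaves state-changing
    // requests unprotected and lets /logout be triggered with any HTTP method.
    // Prefer keeping CSRF enabled and exempting only what needs it, e.g.
    // csrf().ignoringAntMatchers(...) for the H2 console paths; confirm the
    // application's forms send the token before re-enabling.
    http.csrf().disable();

    // Access-denied responses are rendered by the application's 403 page.
    http.exceptionHandling()
            .accessDeniedPage("/errors/403")
    ;

    // The H2 web console renders inside frames, presumably served from this same
    // origin, so allow same-origin framing only instead of removing
    // X-Frame-Options for the whole application (clickjacking protection).
    http.headers().frameOptions().sameOrigin();
}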
 
Example 20
Source File: SecurityConfig.java    From Spring-Security-Third-Edition with MIT License
/**
 * HTTP Security configuration
 *
 * <pre><http auto-config="true"></pre> is equivalent to:
 * <pre>
 *  <http>
 *      <form-login />
 *      <http-basic />
 *      <logout />
 *  </http>
 * </pre>
 *
 * Which is equivalent to the following JavaConfig:
 *
 * <pre>
 *     http.formLogin()
 *          .and().httpBasic()
 *          .and().logout();
 * </pre>
 *
 * @param http HttpSecurity configuration.
 * @throws Exception Authentication configuration exception
 *
 * @see <a href="http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html">
 *     Spring Security 3 to 4 migration</a>
 */
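@Override
protected void configure(final HttpSecurity http) throws Exception {
    // URL authorization. Rules are checked in declaration order and the first
    // matching pattern decides, so specific paths must stay above "/**".
    http.authorizeRequests()
            // FIXME: TODO: Allow anyone to use H2 (NOTE: NOT FOR PRODUCTION USE EVER !!! )
            // NOTE(review): this exposes the database console to unauthenticated
            // clients; remove the rule or bind it to a dev-only profile.
            .antMatchers("/admin/h2/**").permitAll()

            .antMatchers("/").permitAll()
            .antMatchers("/login/*").permitAll()
            .antMatchers("/logout").permitAll()
            .antMatchers("/signup/*").permitAll()
            .antMatchers("/errors/**").permitAll()
            // NOTE(review): "/admin/*" covers one path segment only; deeper paths
            // such as "/admin/a/b" are decided by the "/**" rule (ROLE_USER).
            // Use "/admin/**" if the whole subtree is meant to be admin-only.
            .antMatchers("/admin/*").access("hasRole('ADMIN') and isFullyAuthenticated()")
            // NOTE(review): exact path only; "/events" (no trailing slash) is
            // decided by the "/**" rule instead.
            .antMatchers("/events/").hasRole("ADMIN")
            .antMatchers("/**").hasRole("USER");

    // Form login: custom login page, always redirect to "/default" on success.
    http.formLogin()
            .loginPage("/login/form")
            .loginProcessingUrl("/login")
            .failureUrl("/login/form?error")
            .usernameParameter("username")
            .passwordParameter("password")
            .defaultSuccessUrl("/default", true)
            .permitAll();

    // Logout: drop the session and its cookie, then return to the login form.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login/form?logout").deleteCookies("JSESSIONID").invalidateHttpSession(true)
            .permitAll();

    // Anonymous authentication (already on by default; this call changes nothing).
    http.anonymous();

    // CSRF protection is ON by default with Java Config; this line turns it OFF.
    // NOTE(review): with cookie-based form login this leaves state-changing
    // requests unprotected and lets /logout be triggered with any HTTP method.
    // Prefer keeping CSRF enabled and exempting only what needs it, e.g.
    // csrf().ignoringAntMatchers(...) for the H2 console paths; confirm the
    // application's forms send the token before re-enabling.
    http.csrf().disable();

    // Access-denied responses are rendered by the application's 403 page.
    http.exceptionHandling()
            .accessDeniedPage("/errors/403")
    ;

    // The H2 web console renders inside frames, presumably served from this same
    // origin, so allow same-origin framing only instead of removing
    // X-Frame-Options for the whole application (clickjacking protection).
    http.headers().frameOptions().sameOrigin();
}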