org.springframework.security.config.http.SessionCreationPolicy Java Examples

The following examples show how to use org.springframework.security.config.http.SessionCreationPolicy. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: DefaultResourceServerConf.java    From microservices-platform with Apache License 2.0 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.AuthorizedUrl authorizedUrl = setHttp(http)
            .authorizeRequests()
            .antMatchers(securityProperties.getIgnore().getUrls()).permitAll()
            .antMatchers(HttpMethod.OPTIONS).permitAll()
            .anyRequest();
    setAuthenticate(authorizedUrl);

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .and()
                .httpBasic().disable()
                .headers()
                .frameOptions().disable()
            .and()
                .csrf().disable();
}
 
Example #2
Source File: WebSecurityConfig.java    From XS2A-Sandbox with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/api/v1/**")
        .authorizeRequests()
        .antMatchers(APP_WHITELIST).permitAll()
            .and()
        .authorizeRequests().anyRequest()
        .authenticated()
            .and()
        .httpBasic()
        .disable();

    http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.headers().frameOptions().disable();

    http.addFilterBefore(new LoginAuthenticationFilter(userMgmtRestClient), BasicAuthenticationFilter.class);
    http.addFilterBefore(new TokenAuthenticationFilter(userMgmtRestClient, authInterceptor), BasicAuthenticationFilter.class);
}
 
Example #3
Source File: WebSecurityConfig.java    From Blog with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {

    //禁用csrf
    //options全部放行
    //post put delete get 全部拦截校验
    httpSecurity.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .antMatchers(HttpMethod.POST).authenticated()
            .antMatchers(HttpMethod.PUT).authenticated()
            .antMatchers(HttpMethod.DELETE).authenticated()
            .antMatchers(HttpMethod.GET).authenticated();

    httpSecurity
            .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
    httpSecurity.headers().cacheControl();
}
 
Example #4
Source File: BrowerSecurityConfig.java    From WeEvent with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {

    http.exceptionHandling().accessDeniedHandler(jsonAccessDeniedHandler);

    http.formLogin() // define user login page
            .loginPage("/user/require")
            .loginProcessingUrl("/user/login")
            .usernameParameter("username")
            .passwordParameter("password")
            .permitAll()
            .successHandler(authenticationSuccessHandler) // if login success
            .failureHandler(loginfailHandler) // if login fail
            .and()
            .addFilterAfter(new UserFilter(), LoginFilter.class)
            .addFilter(new LoginFilter(authenticationManagerBean(), authenticationSuccessHandler,loginfailHandler))
            .authorizeRequests()
            .antMatchers("/user/**", "/", "/static/**", "/weevent-governance/user/**").permitAll()
            .anyRequest().authenticated()
            .and().csrf()
            .disable().httpBasic().authenticationEntryPoint(jsonAuthenticationEntryPoint)
            .disable().cors().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().logout().logoutUrl("/user/logout")
            .logoutSuccessHandler(jsonLogoutSuccessHandler)
            .permitAll();
}
 
Example #5
Source File: MicroserviceSecurityConfiguration.java    From cubeai with Apache License 2.0 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
        .ignoringAntMatchers("/h2-console/**")
        .ignoringAntMatchers("/umu/api/ueditor")
        .ignoringAntMatchers("/ability/model/**")
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
    .and()
        .addFilterBefore(corsFilter, CsrfFilter.class)
        .headers()
        .frameOptions()
        .disable()
    .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
        .authorizeRequests()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/swagger-resources/configuration/ui").permitAll();
}
 
Example #6
Source File: WebSecurityConfiguration.java    From MyShopPlus with Apache License 2.0 6 votes vote down vote up
@Override
    protected void configure(HttpSecurity http) throws Exception {
        /**
         * 将授权访问配置改为注解方式
         * @see LoginController#info()
         */
        http.exceptionHandling()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

//        http.exceptionHandling()
//                .and()
//                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
//                .and()
//                .authorizeRequests()
//                // 授权访问
//                .antMatchers("/user/info").hasAuthority("USER")
//                .antMatchers("/user/logout").hasAuthority("USER");
    }
 
Example #7
Source File: WebSecurityConfig.java    From XS2A-Sandbox with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests().antMatchers(APP_INDEX_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(APP_SCA_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(APP_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(SWAGGER_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(ACTUATOR_WHITELIST).permitAll()
        .and()
        .cors()
        .and()
        .authorizeRequests().anyRequest().authenticated();

    http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.headers().frameOptions().disable();

    http.addFilterBefore(new JWTAuthenticationFilter(tokenAuthenticationService), BasicAuthenticationFilter.class);
}
 
Example #8
Source File: SecurityConfig.java    From spring-security-samples with MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
	http
		.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
		.and()
		.authorizeRequests()

		// require the user to have the "dummy" role
		.antMatchers("/**").hasRole("dummy")

		.anyRequest().authenticated()
		.and()
		.oauth2ResourceServer()
		.jwt()
		.jwtAuthenticationConverter(jwtAuthenticationConverter());
}
 
Example #9
Source File: ResourceServerConfiguration.java    From open-cloud with MIT License 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .and()
            .authorizeRequests()
            // 监控端点内部放行
            .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
            // fegin访问或无需身份认证
            .antMatchers(
                    "/generate/**"
            ).permitAll()
            .anyRequest().authenticated()
            .and()
            //认证鉴权错误处理,为了统一异常处理。每个资源服务器都应该加上。
            .exceptionHandling()
            .accessDeniedHandler(new OpenAccessDeniedHandler())
            .authenticationEntryPoint(new OpenAuthenticationEntryPoint())
            .and()
            .csrf().disable();
}
 
Example #10
Source File: JwtSecurityConfiguration.java    From cola with MIT License 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {

	http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
	http.authorizeRequests()
			.antMatchers("/login", "/logout", "/error").permitAll()
			.and()
			.formLogin()
			.loginProcessingUrl("/login")
			.failureHandler(this.failureHandler())
			.successHandler(this.successHandler())
			.and()
			.logout()
			.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
			.logoutSuccessHandler(new JwtLogoutSuccessHandler())
			.and()
			.exceptionHandling().authenticationEntryPoint(new JwtAuthenticationEntryPoint())
			.and()
			.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
	http.addFilterAfter(this.jwtAuthenticationFilter, SecurityContextPersistenceFilter.class);
}
 
Example #11
Source File: ResourceServerConfiguration.java    From open-cloud with MIT License 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .and()
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .anyRequest().authenticated()
            // 动态权限验证
            .anyRequest().access("@accessManager.check(request,authentication)")
            .and()
            //认证鉴权错误处理,为了统一异常处理。每个资源服务器都应该加上。
            .exceptionHandling()
            .accessDeniedHandler(new JsonAccessDeniedHandler(accessLogService))
            .authenticationEntryPoint(new JsonAuthenticationEntryPoint(accessLogService))
            .and()
            .csrf().disable();
    // 日志前置过滤器
    http.addFilterBefore(new PreRequestFilter(), AbstractPreAuthenticatedProcessingFilter.class);
    // 签名验证过滤器
    http.addFilterAfter(new PreSignatureFilter(baseAppServiceClient, apiProperties,new JsonSignatureDeniedHandler(accessLogService)), AbstractPreAuthenticatedProcessingFilter.class);
    // 访问验证前置过滤器
    http.addFilterAfter(new PreCheckFilter(accessManager, new JsonAccessDeniedHandler(accessLogService)), AbstractPreAuthenticatedProcessingFilter.class);
}
 
Example #12
Source File: GlobalSecurityConfig.java    From airsonic-advanced with GNU General Public License v3.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {

    http = http.addFilter(new WebAsyncManagerIntegrationFilter());
    http = http.addFilterBefore(jwtAuthFilter(), UsernamePasswordAuthenticationFilter.class);

    http
            .antMatcher("/ext/**")
            .csrf().requireCsrfProtectionMatcher(csrfSecurityRequestMatcher).and()
            .headers().frameOptions().sameOrigin().and()
            .authorizeRequests()
            .antMatchers(
                    "/ext/stream/**",
                    "/ext/coverArt*",
                    "/ext/share/**",
                    "/ext/hls/**")
            .hasAnyRole("TEMP", "USER").and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .exceptionHandling().and()
            .securityContext().and()
            .requestCache().and()
            .anonymous().and()
            .servletApi();
}
 
Example #13
Source File: ResourceServerConfiguration.java    From open-cloud with MIT License 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .and()
            .authorizeRequests()
            .antMatchers("/login/**","/oauth/**").permitAll()
            // 监控端点内部放行
            .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and()
            .logout().permitAll()
            // /logout退出清除cookie
            .addLogoutHandler(new CookieClearingLogoutHandler("token", "remember-me"))
            .logoutSuccessHandler(new LogoutSuccessHandler())
            .and()
            // 认证鉴权错误处理,为了统一异常处理。每个资源服务器都应该加上。
            .exceptionHandling()
            .accessDeniedHandler(new OpenAccessDeniedHandler())
            .authenticationEntryPoint(new OpenAuthenticationEntryPoint())
            .and()
            .csrf().disable()
            // 禁用httpBasic
            .httpBasic().disable();
}
 
Example #14
Source File: TppWebSecurityConfig.java    From XS2A-Sandbox with Apache License 2.0 6 votes vote down vote up
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests().antMatchers(INDEX_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(APP_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(ACTUATOR_WHITELIST).permitAll()
        .and()
        .authorizeRequests().antMatchers(SWAGGER_WHITELIST).permitAll()
        .and()
        .cors()
        .and()
        .authorizeRequests().anyRequest().authenticated();

    http.headers().frameOptions().disable();
    http.httpBasic().disable();
    http.addFilterBefore(new DisableEndpointFilter(environment), BasicAuthenticationFilter.class);
    http.addFilterBefore(new LoginAuthenticationFilter(userMgmtStaffRestClient), BasicAuthenticationFilter.class);
    http.addFilterBefore(new TokenAuthenticationFilter(ledgersUserMgmt, authInterceptor), BasicAuthenticationFilter.class);
}
 
Example #15
Source File: MicroserviceSecurityConfiguration.java    From cubeai with Apache License 2.0 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
        .disable()
        .headers()
        .frameOptions()
        .disable()
    .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
        .authorizeRequests()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/swagger-resources/configuration/ui").permitAll();
}
 
Example #16
Source File: MicroserviceSecurityConfiguration.java    From cubeai with Apache License 2.0 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
        .disable()
        .headers()
        .frameOptions()
        .disable()
    .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
        .authorizeRequests()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/solutions").permitAll()
        .antMatchers("/model/ability").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/swagger-resources/configuration/ui").permitAll();
}
 
Example #17
Source File: WebSecurityConfig.java    From spring-security with Apache License 2.0 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http
            .cors()
            .and().csrf().disable();//开启跨域
    http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            /*匿名请求:不需要进行登录拦截的url*/
            .authorizeRequests()
                .antMatchers("/getVerifyCode", "/auth/**").permitAll()
                .anyRequest().authenticated()//其他的路径都是登录后才可访问
                .and()
            .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .accessDeniedHandler(accessDeniedHandler);
     http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
     http.headers().cacheControl();
}
 
Example #18
Source File: MicroserviceSecurityConfiguration.java    From cubeai with Apache License 2.0 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
        .disable()
        .headers()
        .frameOptions()
        .disable()
    .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
        .authorizeRequests()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/swagger-resources/configuration/ui").permitAll();
}
 
Example #19
Source File: ResourceServerConfiguration.java    From open-cloud with MIT License 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .and()
            .authorizeRequests()
            // 指定监控可访问权限
            .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
            .anyRequest().authenticated()
            .and()
            //认证鉴权错误处理,为了统一异常处理。每个资源服务器都应该加上。
            .exceptionHandling()
            .accessDeniedHandler(new OpenAccessDeniedHandler())
            .authenticationEntryPoint(new OpenAuthenticationEntryPoint())
            .and()
            .csrf().disable();
}
 
Example #20
Source File: JWTWebSecurityConfig.java    From spring-boot-vuejs-fullstack-examples with MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        .csrf().disable()
        .exceptionHandling().authenticationEntryPoint(jwtUnAuthorizedResponseAuthenticationEntryPoint).and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .authorizeRequests()
        .anyRequest().authenticated();

   httpSecurity
        .addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
    
    httpSecurity
        .headers()
        .frameOptions().sameOrigin()  //H2 Console Needs this setting
        .cacheControl(); //disable caching
}
 
Example #21
Source File: ResourceServerConfiguration.java    From open-cloud with MIT License 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .and()
            .authorizeRequests()
            // 指定监控访问权限
            .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
            .anyRequest().authenticated()
            .and()
            //认证鉴权错误处理
            .exceptionHandling()
            .accessDeniedHandler(new OpenAccessDeniedHandler())
            .authenticationEntryPoint(new OpenAuthenticationEntryPoint())
            .and()
            .csrf().disable();
}
 
Example #22
Source File: ResourceServerConfiguration.java    From open-cloud with MIT License 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .and()
            .authorizeRequests()
            .antMatchers(
                    "/email/**",
                    "/sms/**",
                    "/webhook/**"
            ).permitAll()
            // 指定监控访问权限
            .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
            .anyRequest().authenticated()
            .and()
            //认证鉴权错误处理
            .exceptionHandling()
            .accessDeniedHandler(new OpenAccessDeniedHandler())
            .authenticationEntryPoint(new OpenAuthenticationEntryPoint())
            .and()
            .csrf().disable();
}
 
Example #23
Source File: JWTWebSecurityConfig.java    From pcf-crash-course-with-spring-boot with MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        .csrf().disable()
        .exceptionHandling().authenticationEntryPoint(jwtUnAuthorizedResponseAuthenticationEntryPoint).and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .authorizeRequests()
        .anyRequest().authenticated();

   httpSecurity
        .addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
    
    httpSecurity
        .headers()
        .frameOptions().sameOrigin()  //H2 Console Needs this setting
        .cacheControl(); //disable caching
}
 
Example #24
Source File: WebSecurityConfig.java    From spring-boot-study with MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // 本示例不需要使用CSRF
    httpSecurity.csrf().disable()
            // 认证页面不需要权限
            .authorizeRequests().antMatchers("/authenticate").permitAll().
            //其他页面
                    anyRequest().authenticated().and().
            //登录页面 模拟客户端
            formLogin().loginPage("/login.html").permitAll().and().
            // store user's state.
             exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
            //不使用session
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    //验证请求是否正确
    httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
 
Example #25
Source File: MicroserviceSecurityConfiguration.java    From cubeai with Apache License 2.0 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
        .disable()
        .headers()
        .frameOptions()
        .disable()
    .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
        .authorizeRequests()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/swagger-resources/configuration/ui").permitAll();
}
 
Example #26
Source File: OAuth2SecurityConfiguration.java    From flair-registry with Apache License 2.0 6 votes vote down vote up
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
        .disable()
        .headers()
        .frameOptions()
        .disable()
    .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
        .requestMatcher(authorizationHeaderRequestMatcher())
        .authorizeRequests()
        .antMatchers("/services/**").authenticated()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);
}
 
Example #27
Source File: JWTWebSecurityConfig.java    From docker-crash-course with MIT License 6 votes vote down vote up
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        .csrf().disable()
        .exceptionHandling().authenticationEntryPoint(jwtUnAuthorizedResponseAuthenticationEntryPoint).and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .authorizeRequests()
        .anyRequest().authenticated();

   httpSecurity
        .addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
    
    httpSecurity
        .headers()
        .frameOptions().sameOrigin()  //H2 Console Needs this setting
        .cacheControl(); //disable caching
}
 
Example #28
Source File: SecurityConfig.java    From HIS with Apache License 2.0 5 votes vote down vote up
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity.csrf()// 由于使用的是JWT,我们这里不需要csrf
            .disable()
            .sessionManagement()// 基于token,所以不需要session
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, // 允许对于网站静态资源的无授权访问
                    "/",
                    "/*.html",
                    "/favicon.ico",
                    "/**/*.html",
                    "/**/*.css",
                    "/**/*.js",
                    "/swagger-resources/**",
                    "/v2/api-docs/**",
                    "/app/**"
            )
            .permitAll()
            .antMatchers("/staff/login", "/staff/register")// 对登录注册要允许匿名访问
            .permitAll()
            .antMatchers(HttpMethod.OPTIONS)//跨域请求会先进行一次options请求
            .permitAll()
            .antMatchers("/**")//测试时全部运行访问
            .permitAll()
            .anyRequest()// 除上面外的所有请求全部需要鉴权认证
            .authenticated();
    // 禁用缓存
    httpSecurity.headers().frameOptions().disable().cacheControl();

    // 添加JWT filter
    httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    //添加自定义未授权和未登录结果返回
    httpSecurity.exceptionHandling()
            .accessDeniedHandler(restfulAccessDeniedHandler)
            .authenticationEntryPoint(restAuthenticationEntryPoint);
}
 
Example #29
Source File: SecurityConfig.java    From mall-learning with Apache License 2.0 5 votes vote down vote up
@Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf()// 由于使用的是JWT,我们这里不需要csrf
                .disable()
                .sessionManagement()// 基于token,所以不需要session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, // 允许对于网站静态资源的无授权访问
                        "/",
                        "/*.html",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js",
                        "/swagger-resources/**",
                        "/v2/api-docs/**"
                )
                .permitAll()
                .antMatchers("/admin/login", "/admin/register")// 对登录注册要允许匿名访问
                .permitAll()
                .antMatchers(HttpMethod.OPTIONS)//跨域请求会先进行一次options请求
                .permitAll()
//                .antMatchers("/**")//测试时全部运行访问
//                .permitAll()
                .anyRequest()// 除上面外的所有请求全部需要鉴权认证
                .authenticated();
        // 禁用缓存
        httpSecurity.headers().cacheControl();
        // 添加JWT filter
        httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
        //添加自定义未授权和未登录结果返回
        httpSecurity.exceptionHandling()
                .accessDeniedHandler(restfulAccessDeniedHandler)
                .authenticationEntryPoint(restAuthenticationEntryPoint);
    }
 
Example #30
Source File: SecurityConfig.java    From HIS with Apache License 2.0 5 votes vote down vote up
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity.csrf()// 由于使用的是JWT,我们这里不需要csrf
            .disable()
            .sessionManagement()// 基于token,所以不需要session
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, // 允许对于网站静态资源的无授权访问
                    "/",
                    "/*.html",
                    "/favicon.ico",
                    "/**/*.html",
                    "/**/*.css",
                    "/**/*.js",
                    "/swagger-resources/**",
                    "/v2/api-docs/**"
            )
            .permitAll()
            .antMatchers("/staff/login", "/staff/register")// 对登录注册要允许匿名访问
            .permitAll()
            .antMatchers(HttpMethod.OPTIONS)//跨域请求会先进行一次options请求
            .permitAll()
            .antMatchers("/**")//测试时全部运行访问
            .permitAll()
            .anyRequest()// 除上面外的所有请求全部需要鉴权认证
            .authenticated();
    // 禁用缓存
    httpSecurity.headers().frameOptions().disable().cacheControl();
    // 添加JWT filter
    httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    //添加自定义未授权和未登录结果返回
    httpSecurity.exceptionHandling()
            .accessDeniedHandler(restfulAccessDeniedHandler)
            .authenticationEntryPoint(restAuthenticationEntryPoint);
}