org.springframework.security.web.session.SessionManagementFilter Java Examples

Example #1
Source File: PlatformSecurityConfiguration.java    From abixen-platform with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Declares the HTTP security rules: HTTP Basic authentication, a list of endpoints that are
 * open to unauthenticated callers, logout handling, and CSRF protection backed by the token
 * repository returned from {@code csrfTokenRepository()}.
 *
 * <p>Every request that does not match one of the {@code permitAll()} patterns must be
 * authenticated.
 *
 * @param http the security builder to configure
 * @throws Exception if any of the configurers fails
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // HTTP Basic sends the credentials with every request. Nothing in this method requires a
    // secure channel, so TLS has to be enforced elsewhere (NOTE(review): confirm).
    http.httpBasic();

    // Rules are evaluated in declaration order, so the public patterns come before anyRequest().
    // NOTE(review): "/service/**" and "/test" are reachable without authentication; confirm that
    // whatever is mapped under them enforces its own access control or exposes nothing sensitive.
    http.authorizeRequests()
            .antMatchers(
                    "/turbine.stream",
                    "/test",
                    "/service/**",
                    "/api/user",
                    "/api/user-activation/activate/*/")
            .permitAll()
            .anyRequest().authenticated();

    // NOTE(review): "/login" is not among the public patterns above, so the post-logout redirect
    // target is subject to the authenticated() rule unless it is handled outside this method.
    http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login?logout");

    // CsrfHeaderFilter is defined elsewhere in the project; it is placed right after the
    // session-management step of the filter chain.
    http.addFilterAfter(new CsrfHeaderFilter(), SessionManagementFilter.class);

    // CSRF protection stays enabled; only the token storage is customised.
    http.csrf().csrfTokenRepository(csrfTokenRepository());
}
 
Example #2
Source File: WebAuthnLoginConfigurer.java    From webauthn4j-spring-security with Apache License 2.0 5 votes vote down vote up
/**
 * Registers the {@code OptionsEndpointFilter} in the security filter chain, directly after
 * {@link SessionManagementFilter}.
 *
 * <p>If the application context already defines a bean of that type, the bean is used as is;
 * otherwise a new filter is built from this configurer's {@code optionsProvider} and
 * {@code objectConverter} and bound to {@code processingUrl}.
 *
 * @param http the security builder the filter is added to
 */
private void configure(H http) {
    ApplicationContext context = http.getSharedObject(ApplicationContext.class);
    boolean filterBeanDefined = context.getBeanNamesForType(OptionsEndpointFilter.class).length > 0;

    OptionsEndpointFilter filter;
    if (filterBeanDefined) {
        // A user-supplied bean keeps its own settings: processingUrl is NOT applied to it, so the
        // URL it listens on must be kept consistent with the authorization rules by whoever
        // defines the bean. getBean(Class) fails if more than one candidate bean exists.
        filter = context.getBean(OptionsEndpointFilter.class);
    } else {
        filter = new OptionsEndpointFilter(optionsProvider, objectConverter);
        filter.setFilterProcessesUrl(processingUrl);
    }

    http.addFilterAfter(filter, SessionManagementFilter.class);
}
 
Example #3
Source File: FidoServerConfigurer.java    From webauthn4j-spring-security with Apache License 2.0 5 votes vote down vote up
/**
 * Resolves the server endpoint filter and installs it in the security filter chain, directly
 * after {@link SessionManagementFilter}.
 *
 * <p>A bean of type {@code filterClass} from the application context takes precedence. When no
 * such bean exists, {@code createInstance()} supplies the filter and {@code filterProcessingUrl}
 * is applied if one was configured. The resolved filter is also published as a shared object
 * on the builder under {@code filterClass}.
 *
 * @param http the security builder to configure
 */
void configure(H http) {
    ApplicationContext context = http.getSharedObject(ApplicationContext.class);
    boolean filterBeanDefined = context.getBeanNamesForType(filterClass).length > 0;

    F endpointFilter;
    if (filterBeanDefined) {
        // An existing bean is taken unchanged: filterProcessingUrl is not applied to it.
        endpointFilter = context.getBean(filterClass);
    } else {
        endpointFilter = createInstance();
        // A null URL leaves the filter on whatever URL createInstance() gave it.
        if (filterProcessingUrl != null) {
            endpointFilter.setFilterProcessesUrl(filterProcessingUrl);
        }
    }

    http.setSharedObject(filterClass, endpointFilter);
    http.addFilterAfter(endpointFilter, SessionManagementFilter.class);
}
 
Example #4
Source File: SessionConfig.java    From Spring-Security-Third-Edition with MIT License 4 votes vote down vote up
/**
 * Builds the {@link SessionManagementFilter} bean from the injected collaborators.
 *
 * <p>The filter hands newly authenticated requests to the given
 * {@link SessionAuthenticationStrategy}, so session-related protections (for example against
 * session fixation) depend on which strategy is injected here.
 * NOTE(review): the strategy bean is defined elsewhere; confirm it is not a no-op.
 *
 * @param securityContextRepository     repository the filter consults for the security context
 * @param sessionAuthenticationStrategy strategy invoked when a request has been authenticated
 * @return the configured filter
 */
@Bean
public SessionManagementFilter sessionManagementFilter(SecurityContextRepository securityContextRepository,
                                                       SessionAuthenticationStrategy sessionAuthenticationStrategy){
    final SessionManagementFilter filter =
            new SessionManagementFilter(securityContextRepository, sessionAuthenticationStrategy);
    return filter;
}
 
Example #5
Source File: SecurityManagedConfiguration.java    From hawkbit with Eclipse Public License 1.0 4 votes vote down vote up
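/**
 * Configures security for the management REST API and the system admin endpoints (every path
 * matched by the regular expression below).
 *
 * <p>The chain is stateless: CSRF protection and anonymous access are disabled, no HTTP session
 * is created, and every request must be authenticated either with an OIDC bearer token (when
 * {@code oidcBearerTokenAuthenticationFilter} is available) or with HTTP Basic / the user
 * authentication filter.
 *
 * <p>Authorization rules are matched in declaration order and the first match wins. The
 * admin-only rule is therefore declared <em>before</em> {@code anyRequest()}; declared after
 * it, the rule would never be consulted and the admin paths would only require an authenticated
 * user. Later Spring Security releases reject a matcher declared after {@code anyRequest()}
 * outright.
 *
 * @param http the security builder to configure
 * @throws Exception if any of the configurers fails
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {

    // CSRF protection is switched off for these paths; this relies on the API being called with
    // explicit credentials (bearer token / Basic header) and on the STATELESS policy set below.
    HttpSecurity httpSec = http.regexMatcher("\\/rest.*|\\/system/admin.*").csrf().disable();

    if (securityProperties.getCors().isEnabled()) {
        httpSec = httpSec.cors().and();
    }

    if (securityProperties.isRequireSsl()) {
        httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
    }

    // Most specific rule first: the admin mapping requires SYSTEM_ADMIN, everything else only
    // needs an authenticated caller.
    httpSec.authorizeRequests()
            .antMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**")
            .hasAnyAuthority(SpPermission.SYSTEM_ADMIN)
            .anyRequest().authenticated();

    if (oidcBearerTokenAuthenticationFilter != null) {

        // Deliberately use only the first client registration: validating tokens against every
        // registered client would widen the attack surface.
        ClientRegistration clientRegistration = null;
        for (final ClientRegistration cr : clientRegistrationRepository) {
            clientRegistration = cr;
            break;
        }

        // Fail at startup rather than run without a key source for token validation.
        Assert.notNull(clientRegistration, "There must be a valid client registration");
        httpSec.oauth2ResourceServer().jwt().jwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri());

        oidcBearerTokenAuthenticationFilter.setClientRegistration(clientRegistration);

        httpSec.addFilterAfter(oidcBearerTokenAuthenticationFilter, BearerTokenAuthenticationFilter.class);
    } else {
        final BasicAuthenticationEntryPoint basicAuthEntryPoint = new BasicAuthenticationEntryPoint();
        basicAuthEntryPoint.setRealmName(securityProperties.getBasicRealm());

        // Plain delegating wrapper around userAuthenticationFilter; all three lifecycle calls
        // are forwarded unchanged.
        httpSec.addFilterBefore(new Filter() {
            @Override
            public void init(final FilterConfig filterConfig) throws ServletException {
                userAuthenticationFilter.init(filterConfig);
            }

            @Override
            public void doFilter(final ServletRequest request, final ServletResponse response,
                    final FilterChain chain) throws IOException, ServletException {
                userAuthenticationFilter.doFilter(request, response, chain);
            }

            @Override
            public void destroy() {
                userAuthenticationFilter.destroy();
            }
        }, RequestHeaderAuthenticationFilter.class);
        // NOTE(review): HTTP Basic sends credentials with every request, and HTTPS is only
        // enforced above when isRequireSsl() is true.
        httpSec.httpBasic().and().exceptionHandling().authenticationEntryPoint(basicAuthEntryPoint);
    }

    httpSec.addFilterAfter(
            new AuthenticationSuccessTenantMetadataCreationFilter(systemManagement, systemSecurityContext),
            SessionManagementFilter.class);

    // No anonymous principal and no server-side session: each request has to authenticate itself.
    httpSec.anonymous().disable();
    httpSec.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}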