
In Blueriq, the HTTP security configuration is implemented in Java as a configurer bean, as shown below.

Code block: HTTP security configuration
package com.aquima.web.boot;

import com.aquima.interactions.project.impl.XssSafeValueFormatter;
import com.aquima.interactions.project.impl.xss.IXssBlacklist;
import com.aquima.interactions.project.impl.xss.IXssWhitelist;
import com.aquima.web.config.properties.SecurityConfigProperties;
import com.aquima.web.security.headers.ClickJackingProtectionHeaderWriter;
import com.aquima.web.security.headers.ContentTypeOptionsHeaderWriter;
import com.aquima.web.security.headers.StrictTransportProtectionHeaderWriter;
import com.aquima.web.security.headers.XssProtectionHeaderWriter;
import com.aquima.web.util.MvcRedirectHelper;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

@Configuration
@Order(50)
@ConditionalOnProperty(name = "blueriq.security.http.interactions.enabled", havingValue = "true", matchIfMissing = true) // 1
public class RuntimeWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
	
	public  private static final Logger LOG = LoggerFactory.getLogger(RuntimeWebSecurityConfigurer.class Mappings {
    );

  @Autowired
  @Qualifier("blueriqAuthenticationManager")
  private AuthenticationManager authManager;

  @Autowired
  private SecurityConfigProperties securityProperties;

  @Autowired
  private MvcRedirectHelper redirectHelper;

  @Autowired
  private SecurityContextRepository securityContextRepository;

  public static class Mappings {
    public static final String TRIGGER_SECURITY_CHECK = "/server/noaccess.html";
        public static final String PERFORM_SECURITY_CHECK = "/server/securityCheck";
        public static final String LOGIN_PAGE = "/server/session/login.html";
        public static final String LOGOUT_PAGE = "/server/session/logout.html";
        public static final String LOGIN_SUCCESS_URL = "/server/start?loginSuccess=true";
    }

	@Autowired // 2
	@Qualifier("blueriqAuthenticationManager")
	private AuthenticationManager authenticationManager;
	
	@Autowired // 3
	private IConfiguration configuration;
	
	@Autowired
	private MvcRedirectHelper redirectHelper; // 4

	@Override 
	 public static final String LOGIN_PAGE_ERROR = "/server/session/login.html?loginError=true";
  }

  @Override
  protected AuthenticationManager authenticationManager() throws Exception {
		    return authenticationManagerthis.authManager;
 // 2
	}	
	
	  @Override
	  protected void configure(HttpSecurity http) throws Exception {
		
		http
		    http //
        .csrf().disable()
		 //
        .headers() //
		        .defaultsDisabled() //
        .addHeaderWriter(new ClickJackingProtectionHeaderWriter(this.securityProperties)) //
        .addHeaderWriter(new StrictTransportProtectionHeaderWriter(this.securityProperties)) //
        .addHeaderWriter(new ContentTypeOptionsHeaderWriter(this.securityProperties)) // 3
		
        .addHeaderWriter(new XssProtectionHeaderWriter(this.securityProperties)) //
        .and()
		 //
        .sessionManagement() //
		        .sessionFixation() //
        .none() //
		        .and()
		 //
        .authorizeRequests() // 4
		
        	.antMatchers(this.redirectHelper.getNoAccessPath()) //
        .authenticated()
				.antMatchers("/h2-console/**").permitAll()
				 //
        .and()
			 //
        .formLogin()
				 //
        .defaultSuccessUrl(Mappings.LOGIN_SUCCESS_URL, true)
				 //
        .loginPage(Mappings.LOGIN_PAGE)
				 //
        .loginProcessingUrl(Mappings.PERFORM_SECURITY_CHECK) //
        .permitAll()
				 //
        .failureUrl(Mappings.LOGIN_PAGE_ERROR)
				 //
        .and()
			 //
        .anonymous()
			 //
        .key("doesNotMatter");
			 
		if (configuration.isClickJackingProtectionEnabled()) { // 3
			http.headers()
				.frameOptions().sameOrigin()
				.addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy","frame-ancestors 'self'"));
		}
		
		if (configuration.isStrictTransportProtectionEnabled()) { // 3
			http.headers()
				.httpStrictTransportSecurity()
					.includeSubDomains(true)
					.maxAgeInSeconds(31536000);
		}
		
		if (configuration.isXContentTypeProtectionEnabled()) { // 3
			http.headers().contentTypeOptions();
		} else {
			http.headers().contentTypeOptions().disable();
		}
	}
}.and() //
        .securityContext() //
        .securityContextRepository(securityContextRepository);
  }

  @Bean
  @ConditionalOnMissingBean(SecurityContextRepository.class)
  public SecurityContextRepository defaultSecurityContextRepository() {
    if (LOG.isInfoEnabled()) {
      LOG.info("Using default security context repository");
    }

    HttpSessionSecurityContextRepository repository = new HttpSessionSecurityContextRepository();
    repository.setDisableUrlRewriting(true);

    return repository;
  }

  @Autowired(required = false)
  public void registerXssWhitelist(IXssWhitelist whitelist) {
    XssSafeValueFormatter.register(whitelist);
  }

  @Autowired(required = false)
  public void registerXssBlacklist(IXssBlacklist blacklist) {
    XssSafeValueFormatter.register(blacklist);
  }

}
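Review bot: `.csrf().disable()` at the start of the chain in configure() turns CSRF protection off for every endpoint this configurer covers, while the same chain later opens `/h2-console/**` with `.permitAll()` and sets `.sessionFixation().none()`, and nothing in the block records why these three protections are relaxed. Which version (old or new) each of these lines belongs to cannot be recovered from this rendering, so the point applies to whichever version keeps them. The CSRF line deserves a comment naming the compensating control, e.g. `.csrf().disable() // CSRF disabled: <name the compensating control here — TODO document>`, session fixation should use `.sessionFixation().migrateSession()` (or `.changeSessionId()`) unless `none()` is a deliberate, documented choice, and the `/h2-console/**` rule looks like a development-only setting that should be gated on a property or profile rather than shipped unconditionally.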

 

 

Note

Before Blueriq 10, the HTTP security configuration was defined in XML, in the file security-config.xml.
