The CAE security implementations are established using Spring Security.

The configuration classes for the CAE security are located in the package com.coremedia.cae.security. For customizations replace the CaeWebSecurityConfigurerAdapter by adding your own WebSecurityConfigurerAdapter implementation. Preferably extend your implementation from the CaeWebSecurityConfigurerAdapter and override its configure methods. For more detailed information see API documentation for com.coremedia.cae.security.CaeWebSecurityConfigurerAdapter.

With Spring-Security an HttpFirewall is configured.

For CoreMedia CAE, the StrictHttpFirewall is configured in com.coremedia.cae.security.CaeWebSecurityBeansAutoConfiguration.html#httpFirewall. It uses the com.coremedia.cae.security.CaeHttpFirewallConfigurationProperties to enable selective removal of its default rejections. In the default CAE (without any extensions), none of the default rejections are removed. If a rejection has to be removed for an extension, the regarding cae.http-firewall.allow-* property has to be set to true in the extensions component properties file.