Studio Developer Manual / Version 2301
The concrete configuration of the SecurityFilterChain will of course depend heavily on your SSO provider, but there are also some mandatory and recommended Studio-specific settings. The following example has been created for an OAuth2 provider, and we will go through it step by step.
```java
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.util.matcher.RequestMatcher;
// SimpleLogoutAccessDeniedHandler and CapLogoutHandler are the predefined Studio beans
// used below; import them from their Studio packages.

// Bean method inside your @Configuration class.
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http,
    SessionFixationProtectionStrategy sessionFixationProtectionStrategy,
    SimpleLogoutAccessDeniedHandler accessDeniedHandler,
    SimpleUrlLogoutSuccessHandler logoutSuccessHandler,
    CapLogoutHandler capLogoutHandler,
    RequestMatcher csrfRequestMatcher) throws Exception {
  return http
      // Authentication via an OAuth2 provider; this part depends on your SSO provider.
      .oauth2Login()
      .and()
      // Which requests need authentication: a few Studio endpoints must stay public,
      // everything else below /api/** requires an authenticated user.
      .authorizeHttpRequests()
      .requestMatchers(
          antMatcher("/api/connection"),
          antMatcher("/api/loginService/**"),
          antMatcher("/api/accept-language-header.js"),
          antMatcher("/api/supported-locales.js"),
          antMatcher("/api/themeImporter/**"),
          antMatcher("/api/dynamicpackages/remote")).permitAll()
      .requestMatchers(antMatcher("/api/**")).authenticated()
      .and()
      // Session fixation protection with the predefined Studio strategy.
      .sessionManagement()
      .sessionAuthenticationStrategy(sessionFixationProtectionStrategy)
      .and()
      // CSRF protection for the requests selected by the predefined Studio matcher.
      .csrf()
      .requireCsrfProtectionMatcher(csrfRequestMatcher)
      .and()
      // Predefined handler: redirect or error code on unauthenticated access, depending on the request.
      .exceptionHandling()
      .accessDeniedHandler(accessDeniedHandler)
      .and()
      // Logout closes the user's CapSession and redirects correctly.
      .logout()
      .addLogoutHandler(capLogoutHandler)
      .logoutSuccessHandler(logoutSuccessHandler)
      .and()
      // Recommended security headers on every response.
      .headers()
      .and()
      .build();
}
```
There are different styles of writing such a configuration. In this example we create several Configurers on the HttpSecurity bean, e.g. logout(), customize their behavior by calling methods on them and then get back to the HttpSecurity bean with and() to continue with the next Configurer.

The first configurer, oauth2Login(), adds support for authentication using OAuth2 and is just an example. Your SSO provider might require a different configuration.

authorizeHttpRequests() and the following requestMatchers configure which requests require authentication in the first place. Generally only the requests to /api/** are protected, but there are also some paths below it that need to be accessible without authentication. Spring Security evaluates these rules in the order they are declared and uses the first match, so the permitAll() matchers must be listed before the /api/** rule.

sessionManagement() and csrf() are used to configure protection against session fixation attacks and CSRF with predefined strategies for Studio.

exceptionHandling(): the accessDeniedHandler is configured to a predefined handler which takes care of either redirecting or returning an error code on unauthenticated access, depending on the request.

logout(): the predefined capLogoutHandler and logoutSuccessHandler take care of closing the user's CapSession and of the correct redirection on logout.

headers() adds some recommended security headers to the response.
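To verify that the chain above enforces the rules just described, here is an added MockMvc test (example code, not part of the Studio manual or the Studio code base). It assumes a Spring Boot test context with spring-security-test on the classpath and an OAuth2 client registration available to the test profile; the path /api/example-protected, the principal name "editor" and the assumption that the predefined csrfRequestMatcher selects POST requests below /api/** are placeholders to adjust.

```java
import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.not;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.hamcrest.Matcher;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class StudioSecurityFilterChainTest {
  // Assumed protected path: any path below /api/ that is not in the permitAll() list behaves the same.
  private static final String PROTECTED_PATH = "/api/example-protected";
  // The chain stopped a request if it was redirected to login or answered with 401/403.
  private static final Matcher<Integer> STOPPED_BY_CHAIN = anyOf(is(302), is(401), is(403));

  @Autowired
  private MockMvc mvc;

  @Test
  void connectionEndpointIsReachableWithoutLogin() throws Exception {
    // /api/connection is in the permitAll() list, so an anonymous request passes the chain.
    mvc.perform(get("/api/connection")).andExpect(status().is(not(STOPPED_BY_CHAIN)));
  }

  @Test
  void otherApiPathsRequireAuthentication() throws Exception {
    // authenticated() covers the rest of /api/**: anonymous requests are stopped, a request
    // carrying a principal (spring-security-test's user()) passes the chain; the endpoint
    // itself may still answer 404 in a test context, which is not a chain rejection.
    mvc.perform(get(PROTECTED_PATH)).andExpect(status().is(STOPPED_BY_CHAIN));
    mvc.perform(get(PROTECTED_PATH).with(user("editor"))).andExpect(status().is(not(STOPPED_BY_CHAIN)));
  }

  @Test
  void stateChangingRequestsNeedCsrfToken() throws Exception {
    // Assumption: the predefined csrfRequestMatcher selects POST requests below /api/**.
    // Without a token the CsrfFilter rejects the request; csrf() adds a valid one.
    mvc.perform(post(PROTECTED_PATH).with(user("editor"))).andExpect(status().isForbidden());
    mvc.perform(post(PROTECTED_PATH).with(user("editor")).with(csrf())).andExpect(status().is(not(is(403))));
  }
}
```

If your csrfRequestMatcher uses a different selection rule (for example a header-based one), adapt the last test to the requests it actually covers rather than dropping it.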