Content Application Developer Manual / Version 2304
Table Of ContentsThe CAE security implementations are established using Spring Security.
The configuration classes for the CAE security are located in the package com.coremedia.cae.security. All beans for the CAE security are created by the com.coremedia.cae.security.CaeWebSecurityAutoConfiguration. For customizations, each of these beans can be replaced by an equally named bean in a custom configuration class.
In Spring Security,
the main bean to realize the HTTP web security is the
org.springframework.security.web.SecurityFilterChain.
When the application context is created, it is configured and build using the
org.springframework.security.config.annotation.web.builders.HttpSecurity
prototype bean. For the CAE, the default configuration is done in the
com.coremedia.cae.security.CaeWebSecurityAutoConfiguration.html#caeHttpSecurityConfigurer
bean, that is then be used to create the
com.coremedia.cae.security.CaeWebSecurityAutoConfiguration
bean. To customize the HTTP web security for the CAE, extend the
com.coremedia.cae.security.CaeHttpSecurityConfigurer,
override its configure
methods and provide it as a bean named
caeHttpSecurityConfigurer
in order to replace the CAE's default configuration bean.
With Spring-Security an HttpFirewall
is configured.
For CoreMedia CAE, the StrictHttpFirewall
is configured in
com.coremedia.cae.security.CaeWebSecurityAutoConfiguration.html#httpFirewall.
It uses the
com.coremedia.cae.security.CaeHttpFirewallConfigurationProperties
to enable selective removal of its default rejections. In the default CAE (without any
extensions), none of the default rejections are removed. If a rejection has to be
removed for an extension, the regarding cae.http-firewall.allow-*
property has to be set to true
in the extensions component properties file.