Studio Developer Manual / Version 2304
Table Of Contents
The concrete configuration of the SecurityFilterChain
will of course depend heavily on your
SSO provider, but there are also some mandatory and recommended Studio-specific settings.
The following example has been created for an OAuth2 provider, and we will go through it step-by-step.
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http,
SessionFixationProtectionStrategy sessionFixationProtectionStrategy,
SimpleLogoutAccessDeniedHandler accessDeniedHandler,
SimpleUrlLogoutSuccessHandler logoutSuccessHandler,
CapLogoutHandler capLogoutHandler,
RequestMatcher csrfRequestMatcher) throws Exception {
return http
.oauth2Login()
.and()
.authorizeHttpRequests()
.requestMatchers(
antMatcher("/api/connection"),
antMatcher("/api/loginService/**"),
antMatcher("/api/accept-language-header.js"),
antMatcher("/api/supported-locales.js"),
antMatcher("/api/themeImporter/**"),
antMatcher("/api/dynamicpackages/remote")).permitAll()
.requestMatchers(antMatcher("/api/**")).authenticated()
.and()
.sessionManagement()
.sessionAuthenticationStrategy(sessionFixationProtectionStrategy)
.and()
.csrf()
.requireCsrfProtectionMatcher(csrfRequestMatcher)
.and()
.exceptionHandling()
.accessDeniedHandler(accessDeniedHandler)
.and()
.logout()
.addLogoutHandler(capLogoutHandler)
.logoutSuccessHandler(logoutSuccessHandler)
.and()
.headers()
.and()
.build();
}
There are different styles of writing such a configuration. In this example we create several Configurers
on the HttpSecurity bean like e.g. logout()
, customize their behavior by calling methods on them and
then get back to the HttpSecurity bean with and()
to continue with the next Configurer
.
The first configurer oauth2Login()
adds support for authentication using OAuth2 and is just an example.
Your SSO provider might require different configuration.
authorizeHttpRequests()
and the following requestMatchers
configure which requests require
authentication in the first place. Generally only the requests to /api/**
are protected, but there
are also some paths below that need to be accessible without authentication.
sessionManagement()
and csrf()
are used to configure protection against session fixation
attacks and CSRF with predefined strategies for Studio.
exceptionHandling()
: The accessDeniedHandler
is configured to a predefined handler which
takes care of either redirecting or returning an error code on unauthenticated access depending on the request.
logout()
: The predefined capLogoutHandler
and logoutSuccessHandler
take care of
closing a user's CapSession
and correct redirection on logout.
headers()
adds some recommended security headers to the response.