← Каталог
Spring Boot — безопасность в продакшене — Пример — фрагмент prod-конфигурации
Фрагмент из «Spring Boot — безопасность в продакшене»: Пример — фрагмент prod-конфигурации.
@Configuration
@EnableWebSecurity
@Profile("prod")
public class ProductionSecurityConfig {
@Bean
SecurityFilterChain prodChain(HttpSecurity http) throws Exception {
http
.requiresChannel(ch -> ch.anyRequest().requiresSecure())
.csrf(csrf -> csrf
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
.headers(h -> h.contentSecurityPolicy(csp -> csp.policyDirectives(
"default-src 'self'; script-src 'self'; frame-ancestors 'none'")))
.authorizeHttpRequests(auth -> auth
.requestMatchers("/actuator/health", "/actuator/info").permitAll()
.requestMatchers("/actuator/**").hasRole("ADMIN")
.anyRequest().authenticated())
.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
return http.build();
}
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}@Configuration
@EnableWebSecurity
@Profile("prod")
public class ProductionSecurityConfig {
@Bean
SecurityFilterChain prodChain(HttpSecurity http) throws Exception {
http
.requiresChannel(ch -> ch.anyRequest().requiresSecure())
.csrf(csrf -> csrf
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
.headers(h -> h.contentSecurityPolicy(csp -> csp.policyDirectives(
"default-src 'self'; script-src 'self'; frame-ancestors 'none'")))
.authorizeHttpRequests(auth -> auth
.requestMatchers("/actuator/health", "/actuator/info").permitAll()
.requestMatchers("/actuator/**").hasRole("ADMIN")
.anyRequest().authenticated())
.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
return http.build();
}
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}