SteelAlex/SecurityConfig.java

## SecurityConfig.java
@Slf4j
@Configuration
@EnableWebSecurity
@EnableJdbcHttpSession
@EnableGlobalMethodSecurity(prePostEnabled = true)
class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String SESSION_STORAGE_NAME = "X-COMPANY-NAME-TOKEN";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
            .and()
                .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false).and()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .and()
                .formLogin()
                    .loginPage("/")
                    .loginProcessingUrl("/auth")
                    .usernameParameter("login")
                    .passwordParameter("password")
                    .successHandler((request, response, authentication) -> {
                        //for MSIE 8 support
                        if (authentication.isAuthenticated()) {
                            log.info("Successful authentication");
                            response.setStatus(200);
                        } else {
                            response.setStatus(401);
                        }
                    })
                    .failureHandler((request, response, authentication) -> {
                        log.info("Failed authentication");
                        response.setStatus(401);
                    })
                .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/index.html")
                    .invalidateHttpSession(true)
                    .clearAuthentication(true)
            .and()
                .httpBasic()
            .and()
                .csrf().disable()
            .headers()
                .contentTypeOptions().disable()
                .xssProtection().disable()
                .cacheControl()
                .and().frameOptions().disable()
            .and()
                .cors()
                .configurationSource(corsConfigurationSource())
            .and()
                .requestCache()
        ;
    }

    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return new HeaderHttpSessionIdResolver(SESSION_STORAGE_NAME);
    }

    ...
}
	@Slf4j
	@Configuration
	@EnableWebSecurity
	@EnableJdbcHttpSession
	@EnableGlobalMethodSecurity(prePostEnabled = true)
	class SecurityConfig extends WebSecurityConfigurerAdapter {

	private static final String SESSION_STORAGE_NAME = "X-COMPANY-NAME-TOKEN";

	@Override
	protected void configure(HttpSecurity http) throws Exception {
	http
	.authorizeRequests()
	.antMatchers("/").permitAll()
	.and()
	.sessionManagement()
	.maximumSessions(1)
	.maxSessionsPreventsLogin(false).and()
	.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
	.and()
	.formLogin()
	.loginPage("/")
	.loginProcessingUrl("/auth")
	.usernameParameter("login")
	.passwordParameter("password")
	.successHandler((request, response, authentication) -> {
	//for MSIE 8 support
	if (authentication.isAuthenticated()) {
	log.info("Successful authentication");
	response.setStatus(200);
	} else {
	response.setStatus(401);
	}
	})
	.failureHandler((request, response, authentication) -> {
	log.info("Failed authentication");
	response.setStatus(401);
	})
	.and()
	.logout()
	.logoutUrl("/logout")
	.logoutSuccessUrl("/index.html")
	.invalidateHttpSession(true)
	.clearAuthentication(true)
	.and()
	.httpBasic()
	.and()
	.csrf().disable()
	.headers()
	.contentTypeOptions().disable()
	.xssProtection().disable()
	.cacheControl()
	.and().frameOptions().disable()
	.and()
	.cors()
	.configurationSource(corsConfigurationSource())
	.and()
	.requestCache()
	;
	}

	@Bean
	public HttpSessionIdResolver httpSessionIdResolver() {
	return new HeaderHttpSessionIdResolver(SESSION_STORAGE_NAME);
	}

	...
	}