Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
K
K
Kirill Batalin2017-08-11 13:12:31
Java
Kirill Batalin, 2017-08-11 13:12:31

Spring Security: How to allow access to unauthorized clients?

On REST, only a few methods require the user to be authorized. The remaining methods should be available to everyone .
For authorization, I wrote a custom filter inherited from AbstractAuthenticationProcessingFilter. The filter processes all requests coming to REST. If there is no token in the request, then attemptAuthenticationreturns

SecurityContextHolder.getContext().getAuthentication();

To be precise, AnonymousAuthenticationToken
how should HttpSecurity be configured so that all users have access to all REST methods? Other than methods marked with @Secured
The implementation of attemptAuthentication in my filter is:
@Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String token = request.getHeader(HEADER_TOKEN);
        if (token == null) {
            return SecurityContextHolder.getContext().getAuthentication();
        }

        TokenAuthentication authentication = new TokenAuthentication(token);
        return getAuthenticationManager().authenticate(authentication);
    }

Current setup that doesn't work:
@Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                    .anyRequest()
                    .permitAll()
            .and()
                .httpBasic()
                .authenticationEntryPoint(entryPoint);
    }

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
K
Kirill Batalin, 2017-08-11
@kir55rus

I solved the problem by setting the filter flag continueChainBeforeSuccessfulAuthentication = true

Report
V
Vladimir Rozhkov, 2017-08-11
@r0zh0k

Write a matcher for everything and allow it to everyone. Close the necessary endpoints, for example:

@Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .csrf().disable()
            .exceptionHandling().and()
            .anonymous().and()
            .servletApi().and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/api/**").permitAll()
            .antMatchers(HttpMethod.POST, "/api/**").permitAll()
            .anyRequest().authenticated().and()
            .addFilterBefore(
                    new AuthFilter(),
                    UsernamePasswordAuthenticationFilter.class
            );
    }

Similar questions
T
Tange2015-07-25 16:47:09
How to find out the user's mail through the VK API? 1Reply
L
lookingfor22020-04-07 13:04:29
It is necessary that only the fields of the first tab would be checked in the form? 2Reply
A
Andrey2015-06-18 18:36:47
Convert datetime given TimeZone from string? 1Reply
M
me762017-05-31 08:45:16
What open source projects would you recommend to gain experience in C#, Java, AngularJS or Android? 2Reply
S
StrangeAttractor2015-06-19 00:48:25
How to make a desktop application from a JVM servlet? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question