@Override
@SuppressWarnings("PMD.SignatureDeclareThrowsException")
protected void configure(HttpSecurity http) throws Exception {
    // Stateless API: no HTTP session is created, so every request has to carry its own credentials.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Header-based authentication runs first; the anonymous filter then supplies a principal for
    // requests that carried no credentials, so the role checks below always have something to evaluate.
    http.addFilter(requestHeaderAuthenticationFilter());
    http.addFilter(new AnonymousAuthenticationFilter("anonymous"));

    // Public endpoints are listed explicitly, the rest of /api/v1 needs the AUTHENTICATED role.
    // Everything outside /api/v1/** is left open by the final anyRequest().permitAll().
    http.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS).permitAll()
        .antMatchers("/api/v1/swagger.*").permitAll()
        .antMatchers("/api/v1/index.html").permitAll()
        .antMatchers("/api/v1/version").permitAll()
        .antMatchers(HttpMethod.GET, "/api/v1/credentials/callback").permitAll()
        .antMatchers("/api/v1/**").hasRole("AUTHENTICATED")
        .anyRequest().permitAll();

    // No CSRF tokens: the configuration relies on the stateless, header-based authentication above instead.
    http.csrf().disable();
}
@Test
public void testLoggingAnonymousUser() throws Exception {
    invalidateApplicationUser(null);

    // Run Spring's anonymous filter first so that the security context holds an anonymous principal
    // by the time the filter under test looks at it.
    new AnonymousAuthenticationFilter("AnonymousFilterKey")
        .doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());

    // Drive the MDC logging filter through its full lifecycle (init -> doFilter -> destroy) against that context.
    Log4jMdcLoggingFilter mdcFilter = new Log4jMdcLoggingFilter();
    mdcFilter.init(new MockFilterConfig());
    mdcFilter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());
    mdcFilter.destroy();
}
/**
 * Anonymous-authentication filter bean: requests without an identity are represented by
 * principal {@code "guest"} holding {@code ROLE_ANONYMOUS}.
 *
 * <p>The key {@code "ANONYMOUS"} is what an {@code AnonymousAuthenticationProvider} checks the
 * resulting token against, so the provider must be built with the same value.
 *
 * @return the configured {@link AppAnonAuthFilter}
 */
@Bean
public AnonymousAuthenticationFilter appAnonAuthFilter() {
    List<GrantedAuthority> grantedToGuest = new ArrayList<>();
    grantedToGuest.add(new SimpleGrantedAuthority("ROLE_ANONYMOUS"));
    return new AppAnonAuthFilter("ANONYMOUS", "guest", grantedToGuest);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // This chain only applies to the URL patterns the subclass/owner reports.
    http.requestMatchers().antMatchers(urlPatterns());

    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.exceptionHandling();

    // Cache-control headers stay on; the frame-options (anti-framing) header is switched off.
    // NOTE(review): confirm the responses on these patterns are meant to be embeddable in frames.
    http.headers().cacheControl();
    http.headers().frameOptions().disable();

    // Authorisation is not enforced here; the filters below decide what a request may do.
    http.authorizeRequests().anyRequest().permitAll();

    // Primary-scheme filters, then JWT, then (optionally) BPM, all ahead of the anonymous filter so
    // that a genuine identity is established before an anonymous one would be assigned.
    for (Filter schemeFilter : primarySchemeFilters()) {
        http.addFilterBefore(schemeFilter, AnonymousAuthenticationFilter.class);
    }
    http.addFilterBefore(new JwtFilter(), AnonymousAuthenticationFilter.class);
    if (bpmEnabled) {
        http.addFilterBefore(bpmAuthenticationFilter(), AnonymousAuthenticationFilter.class);
    }

    // Post-processing of the token happens after the authorisation interceptor has run.
    http.addFilterAfter(new JwtPostFilter(tokenProvider), FilterSecurityInterceptor.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.rememberMe().disable();
    // Every request must be fully authenticated (neither anonymous nor remember-me).
    http.authorizeRequests().anyRequest().fullyAuthenticated();
    http.exceptionHandling().authenticationEntryPoint(http401AuthenticationEntryPoint());
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Credential filters, both placed ahead of the anonymous filter so a real identity wins.
    http.addFilterBefore(x509AuthenticationFilter(), AnonymousAuthenticationFilter.class); // client certificate
    http.addFilterBefore(jwtAuthenticationFilter(), AnonymousAuthenticationFilter.class);  // bearer token
    // A one-time-password filter would be registered here if it is ever needed.

    if (properties.getSslPort() == null) {
        // No TLS port configured, i.e. an unsecured server: fall back to the anonymous filter so
        // requests without any earlier identity still get an authenticated anonymous user.
        // NOTE(review): fullyAuthenticated() above rejects Spring's own anonymous token, so this
        // filter presumably issues a different authentication type — confirm.
        http.anonymous().authenticationFilter(anonymousAuthenticationFilter);
    }
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.rememberMe().disable();
    http.authorizeRequests().anyRequest().fullyAuthenticated();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Client-certificate authentication is attempted before any anonymous identity is assigned.
    http.addFilterBefore(x509AuthenticationFilter, AnonymousAuthenticationFilter.class);

    // Custom anonymous handling is always installed (no TLS-port condition here).
    // NOTE(review): fullyAuthenticated() rejects Spring's standard anonymous token, so this filter
    // presumably produces a different authentication type — confirm.
    http.anonymous().authenticationFilter(c2AnonymousAuthenticationFilter);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Social-login callback filter, bound to /ulogin and wired to the shared authentication manager.
    UloginAuthenticationFilter socialLoginFilter = new UloginAuthenticationFilter("/ulogin");
    socialLoginFilter.setAuthenticationManager(authenticationManager());
    http.addFilterBefore(socialLoginFilter, AnonymousAuthenticationFilter.class);

    // Only the login page itself is public; everything else requires an authenticated user.
    http.authorizeRequests()
        .antMatchers("/login.html").permitAll()
        .anyRequest().authenticated();
    http.formLogin().loginPage("/login.html");
}
/**
 * Anonymous-authentication filter bean: principal {@code "anonymousUser"} with {@code ROLE_ANONYMOUS}.
 *
 * <p>NOTE(review): the key {@code "changeThis"} reads like an unreplaced placeholder. The
 * {@code AnonymousAuthenticationProvider} has to be created with exactly the same key, so any
 * change here must be mirrored there — confirm where that provider is configured.
 *
 * @return the anonymous filter
 */
@Bean
public AnonymousAuthenticationFilter anonymousAuthenticationFilter() {
    List<GrantedAuthority> anonymousAuthorities = new ArrayList<GrantedAuthority>();
    anonymousAuthorities.add(new SimpleGrantedAuthority("ROLE_ANONYMOUS"));
    return new AnonymousAuthenticationFilter("changeThis", "anonymousUser", anonymousAuthorities);
}
/**
 * Builds the single security filter chain that every request passes through.
 *
 * <p>Order matters: the context-persistence filter comes first, then the trusted-user bypass,
 * then (only when enabled by configuration) header-based authentication, and finally the
 * anonymous filter for requests that still carry no identity.
 *
 * @param trustedUserAuthenticationFilter the trusted user authentication filter.
 * @param httpHeaderAuthenticationFilter the HTTP header authentication filter.
 *
 * @return the filter chain proxy.
 */
@Bean
public FilterChainProxy filterChainProxy(final TrustedUserAuthenticationFilter trustedUserAuthenticationFilter,
    final HttpHeaderAuthenticationFilter httpHeaderAuthenticationFilter)
{
    SecurityFilterChain catchAllChain = new SecurityFilterChain()
    {
        @Override
        public boolean matches(HttpServletRequest request)
        {
            // Every URL is handled by this chain.
            return true;
        }

        @Override
        public List<Filter> getFilters()
        {
            // Header authentication is opt-in via configuration; off unless the property parses as "true".
            boolean headerAuthEnabled =
                Boolean.valueOf(configurationHelper.getProperty(ConfigurationValue.SECURITY_HTTP_HEADER_ENABLED));

            List<Filter> chain = new ArrayList<>();
            // Keeps the security context available across requests.
            chain.add(new SecurityContextPersistenceFilter());
            // May short-circuit security based on a SpEL expression from the environment.
            chain.add(trustedUserAuthenticationFilter);
            if (headerAuthEnabled)
            {
                chain.add(httpHeaderAuthenticationFilter);
            }
            // Fixed anonymous key; the matching provider must use the same literal.
            chain.add(new AnonymousAuthenticationFilter("AnonymousFilterKey"));
            return chain;
        }
    };
    return new FilterChainProxy(catchAllChain);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    configureHeaders(http.headers());
    // Only the sign-in and blog paths are served by this chain.
    http.requestMatchers().antMatchers("/signin/**", "/blog/**");
    http.addFilterBefore(authenticationFilter(), AnonymousAuthenticationFilter.class);
    http.anonymous();
    // CSRF checks are off for these paths.
    // NOTE(review): /signin/** is where credentials are posted; confirm that disabling CSRF here is intended.
    http.csrf().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Common settings first, then the REST token filter ahead of the anonymous filter so that a
    // valid token yields a real principal before an anonymous one would be assigned.
    configureShared(http);
    http.addFilterBefore(restTokenFilter(), AnonymousAuthenticationFilter.class);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    // The custom filter runs before the anonymous filter; CSRF tokens are not used by this chain.
    http.addFilterBefore(createCustomFilter(), AnonymousAuthenticationFilter.class);
    http.csrf().disable();
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // One details source shared by every controller authentication scheme (tenant resolution).
    final ControllerTenantAwareAuthenticationDetailsSource tenantDetailsSource =
            new ControllerTenantAwareAuthenticationDetailsSource();

    // Three pre-authentication schemes, all wired the same way: reverse-proxy headers
    // (client-cert CN / issuer hash), per-target security token, and gateway token.
    final HttpControllerPreAuthenticatedSecurityHeaderFilter headerFilter =
            new HttpControllerPreAuthenticatedSecurityHeaderFilter(
                    ddiSecurityConfiguration.getRp().getCnHeader(),
                    ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(),
                    tenantConfigurationManagement, tenantAware, systemSecurityContext);
    headerFilter.setAuthenticationManager(authenticationManager());
    headerFilter.setCheckForPrincipalChanges(true);
    headerFilter.setAuthenticationDetailsSource(tenantDetailsSource);

    final HttpControllerPreAuthenticateSecurityTokenFilter tokenFilter =
            new HttpControllerPreAuthenticateSecurityTokenFilter(
                    tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
    tokenFilter.setAuthenticationManager(authenticationManager());
    tokenFilter.setCheckForPrincipalChanges(true);
    tokenFilter.setAuthenticationDetailsSource(tenantDetailsSource);

    final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewayTokenFilter =
            new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
                    tenantConfigurationManagement, tenantAware, systemSecurityContext);
    gatewayTokenFilter.setAuthenticationManager(authenticationManager());
    gatewayTokenFilter.setCheckForPrincipalChanges(true);
    gatewayTokenFilter.setAuthenticationDetailsSource(tenantDetailsSource);

    HttpSecurity httpSec = http.csrf().disable();
    if (springSecurityProperties.isRequireSsl()) {
        httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
    }

    final boolean anonymousControllers =
            ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled();
    if (anonymousControllers) {
        // Development mode: every DDI request is treated as the anonymous controller principal and
        // the security-context filter is switched off. The log banner flags this as dev-only.
        LOG.info(
                "******************\n** Anonymous controller security enabled, should only be used for developing purposes **\n******************");
        final AnonymousAuthenticationFilter devAnonymousFilter = new AnonymousAuthenticationFilter(
                "controllerAnonymousFilter", "anonymous",
                Arrays.asList(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS)));
        devAnonymousFilter.setAuthenticationDetailsSource(tenantDetailsSource);
        httpSec.requestMatchers().antMatchers(DDI_ANT_MATCHERS);
        httpSec.securityContext().disable();
        httpSec.anonymous().authenticationFilter(devAnonymousFilter);
    } else {
        // Production mode: no anonymous access, every DDI request must authenticate through one of
        // the three filters; failures answer 401 without a body, and no session is ever created.
        httpSec.addFilter(headerFilter);
        httpSec.addFilter(tokenFilter);
        httpSec.addFilter(gatewayTokenFilter);
        httpSec.requestMatchers().antMatchers(DDI_ANT_MATCHERS);
        httpSec.anonymous().disable();
        httpSec.authorizeRequests().anyRequest().authenticated();
        httpSec.exceptionHandling().authenticationEntryPoint(
                (request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value()));
        httpSec.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // One details source shared by every controller authentication scheme (tenant resolution).
    final ControllerTenantAwareAuthenticationDetailsSource tenantDetailsSource =
            new ControllerTenantAwareAuthenticationDetailsSource();

    // Four pre-authentication schemes for the download endpoint, all wired the same way:
    // reverse-proxy headers, per-target security token, gateway token, and anonymous download.
    final HttpControllerPreAuthenticatedSecurityHeaderFilter headerFilter =
            new HttpControllerPreAuthenticatedSecurityHeaderFilter(
                    ddiSecurityConfiguration.getRp().getCnHeader(),
                    ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(),
                    tenantConfigurationManagement, tenantAware, systemSecurityContext);
    headerFilter.setAuthenticationManager(authenticationManager());
    headerFilter.setCheckForPrincipalChanges(true);
    headerFilter.setAuthenticationDetailsSource(tenantDetailsSource);

    final HttpControllerPreAuthenticateSecurityTokenFilter tokenFilter =
            new HttpControllerPreAuthenticateSecurityTokenFilter(
                    tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
    tokenFilter.setAuthenticationManager(authenticationManager());
    tokenFilter.setCheckForPrincipalChanges(true);
    tokenFilter.setAuthenticationDetailsSource(tenantDetailsSource);

    final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewayTokenFilter =
            new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
                    tenantConfigurationManagement, tenantAware, systemSecurityContext);
    gatewayTokenFilter.setAuthenticationManager(authenticationManager());
    gatewayTokenFilter.setCheckForPrincipalChanges(true);
    gatewayTokenFilter.setAuthenticationDetailsSource(tenantDetailsSource);

    // Lets a download proceed without controller credentials when the tenant allows it
    // (the decision itself lives inside this filter, not here).
    final HttpControllerPreAuthenticateAnonymousDownloadFilter anonymousDownloadFilter =
            new HttpControllerPreAuthenticateAnonymousDownloadFilter(
                    tenantConfigurationManagement, tenantAware, systemSecurityContext);
    anonymousDownloadFilter.setAuthenticationManager(authenticationManager());
    anonymousDownloadFilter.setCheckForPrincipalChanges(true);
    anonymousDownloadFilter.setAuthenticationDetailsSource(tenantDetailsSource);

    HttpSecurity httpSec = http.csrf().disable();
    if (springSecurityProperties.isRequireSsl()) {
        httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
    }

    final boolean anonymousControllers =
            ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled();
    if (anonymousControllers) {
        // Development mode: every download request is treated as the anonymous controller principal
        // and the security-context filter is switched off. The log banner flags this as dev-only.
        LOG.info(
                "******************\n** Anonymous controller security enabled, should only be used for developing purposes **\n******************");
        final AnonymousAuthenticationFilter devAnonymousFilter = new AnonymousAuthenticationFilter(
                "controllerAnonymousFilter", "anonymous",
                Arrays.asList(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS)));
        devAnonymousFilter.setAuthenticationDetailsSource(tenantDetailsSource);
        httpSec.requestMatchers().antMatchers(DDI_DL_ANT_MATCHER);
        httpSec.securityContext().disable();
        httpSec.anonymous().authenticationFilter(devAnonymousFilter);
    } else {
        // Production mode: Spring's generic anonymous access is off; a request must be accepted by
        // one of the four filters, failures answer 401 without a body, and no session is created.
        httpSec.addFilter(headerFilter);
        httpSec.addFilter(tokenFilter);
        httpSec.addFilter(gatewayTokenFilter);
        httpSec.addFilter(anonymousDownloadFilter);
        httpSec.requestMatchers().antMatchers(DDI_DL_ANT_MATCHER);
        httpSec.anonymous().disable();
        httpSec.authorizeRequests().anyRequest().authenticated();
        httpSec.exceptionHandling().authenticationEntryPoint(
                (request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value()));
        httpSec.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
/**
 * Appends an anonymous-authentication filter to {@code filters}.
 *
 * <p>The filter key is drawn from a CSPRNG at startup rather than hard-coded, so it cannot be
 * predicted. An {@code AnonymousAuthenticationProvider} must be created with the very same key
 * for the resulting tokens to be accepted — presumably handled by the caller; verify.
 *
 * @param filters the filter list to extend (mutated in place)
 */
private void addAnonymousAuthenticationFilter(List<Filter> filters) {
    String anonymousKey = String.valueOf(new SecureRandom().nextLong());
    filters.add(new AnonymousAuthenticationFilter(anonymousKey));
}