org.springframework.security.web.authentication.AnonymousAuthenticationFilter Java Examples

The following examples show how to use org.springframework.security.web.authentication.AnonymousAuthenticationFilter.
Example #1
Source File: NiFiWebApiSecurityConfiguration.java    From localization_nifi with Apache License 2.0 7 votes vote down vote up
/**
 * Configures a stateless filter chain in which every request must be fully authenticated.
 *
 * <p>The x509, JWT and OTP filters are all registered ahead of the
 * {@link AnonymousAuthenticationFilter} position, so a real identity is looked for before the
 * custom anonymous filter is consulted.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects any of the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Remember-me is switched off for this chain.
    http.rememberMe().disable();

    // fullyAuthenticated() refuses anonymous and remember-me tokens, so whatever the custom
    // anonymous filter produces has to count as a real authentication to get past this rule.
    http.authorizeRequests().anyRequest().fullyAuthenticated();

    // No HTTP session is created or consulted; each request has to authenticate itself.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Credential-bearing filters, each placed before the anonymous filter position:
    // client certificate (x509), then JWT, then one-time password (otp).
    http.addFilterBefore(x509FilterBean(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(jwtFilterBean(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(otpFilterBean(), AnonymousAuthenticationFilter.class);

    // Swap the stock anonymous filter for the application's own implementation.
    // NOTE(review): confirm that filter only grants access where anonymous use is intended.
    http.anonymous().authenticationFilter(anonymousFilterBean());
}
 
Example #2
Source File: SecurityConfig.java    From securing-rest-api-spring-security with Apache License 2.0 6 votes vote down vote up
/**
 * Configures a stateless, token-style chain for a REST API.
 *
 * <p>Only requests matching {@code PROTECTED_URLS} are required to be authenticated here; this
 * method adds no rule for any other path.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects any of the settings
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
  // Never create or use an HTTP session.
  http.sessionManagement().sessionCreationPolicy(STATELESS);

  // Entry point used when a protected URL is requested without prior authentication.
  http.exceptionHandling().defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS);

  http.authenticationProvider(provider);

  // The REST filter sits before the anonymous filter position, so it gets the first chance
  // to establish an identity.
  http.addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class);

  // NOTE(review): URLs outside PROTECTED_URLS get no authorization rule from this method;
  // check that nothing sensitive is served from them.
  http.authorizeRequests().requestMatchers(PROTECTED_URLS).authenticated();

  // CSRF protection is off. That is only safe if the credential is not attached by the
  // browser automatically (for example a cookie) - presumably a header token here; confirm.
  http.csrf().disable();

  // Browser-oriented login mechanisms and logout handling are disabled as well.
  http.formLogin().disable();
  http.httpBasic().disable();
  http.logout().disable();
}
 
Example #3
Source File: SecurityConfiguration.java    From syndesis with Apache License 2.0 6 votes vote down vote up
/**
 * Configures a stateless chain that authenticates from a request header and falls back to an
 * anonymous identity, then applies path-based authorization and CSRF rules.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects any of the settings
 */
@Override
@SuppressWarnings("PMD.SignatureDeclareThrowsException")
protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // NOTE(review): request-header authentication trusts a header value; presumably a fronting
    // proxy sets it and strips any copy sent by the client - confirm for the deployment.
    http.addFilter(requestHeaderAuthenticationFilter());
    http.addFilter(new AnonymousAuthenticationFilter("anonymous"));

    // Rules are evaluated in the order written and the first match decides, so the order below
    // must not change. Anything that is not under /api/v1/** ends at the final permitAll().
    http.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS).permitAll()
        .antMatchers(COMMON_NON_SECURED_PATHS).permitAll()
        .antMatchers(HttpMethod.GET, "/api/v1/credentials/callback").permitAll()
        .antMatchers("/api/v1/**").hasRole("AUTHENTICATED")
        .anyRequest().permitAll();

    // CSRF protection stays enabled with a custom token repository; the paths listed here are
    // exempt from the token check.
    // NOTE(review): /api/v1/atlas/** is exempt from CSRF while still requiring the role above.
    http.csrf()
        .ignoringAntMatchers(COMMON_NON_SECURED_PATHS)
        .ignoringAntMatchers("/api/v1/credentials/callback")
        .ignoringAntMatchers("/api/v1/atlas/**")
        .csrfTokenRepository(new SyndesisCsrfRepository());
}
 
Example #4
Source File: NiFiRegistrySecurityConfig.java    From nifi-registry with Apache License 2.0 6 votes vote down vote up
/**
 * Configures the registry API chain: stateless, fully authenticated, with response security
 * headers, x509 and JWT filters, a custom anonymous filter and a trailing authorization filter.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects any of the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.rememberMe().disable();

    // Every request needs a full authentication; anonymous and remember-me tokens do not
    // satisfy fullyAuthenticated().
    http.authorizeRequests().anyRequest().fullyAuthenticated();

    // Unauthenticated requests are answered through the 401 entry point bean.
    http.exceptionHandling().authenticationEntryPoint(http401AuthenticationEntryPoint());

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Security headers for the registry API only. Headers for docs and UI are applied with
    // Jetty filters in registry-core.
    http.headers().xssProtection();
    // Restricts framing of API responses to the same origin.
    http.headers().contentSecurityPolicy("frame-ancestors 'self'");
    // HSTS lifetime of 31540000 seconds, which is roughly one year.
    http.headers().httpStrictTransportSecurity().maxAgeInSeconds(31540000);
    http.headers().frameOptions().sameOrigin();

    // Identity filters run before the anonymous filter position: client certificate first,
    // then JWT.
    http.addFilterBefore(x509AuthenticationFilter(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(jwtAuthenticationFilter(), AnonymousAuthenticationFilter.class);

    // otp
    // todo, if needed one-time password auth filter goes here

    // The custom anonymous filter supplies the authenticated, anonymous user when no earlier
    // filter in the chain detected an identity.
    http.anonymous().authenticationFilter(anonymousAuthenticationFilter);

    // Authorization happens after the Spring Security chain has finished authentication and
    // before the Jersey endpoints receive the request.
    http.addFilterAfter(resourceAuthorizationFilter(), FilterSecurityInterceptor.class);
}
 
Example #5
Source File: Log4jMdcLoggingFilterTest.java    From herd with Apache License 2.0 6 votes vote down vote up
/**
 * Runs the MDC logging filter for a request whose security context holds only the token set by
 * {@link AnonymousAuthenticationFilter}.
 *
 * NOTE(review): the test contains no assertions, so it only shows that the filter completes
 * without throwing for an anonymous user.
 */
@Test
public void testLoggingAnonymousUser() throws Exception
{
    invalidateApplicationUser(null);

    // Let the anonymous filter process a mock request first.
    AnonymousAuthenticationFilter anonymousFilter = new AnonymousAuthenticationFilter("AnonymousFilterKey");
    anonymousFilter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());

    // Full life cycle of the filter under test: init, one request, destroy.
    Log4jMdcLoggingFilter loggingFilter = new Log4jMdcLoggingFilter();
    loggingFilter.init(new MockFilterConfig());

    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();
    MockFilterChain chain = new MockFilterChain();
    loggingFilter.doFilter(request, response, chain);

    loggingFilter.destroy();
}
 
Example #6
Source File: AppSecurityModelC.java    From Spring-5.0-Cookbook with MIT License 5 votes vote down vote up
/**
 * Creates the application's anonymous authentication filter bean.
 *
 * <p>The filter is built with the key {@code "ANONYMOUS"}, the principal {@code "guest"} and the
 * single authority {@code ROLE_ANONYMOUS}.
 *
 * @return the configured {@code AppAnonAuthFilter}
 */
@Bean
public AnonymousAuthenticationFilter appAnonAuthFilter() {
  // Unauthenticated callers receive ROLE_ANONYMOUS only; access rules elsewhere must not treat
  // that role as a logged-in user.
  List<GrantedAuthority> guestAuthorities = new ArrayList<>();
  guestAuthorities.add(new SimpleGrantedAuthority("ROLE_ANONYMOUS"));

  // NOTE(review): presumably the arguments mirror AnonymousAuthenticationFilter(key, principal,
  // authorities); the key is a hard-coded, guessable literal - confirm that is acceptable.
  return new AppAnonAuthFilter("ANONYMOUS", "guest", guestAuthorities);
}
 
Example #7
Source File: AppSecurityModelC.java    From Spring-5.0-Cookbook with MIT License 5 votes vote down vote up
/**
 * Creates the application's anonymous authentication filter bean.
 *
 * <p>The filter is built with the key {@code "ANONYMOUS"}, the principal {@code "guest"} and the
 * single authority {@code ROLE_ANONYMOUS}.
 *
 * @return the configured {@code AppAnonAuthFilter}
 */
@Bean
public AnonymousAuthenticationFilter appAnonAuthFilter() {
  // Unauthenticated callers receive ROLE_ANONYMOUS only; access rules elsewhere must not treat
  // that role as a logged-in user.
  List<GrantedAuthority> guestAuthorities = new ArrayList<>();
  guestAuthorities.add(new SimpleGrantedAuthority("ROLE_ANONYMOUS"));

  // NOTE(review): presumably the arguments mirror AnonymousAuthenticationFilter(key, principal,
  // authorities); the key is a hard-coded, guessable literal - confirm that is acceptable.
  return new AppAnonAuthFilter("ANONYMOUS", "guest", guestAuthorities);
}
 
Example #8
Source File: SecurityConfiguration.java    From nifi-minifi with Apache License 2.0 5 votes vote down vote up
/**
 * Configures a stateless chain that requires full authentication for every request, with an
 * x509 filter ahead of a custom anonymous filter.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects any of the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.rememberMe().disable();

    // Anonymous and remember-me tokens do not satisfy fullyAuthenticated().
    http.authorizeRequests().anyRequest().fullyAuthenticated();

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // The client-certificate filter is placed before the anonymous filter position.
    http.addFilterBefore(x509AuthenticationFilter, AnonymousAuthenticationFilter.class);

    // The stock anonymous filter is replaced by the injected C2 implementation.
    // NOTE(review): confirm when that filter authenticates a caller that presented no certificate.
    http.anonymous().authenticationFilter(c2AnonymousAuthenticationFilter);
}
 
Example #9
Source File: FiatAuthenticationConfig.java    From fiat with Apache License 2.0 5 votes vote down vote up
/**
 * Enables servlet API integration, exception handling and anonymous authentication with their
 * defaults, and registers {@code FiatAuthenticationFilter} before the anonymous filter position.
 *
 * <p>NOTE(review): this method declares no authorization rules; presumably access decisions are
 * made elsewhere - confirm before relying on this chain alone.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects any of the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
  http.servletApi();
  http.exceptionHandling();
  http.anonymous();

  // Runs ahead of the anonymous filter so it can set an identity before the fallback applies.
  http.addFilterBefore(
      new FiatAuthenticationFilter(fiatStatus), AnonymousAuthenticationFilter.class);
}
 
Example #10
Source File: AppSpringModuleConfig.java    From herd with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the filter chain proxy from a single hand-assembled chain that applies to every request.
 *
 * The chain order is: security context persistence, trusted user filter, optional HTTP header
 * authentication, anonymous filter. Filters later in the list only see requests after the
 * earlier ones have run.
 *
 * @param trustedUserAuthenticationFilter the trusted user authentication filter.
 * @param httpHeaderAuthenticationFilter the HTTP header authentication filter.
 *
 * @return the filter chain proxy.
 */
@Bean
public FilterChainProxy filterChainProxy(final TrustedUserAuthenticationFilter trustedUserAuthenticationFilter,
    final HttpHeaderAuthenticationFilter httpHeaderAuthenticationFilter)
{
    final SecurityFilterChain catchAllChain = new SecurityFilterChain()
    {
        @Override
        public boolean matches(HttpServletRequest request)
        {
            // This chain applies to all URLs.
            return true;
        }

        @Override
        public List<Filter> getFilters()
        {
            List<Filter> orderedFilters = new ArrayList<>();

            // Stores session information between HTTP requests; must come first.
            orderedFilters.add(new SecurityContextPersistenceFilter());

            // Bypasses security based on a SpEL expression environment property.
            // NOTE(review): make sure that property cannot be switched on in production by accident.
            orderedFilters.add(trustedUserAuthenticationFilter);

            // Header-based authentication is optional and controlled by configuration.
            // NOTE(review): header values are only trustworthy if an upstream component sets them
            // and removes any client-supplied copies - confirm for the deployment.
            final boolean headerAuthEnabled =
                Boolean.valueOf(configurationHelper.getProperty(ConfigurationValue.SECURITY_HTTP_HEADER_ENABLED));
            if (headerAuthEnabled)
            {
                orderedFilters.add(httpHeaderAuthenticationFilter);
            }

            // Last resort: the anonymous user filter.
            orderedFilters.add(new AnonymousAuthenticationFilter("AnonymousFilterKey"));

            return orderedFilters;
        }
    };

    return new FilterChainProxy(catchAllChain);
}
 
Example #11
Source File: NiFiWebApiSecurityConfiguration.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Configures a stateless, CORS-enabled chain in which every request must be fully authenticated.
 *
 * <p>Four credential filters (x509, JWT, OTP, Knox) are placed before the
 * {@link AnonymousAuthenticationFilter} position and the application's own anonymous filter after
 * it; the built-in anonymous handling is then switched off.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects any of the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors();
    http.rememberMe().disable();

    // Anonymous and remember-me tokens do not satisfy fullyAuthenticated().
    http.authorizeRequests().anyRequest().fullyAuthenticated();

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Credential filters, registered in this order: x509, jwt, otp, knox.
    http.addFilterBefore(x509FilterBean(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(jwtFilterBean(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(otpFilterBean(), AnonymousAuthenticationFilter.class);
    http.addFilterBefore(knoxFilterBean(), AnonymousAuthenticationFilter.class);

    // The custom anonymous filter goes after the anonymous position, i.e. behind all of the
    // credential filters above.
    http.addFilterAfter(anonymousFilterBean(), AnonymousAuthenticationFilter.class);

    // Default anonymous handling is disabled because it doesn't handle conditional
    // authentication well; only the custom filter can produce an anonymous identity.
    http.anonymous().disable();
}
 
Example #12
Source File: WebSecurityConfig.java    From spring-custom-token-auth with MIT License 4 votes vote down vote up
/**
 * Registers the custom token filter before the anonymous filter position and disables CSRF
 * protection.
 *
 * <p>NOTE(review): no authorization rules are declared in this method, so the filter chain built
 * here does not itself reject unauthenticated requests; presumably access is enforced elsewhere -
 * confirm. Disabling CSRF is only safe if the token is not sent automatically by the browser.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects any of the settings
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
	http.addFilterBefore(createCustomFilter(), AnonymousAuthenticationFilter.class);
	http.csrf().disable();
}
 
Example #13
Source File: SecurityManagedConfiguration.java    From hawkbit with Eclipse Public License 1.0 4 votes vote down vote up
/**
 * Configures security for the controller (DDI) endpoints matched by {@code DDI_ANT_MATCHERS}.
 *
 * <p>Three pre-authentication filters are prepared (security header, security token, gateway
 * security token). Depending on the anonymous setting, either all of them are bypassed in favour
 * of an anonymous filter, or they are installed and every request must be authenticated.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects any of the settings
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {

    // One details source is shared by every filter created below.
    final ControllerTenantAwareAuthenticationDetailsSource authenticationDetailsSource = new ControllerTenantAwareAuthenticationDetailsSource();

    // Authenticates from the CN and SSL issuer hash header names configured under "rp".
    // NOTE(review): presumably a reverse proxy sets these headers; they are only trustworthy if
    // that proxy also removes client-supplied copies - confirm for the deployment.
    final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter(
            ddiSecurityConfiguration.getRp().getCnHeader(),
            ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(), tenantConfigurationManagement,
            tenantAware, systemSecurityContext);
    securityHeaderFilter.setAuthenticationManager(authenticationManager());
    securityHeaderFilter.setCheckForPrincipalChanges(true);
    securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource);

    // Security token pre-authentication filter.
    final HttpControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter(
            tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
    securityTokenFilter.setAuthenticationManager(authenticationManager());
    securityTokenFilter.setCheckForPrincipalChanges(true);
    securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);

    // Gateway security token pre-authentication filter.
    final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
            tenantConfigurationManagement, tenantAware, systemSecurityContext);
    gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager());
    gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true);
    gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);

    // CSRF protection is disabled for this chain in both branches below.
    HttpSecurity httpSec = http.csrf().disable();

    // Optionally require a secure channel for every request.
    if (securityProperties.isRequireSsl()) {
        httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
    }

    if (ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled()) {

        // Anonymous mode: none of the three filters above is installed and no authorization rule
        // is declared, so requests matching DDI_ANT_MATCHERS are accepted as the anonymous
        // principal. The log message itself says this is meant for development only.
        // NOTE(review): this is logged at INFO; a WARN would make an accidental production
        // enablement easier to spot.
        LOG.info(
                "******************\n** Anonymous controller security enabled, should only be used for developing purposes **\n******************");

        final AnonymousAuthenticationFilter anonymousFilter = new AnonymousAuthenticationFilter(
                "controllerAnonymousFilter", "anonymous",
                Arrays.asList(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS)));
        anonymousFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
        httpSec.requestMatchers().antMatchers(DDI_ANT_MATCHERS).and().securityContext().disable().anonymous()
                .authenticationFilter(anonymousFilter);
    } else {

        // Authenticated mode: install the three filters, disable anonymous access, require
        // authentication for every matched request, answer failures with a bare 401 status and
        // keep the chain stateless.
        httpSec.addFilter(securityHeaderFilter).addFilter(securityTokenFilter)
                .addFilter(gatewaySecurityTokenFilter).requestMatchers().antMatchers(DDI_ANT_MATCHERS).and()
                .anonymous().disable().authorizeRequests().anyRequest().authenticated().and()
                .exceptionHandling()
                .authenticationEntryPoint((request, response, authException) -> response
                        .setStatus(HttpStatus.UNAUTHORIZED.value()))
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
 
Example #14
Source File: SecurityManagedConfiguration.java    From hawkbit with Eclipse Public License 1.0 4 votes vote down vote up
/**
 * Configures security for the controller download endpoints matched by {@code DDI_DL_ANT_MATCHER}.
 *
 * <p>Four pre-authentication filters are prepared (security header, security token, gateway
 * security token, anonymous download). Depending on the anonymous setting, either all of them are
 * bypassed in favour of an anonymous filter, or they are installed and every request must be
 * authenticated.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects any of the settings
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {

    // One details source is shared by every filter created below.
    final ControllerTenantAwareAuthenticationDetailsSource authenticationDetailsSource = new ControllerTenantAwareAuthenticationDetailsSource();

    // Authenticates from the CN and SSL issuer hash header names configured under "rp".
    // NOTE(review): presumably a reverse proxy sets these headers; they are only trustworthy if
    // that proxy also removes client-supplied copies - confirm for the deployment.
    final HttpControllerPreAuthenticatedSecurityHeaderFilter securityHeaderFilter = new HttpControllerPreAuthenticatedSecurityHeaderFilter(
            ddiSecurityConfiguration.getRp().getCnHeader(),
            ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(), tenantConfigurationManagement,
            tenantAware, systemSecurityContext);
    securityHeaderFilter.setAuthenticationManager(authenticationManager());
    securityHeaderFilter.setCheckForPrincipalChanges(true);
    securityHeaderFilter.setAuthenticationDetailsSource(authenticationDetailsSource);

    // Security token pre-authentication filter.
    final HttpControllerPreAuthenticateSecurityTokenFilter securityTokenFilter = new HttpControllerPreAuthenticateSecurityTokenFilter(
            tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
    securityTokenFilter.setAuthenticationManager(authenticationManager());
    securityTokenFilter.setCheckForPrincipalChanges(true);
    securityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);

    // Gateway security token pre-authentication filter.
    final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewaySecurityTokenFilter = new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
            tenantConfigurationManagement, tenantAware, systemSecurityContext);
    gatewaySecurityTokenFilter.setAuthenticationManager(authenticationManager());
    gatewaySecurityTokenFilter.setCheckForPrincipalChanges(true);
    gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);

    // Anonymous download pre-authentication filter.
    // NOTE(review): presumably governed by tenant configuration; confirm when it authenticates
    // a request that carries no credential.
    final HttpControllerPreAuthenticateAnonymousDownloadFilter controllerAnonymousDownloadFilter = new HttpControllerPreAuthenticateAnonymousDownloadFilter(
            tenantConfigurationManagement, tenantAware, systemSecurityContext);
    controllerAnonymousDownloadFilter.setAuthenticationManager(authenticationManager());
    controllerAnonymousDownloadFilter.setCheckForPrincipalChanges(true);
    controllerAnonymousDownloadFilter.setAuthenticationDetailsSource(authenticationDetailsSource);

    // CSRF protection is disabled for this chain in both branches below.
    HttpSecurity httpSec = http.csrf().disable();

    // Optionally require a secure channel for every request.
    if (securityProperties.isRequireSsl()) {
        httpSec = httpSec.requiresChannel().anyRequest().requiresSecure().and();
    }

    if (ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled()) {

        // Anonymous mode: none of the four filters above is installed and no authorization rule
        // is declared, so requests matching DDI_DL_ANT_MATCHER are accepted as the anonymous
        // principal. The log message itself says this is meant for development only.
        // NOTE(review): this is logged at INFO; a WARN would make an accidental production
        // enablement easier to spot.
        LOG.info(
                "******************\n** Anonymous controller security enabled, should only be used for developing purposes **\n******************");

        final AnonymousAuthenticationFilter anonymousFilter = new AnonymousAuthenticationFilter(
                "controllerAnonymousFilter", "anonymous",
                Arrays.asList(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS)));
        anonymousFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
        httpSec.requestMatchers().antMatchers(DDI_DL_ANT_MATCHER).and().securityContext().disable().anonymous()
                .authenticationFilter(anonymousFilter);
    } else {

        // Authenticated mode: install the four filters, disable the built-in anonymous access,
        // require authentication for every matched request, answer failures with a bare 401
        // status and keep the chain stateless.
        httpSec.addFilter(securityHeaderFilter).addFilter(securityTokenFilter)
                .addFilter(gatewaySecurityTokenFilter).addFilter(controllerAnonymousDownloadFilter)
                .requestMatchers().antMatchers(DDI_DL_ANT_MATCHER).and().anonymous().disable()
                .authorizeRequests().anyRequest().authenticated().and().exceptionHandling()
                .authenticationEntryPoint((request, response, authException) -> response
                        .setStatus(HttpStatus.UNAUTHORIZED.value()))
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}