Java Code Examples for org.springframework.security.web.authentication.AnonymousAuthenticationFilter

The following examples show how to use org.springframework.security.web.authentication.AnonymousAuthenticationFilter. These examples are extracted from open source projects. The original project or source file is linked above each example.
Example 1
/**
 * Configures a stateless chain in which every request must be fully authenticated.
 *
 * <p>Remember-me is switched off and no HTTP session is created, so each request has to
 * carry its own credentials. The x509, JWT and OTP filters are registered in front of
 * {@link AnonymousAuthenticationFilter}; a custom filter is then installed in the
 * anonymous slot.
 *
 * @param http the security builder supplied by the framework
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.rememberMe().disable();

    // fullyAuthenticated() rejects anonymous and remember-me tokens, not merely missing ones.
    http.authorizeRequests().anyRequest().fullyAuthenticated();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Credential filters, registered in the order x509 -> jwt -> otp, all ahead of the
    // anonymous slot so a presented credential is evaluated before any fallback identity.
    http.addFilterBefore(x509FilterBean(), AnonymousAuthenticationFilter.class)
        .addFilterBefore(jwtFilterBean(), AnonymousAuthenticationFilter.class)
        .addFilterBefore(otpFilterBean(), AnonymousAuthenticationFilter.class);

    // NOTE(review): the token produced by anonymousFilterBean() is not visible here. Confirm
    // whether it can satisfy fullyAuthenticated() for callers that presented no credential,
    // and that this is intended.
    http.anonymous().authenticationFilter(anonymousFilterBean());
}
 
Example 2
/**
 * Configures a stateless REST chain whose custom authentication filter runs ahead of
 * {@link AnonymousAuthenticationFilter}.
 *
 * <p>Only requests matching {@code PROTECTED_URLS} are required to be authenticated; this
 * method declares no rule for anything outside that matcher. CSRF protection, form login,
 * HTTP Basic and logout handling are all disabled.
 *
 * @param http the security builder supplied by the framework
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
  http.sessionManagement().sessionCreationPolicy(STATELESS);

  // Entry point used when a protected URL is requested without prior authentication.
  http.exceptionHandling().defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS);

  http.authenticationProvider(provider);
  http.addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class);

  // NOTE(review): requests outside PROTECTED_URLS get no authorization rule in this block;
  // verify that the matcher covers every endpoint that must not be public.
  http.authorizeRequests().requestMatchers(PROTECTED_URLS).authenticated();

  // NOTE(review): disabling CSRF is only sound if restAuthenticationFilter() reads a credential
  // the browser does not attach automatically (a header rather than a cookie). That is not
  // visible in this method, so confirm it.
  http.csrf().disable();
  http.formLogin().disable();
  http.httpBasic().disable();
  http.logout().disable();
}
 
Example 3
Source Project: syndesis   Source File: SecurityConfiguration.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Configures a stateless chain that authenticates through a request-header filter and falls
 * back to an explicitly added {@link AnonymousAuthenticationFilter}.
 *
 * <p>Authorization rules, in evaluation order: all {@code OPTIONS} requests, the
 * {@code COMMON_NON_SECURED_PATHS} and the credentials callback are public;
 * {@code /api/v1/**} needs the {@code AUTHENTICATED} role; every other request is public.
 *
 * @param http the security builder supplied by the framework
 * @throws Exception if the builder rejects the configuration
 */
@Override
@SuppressWarnings("PMD.SignatureDeclareThrowsException")
protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // NOTE(review): presumably a pre-authentication filter that takes the caller identity from a
    // request header. If so, the deployment must guarantee that only the trusted proxy can set
    // that header (strip it from inbound traffic at the edge).
    http.addFilter(requestHeaderAuthenticationFilter());

    // NOTE(review): the anonymous configurer is not disabled in this method; confirm whether a
    // second, default anonymous filter ends up in the chain next to this one.
    http.addFilter(new AnonymousAuthenticationFilter("anonymous"));

    // The final catch-all is permitAll(), so any endpoint added outside /api/v1/** is public
    // by default. Matcher order matters: the first matching rule wins.
    http.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS).permitAll()
        .antMatchers(COMMON_NON_SECURED_PATHS).permitAll()
        .antMatchers(HttpMethod.GET, "/api/v1/credentials/callback").permitAll()
        .antMatchers("/api/v1/**").hasRole("AUTHENTICATED")
        .anyRequest().permitAll();

    // CSRF stays enabled with a project-specific token repository. The listed paths are exempt,
    // including /api/v1/atlas/**, which still requires the AUTHENTICATED role above.
    http.csrf()
        .ignoringAntMatchers(COMMON_NON_SECURED_PATHS)
        .ignoringAntMatchers("/api/v1/credentials/callback")
        .ignoringAntMatchers("/api/v1/atlas/**")
        .csrfTokenRepository(new SyndesisCsrfRepository());
}
 
Example 4
Source Project: herd   Source File: Log4jMdcLoggingFilterTest.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Runs the MDC logging filter after an {@link AnonymousAuthenticationFilter} has processed a
 * mock request.
 *
 * <p>The test contains no assertions: it passes as long as neither filter throws. It does not
 * verify what the logging filter recorded for the anonymous caller.
 *
 * @throws Exception if either filter fails
 */
@Test
public void testLoggingAnonymousUser() throws Exception
{
    // presumably resets any application user left in the security context -- helper not shown here
    invalidateApplicationUser(null);

    // Let the anonymous filter handle a throw-away mock request first.
    AnonymousAuthenticationFilter anonymousFilter = new AnonymousAuthenticationFilter("AnonymousFilterKey");
    anonymousFilter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());

    // Full lifecycle of the filter under test: init -> doFilter -> destroy.
    Log4jMdcLoggingFilter loggingFilter = new Log4jMdcLoggingFilter();
    loggingFilter.init(new MockFilterConfig());

    MockFilterChain chain = new MockFilterChain();
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();
    loggingFilter.doFilter(request, response, chain);

    loggingFilter.destroy();
}
 
Example 5
Source Project: Spring-5.0-Cookbook   Source File: AppSecurityModelC.java    License: MIT License 5 votes vote down vote up
/**
 * Creates the application's anonymous-authentication filter bean.
 *
 * <p>The filter is built with the key {@code "ANONYMOUS"}, the principal {@code "guest"} and a
 * single authority, {@code ROLE_ANONYMOUS}.
 *
 * @return the configured {@code AppAnonAuthFilter}, exposed as an
 *         {@link AnonymousAuthenticationFilter}
 */
@Bean
public AnonymousAuthenticationFilter appAnonAuthFilter() {
  // Mutable list on purpose: it is handed to the filter as-is.
  final List<GrantedAuthority> guestAuthorities = new ArrayList<>();
  guestAuthorities.add(new SimpleGrantedAuthority("ROLE_ANONYMOUS"));

  // NOTE(review): assumes AppAnonAuthFilter forwards (key, principal, authorities) to the
  // AnonymousAuthenticationFilter constructor. If so, any AnonymousAuthenticationProvider in
  // the application must be configured with the same key -- confirm.
  return new AppAnonAuthFilter("ANONYMOUS", "guest", guestAuthorities);
}
 
Example 6
Source Project: Spring-5.0-Cookbook   Source File: AppSecurityModelC.java    License: MIT License 5 votes vote down vote up
/**
 * Provides the anonymous-authentication filter used for callers without credentials.
 *
 * <p>Unauthenticated callers are represented by the principal {@code "guest"} carrying only
 * {@code ROLE_ANONYMOUS}; the filter key is {@code "ANONYMOUS"}.
 *
 * @return the {@code AppAnonAuthFilter} instance, typed as {@link AnonymousAuthenticationFilter}
 */
@Bean
public AnonymousAuthenticationFilter appAnonAuthFilter() {
  final List<GrantedAuthority> roles = new ArrayList<>();
  roles.add(new SimpleGrantedAuthority("ROLE_ANONYMOUS"));

  // NOTE(review): access rules elsewhere should never grant ROLE_ANONYMOUS anything meant
  // for signed-in users; the argument order (key, principal, authorities) is assumed from the
  // parent filter's constructor -- confirm against AppAnonAuthFilter.
  final AppAnonAuthFilter guestFilter = new AppAnonAuthFilter("ANONYMOUS", "guest", roles);
  return guestFilter;
}
 
Example 7
Source Project: nifi-registry   Source File: NiFiRegistrySecurityConfig.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Configures the registry API chain: stateless, fully authenticated, with security response
 * headers, x509 and JWT filters ahead of the anonymous slot, and a resource authorization
 * filter after {@link FilterSecurityInterceptor}.
 *
 * @param http the security builder supplied by the framework
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.rememberMe().disable();
    http.authorizeRequests().anyRequest().fullyAuthenticated();
    http.exceptionHandling().authenticationEntryPoint(http401AuthenticationEntryPoint());
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Security headers for the registry API only; headers for docs and UI are applied with
    // Jetty filters in registry-core.
    // X-XSS-Protection is a legacy header that current browsers largely ignore, and the CSP
    // below restricts framing only -- it is not a script policy.
    http.headers().xssProtection();
    http.headers().contentSecurityPolicy("frame-ancestors 'self'");
    // HSTS max-age of 31540000 seconds, i.e. roughly one year.
    http.headers().httpStrictTransportSecurity().maxAgeInSeconds(31540000);
    http.headers().frameOptions().sameOrigin();

    // Credential filters: x509 first, then jwt. A one-time-password filter would be
    // registered here as well if it is ever needed.
    http.addFilterBefore(x509AuthenticationFilter(), AnonymousAuthenticationFilter.class)
        .addFilterBefore(jwtAuthenticationFilter(), AnonymousAuthenticationFilter.class);

    // The anonymous filter populates an authenticated, anonymous user when no identity was
    // detected earlier in the chain.
    // NOTE(review): combined with fullyAuthenticated() above, confirm which requests that
    // anonymous identity is actually allowed to reach.
    http.anonymous().authenticationFilter(anonymousAuthenticationFilter);

    // Authentication is finished once the Spring Security chain has run; the resource
    // authorization filter performs its checks before the Jersey endpoints see the request.
    http.addFilterAfter(resourceAuthorizationFilter(), FilterSecurityInterceptor.class);
}
 
Example 8
Source Project: nifi-minifi   Source File: SecurityConfiguration.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Configures a stateless, fully authenticated chain with an x509 filter ahead of the anonymous
 * slot and a custom filter in that slot.
 *
 * @param http the security builder supplied by the framework
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.rememberMe().disable();
    http.authorizeRequests().anyRequest().fullyAuthenticated();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Client-certificate authentication is tried before any anonymous fallback.
    http.addFilterBefore(x509AuthenticationFilter, AnonymousAuthenticationFilter.class);

    // NOTE(review): x509 is the only credential filter registered here. What
    // c2AnonymousAuthenticationFilter grants to callers without a certificate is not visible
    // in this method -- confirm it against the fullyAuthenticated() rule above.
    http.anonymous().authenticationFilter(c2AnonymousAuthenticationFilter);
}
 
Example 9
Source Project: fiat   Source File: FiatAuthenticationConfig.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Enables servlet API integration, exception handling and anonymous authentication, and
 * registers {@code FiatAuthenticationFilter} ahead of {@link AnonymousAuthenticationFilter}.
 *
 * <p>This method declares no authorization rules; it only establishes who the caller is.
 *
 * @param http the security builder supplied by the framework
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
  http.servletApi();
  http.exceptionHandling();
  http.anonymous();

  // NOTE(review): with no authorizeRequests() here, access decisions must be enforced
  // somewhere else (method security or another configurer) -- confirm where.
  http.addFilterBefore(
      new FiatAuthenticationFilter(fiatStatus), AnonymousAuthenticationFilter.class);
}
 
Example 10
Source Project: herd   Source File: AppSpringModuleConfig.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Builds the filter chain proxy that applies a single security filter chain to every request.
 *
 * <p>Filter order: security context persistence, the trusted-user filter, the HTTP header
 * authentication filter (only when {@code SECURITY_HTTP_HEADER_ENABLED} evaluates to true) and
 * finally an anonymous authentication filter.
 *
 * @param trustedUserAuthenticationFilter the trusted user authentication filter.
 * @param httpHeaderAuthenticationFilter the HTTP header authentication filter.
 *
 * @return the filter chain proxy.
 */
@Bean
public FilterChainProxy filterChainProxy(final TrustedUserAuthenticationFilter trustedUserAuthenticationFilter,
    final HttpHeaderAuthenticationFilter httpHeaderAuthenticationFilter)
{
    final SecurityFilterChain catchAllChain = new SecurityFilterChain()
    {
        @Override
        public boolean matches(HttpServletRequest request)
        {
            // Every URL is handled by this one chain.
            return true;
        }

        @Override
        public List<Filter> getFilters()
        {
            // The list, the two inline filters and the property lookup are created afresh on
            // every call of this method.
            List<Filter> orderedFilters = new ArrayList<>();

            // Keeps the security context available between HTTP requests.
            orderedFilters.add(new SecurityContextPersistenceFilter());

            // Bypasses security when a SpEL expression from an environment property says so.
            // NOTE(review): this filter is always in the chain; make sure the controlling
            // property cannot be enabled in production environments.
            orderedFilters.add(trustedUserAuthenticationFilter);

            // Header-based authentication is opt-in through configuration.
            // NOTE(review): header-supplied identity is only trustworthy when an upstream proxy
            // sets those headers and removes client-supplied copies -- confirm the deployment.
            final Boolean headerAuthEnabled =
                Boolean.valueOf(configurationHelper.getProperty(ConfigurationValue.SECURITY_HTTP_HEADER_ENABLED));
            if (headerAuthEnabled)
            {
                orderedFilters.add(httpHeaderAuthenticationFilter);
            }

            // Fallback identity for requests that none of the filters above authenticated.
            orderedFilters.add(new AnonymousAuthenticationFilter("AnonymousFilterKey"));

            return orderedFilters;
        }
    };

    return new FilterChainProxy(catchAllChain);
}
 
Example 11
Source Project: nifi   Source File: NiFiWebApiSecurityConfiguration.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Configures the web API chain: CORS enabled, stateless, fully authenticated, with x509, JWT,
 * OTP and Knox filters ahead of the anonymous slot and a custom anonymous filter after it.
 *
 * @param http the security builder supplied by the framework
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors();
    http.rememberMe().disable();
    http.authorizeRequests().anyRequest().fullyAuthenticated();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Credential filters in registration order: x509, jwt, otp, knox.
    http.addFilterBefore(x509FilterBean(), AnonymousAuthenticationFilter.class)
        .addFilterBefore(jwtFilterBean(), AnonymousAuthenticationFilter.class)
        .addFilterBefore(otpFilterBean(), AnonymousAuthenticationFilter.class)
        .addFilterBefore(knoxFilterBean(), AnonymousAuthenticationFilter.class);

    // The project's own anonymous filter is positioned relative to the stock anonymous slot...
    http.addFilterAfter(anonymousFilterBean(), AnonymousAuthenticationFilter.class);

    // ...and the stock anonymous handling is turned off, because it doesn't handle conditional
    // authentication well.
    // NOTE(review): with the default disabled, anonymousFilterBean() alone decides when an
    // unauthenticated caller gets an identity; confirm its conditions.
    http.anonymous().disable();
}
 
Example 12
Source Project: spring-custom-token-auth   Source File: WebSecurityConfig.java    License: MIT License 4 votes vote down vote up
/**
 * Registers the custom token filter ahead of {@link AnonymousAuthenticationFilter} and turns
 * CSRF protection off.
 *
 * <p>No authorization rules and no session policy are declared in this method.
 *
 * @param http the security builder supplied by the framework
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
	http.addFilterBefore(createCustomFilter(), AnonymousAuthenticationFilter.class);

	// NOTE(review): CSRF is disabled while the session policy is left at its default. That is
	// only safe if the custom filter never accepts a cookie-borne credential and no session
	// ends up carrying the authentication. Endpoint access rules must also be defined
	// elsewhere, since none are set here.
	http.csrf().disable();
}
 
Example 13
/**
 * Builds the security chain for the controller endpoints matched by {@code DDI_ANT_MATCHERS}.
 *
 * <p>CSRF protection is disabled and, when {@code securityProperties.isRequireSsl()} is set,
 * every request must use a secure channel. Two modes follow:
 * <ul>
 * <li>anonymous mode enabled: the security context is disabled and every caller is given the
 * anonymous controller role; none of the pre-authentication filters is installed;</li>
 * <li>otherwise: the header, token and gateway-token filters are installed, anonymous access is
 * disabled, every request must be authenticated, failures answer with 401 and no session is
 * created.</li>
 * </ul>
 *
 * @param http the security builder supplied by the framework
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {

    final ControllerTenantAwareAuthenticationDetailsSource detailsSource =
            new ControllerTenantAwareAuthenticationDetailsSource();

    // The three filters are built before the anonymous switch is read, so
    // authenticationManager() is invoked in both modes.

    // NOTE(review): the constructor receives the names of a CN header and an SSL issuer hash
    // header, which suggests the identity comes from a TLS-terminating proxy. Confirm that the
    // proxy overwrites client-supplied copies of both headers.
    final HttpControllerPreAuthenticatedSecurityHeaderFilter headerFilter =
            new HttpControllerPreAuthenticatedSecurityHeaderFilter(
                    ddiSecurityConfiguration.getRp().getCnHeader(),
                    ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(), tenantConfigurationManagement,
                    tenantAware, systemSecurityContext);
    headerFilter.setAuthenticationManager(authenticationManager());
    headerFilter.setCheckForPrincipalChanges(true);
    headerFilter.setAuthenticationDetailsSource(detailsSource);

    final HttpControllerPreAuthenticateSecurityTokenFilter tokenFilter =
            new HttpControllerPreAuthenticateSecurityTokenFilter(
                    tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
    tokenFilter.setAuthenticationManager(authenticationManager());
    tokenFilter.setCheckForPrincipalChanges(true);
    tokenFilter.setAuthenticationDetailsSource(detailsSource);

    final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewayTokenFilter =
            new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
                    tenantConfigurationManagement, tenantAware, systemSecurityContext);
    gatewayTokenFilter.setAuthenticationManager(authenticationManager());
    gatewayTokenFilter.setCheckForPrincipalChanges(true);
    gatewayTokenFilter.setAuthenticationDetailsSource(detailsSource);

    HttpSecurity security = http.csrf().disable();

    // Transport security is optional and driven by configuration.
    if (securityProperties.isRequireSsl()) {
        security = security.requiresChannel().anyRequest().requiresSecure().and();
    }

    final boolean anonymousMode = ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled();

    if (!anonymousMode) {
        // Authenticated mode: all three pre-authentication filters, no anonymous fallback.
        security.addFilter(headerFilter).addFilter(tokenFilter).addFilter(gatewayTokenFilter);
        security.requestMatchers().antMatchers(DDI_ANT_MATCHERS);
        security.anonymous().disable();
        security.authorizeRequests().anyRequest().authenticated();
        // Unauthenticated requests get a bare 401 status.
        security.exceptionHandling().authenticationEntryPoint(
                (req, resp, failure) -> resp.setStatus(HttpStatus.UNAUTHORIZED.value()));
        security.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        return;
    }

    // NOTE(review): this mode removes authentication for the matched endpoints, yet the banner
    // is logged at INFO; a deployment that only collects WARN and above would not see it.
    LOG.info(
            "******************\n** Anonymous controller security enabled, should only be used for developing purposes **\n******************");

    final AnonymousAuthenticationFilter openAccessFilter = new AnonymousAuthenticationFilter(
            "controllerAnonymousFilter", "anonymous",
            Arrays.asList(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS)));
    openAccessFilter.setAuthenticationDetailsSource(detailsSource);

    security.requestMatchers().antMatchers(DDI_ANT_MATCHERS);
    security.securityContext().disable();
    security.anonymous().authenticationFilter(openAccessFilter);
}
 
Example 14
/**
 * Builds the security chain for the controller download endpoints matched by
 * {@code DDI_DL_ANT_MATCHER}.
 *
 * <p>CSRF protection is disabled and, when {@code securityProperties.isRequireSsl()} is set,
 * every request must use a secure channel. Two modes follow:
 * <ul>
 * <li>anonymous mode enabled: the security context is disabled and every caller is given the
 * anonymous controller role; none of the pre-authentication filters is installed;</li>
 * <li>otherwise: the header, token, gateway-token and anonymous-download filters are installed,
 * anonymous access is disabled, every request must be authenticated, failures answer with 401
 * and no session is created.</li>
 * </ul>
 *
 * @param http the security builder supplied by the framework
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {

    final ControllerTenantAwareAuthenticationDetailsSource detailsSource =
            new ControllerTenantAwareAuthenticationDetailsSource();

    // The four filters are built before the anonymous switch is read, so
    // authenticationManager() is invoked in both modes.

    // NOTE(review): the constructor receives the names of a CN header and an SSL issuer hash
    // header, which suggests the identity comes from a TLS-terminating proxy. Confirm that the
    // proxy overwrites client-supplied copies of both headers.
    final HttpControllerPreAuthenticatedSecurityHeaderFilter headerFilter =
            new HttpControllerPreAuthenticatedSecurityHeaderFilter(
                    ddiSecurityConfiguration.getRp().getCnHeader(),
                    ddiSecurityConfiguration.getRp().getSslIssuerHashHeader(), tenantConfigurationManagement,
                    tenantAware, systemSecurityContext);
    headerFilter.setAuthenticationManager(authenticationManager());
    headerFilter.setCheckForPrincipalChanges(true);
    headerFilter.setAuthenticationDetailsSource(detailsSource);

    final HttpControllerPreAuthenticateSecurityTokenFilter tokenFilter =
            new HttpControllerPreAuthenticateSecurityTokenFilter(
                    tenantConfigurationManagement, tenantAware, controllerManagement, systemSecurityContext);
    tokenFilter.setAuthenticationManager(authenticationManager());
    tokenFilter.setCheckForPrincipalChanges(true);
    tokenFilter.setAuthenticationDetailsSource(detailsSource);

    final HttpControllerPreAuthenticatedGatewaySecurityTokenFilter gatewayTokenFilter =
            new HttpControllerPreAuthenticatedGatewaySecurityTokenFilter(
                    tenantConfigurationManagement, tenantAware, systemSecurityContext);
    gatewayTokenFilter.setAuthenticationManager(authenticationManager());
    gatewayTokenFilter.setCheckForPrincipalChanges(true);
    gatewayTokenFilter.setAuthenticationDetailsSource(detailsSource);

    // NOTE(review): the class name suggests this filter admits downloads without credentials
    // under some tenant setting; confirm which setting, and that it defaults to off.
    final HttpControllerPreAuthenticateAnonymousDownloadFilter anonymousDownloadFilter =
            new HttpControllerPreAuthenticateAnonymousDownloadFilter(
                    tenantConfigurationManagement, tenantAware, systemSecurityContext);
    anonymousDownloadFilter.setAuthenticationManager(authenticationManager());
    anonymousDownloadFilter.setCheckForPrincipalChanges(true);
    anonymousDownloadFilter.setAuthenticationDetailsSource(detailsSource);

    HttpSecurity security = http.csrf().disable();

    // Transport security is optional and driven by configuration.
    if (securityProperties.isRequireSsl()) {
        security = security.requiresChannel().anyRequest().requiresSecure().and();
    }

    final boolean anonymousMode = ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled();

    if (!anonymousMode) {
        // Authenticated mode: all four pre-authentication filters, no anonymous fallback.
        security.addFilter(headerFilter).addFilter(tokenFilter)
                .addFilter(gatewayTokenFilter).addFilter(anonymousDownloadFilter);
        security.requestMatchers().antMatchers(DDI_DL_ANT_MATCHER);
        security.anonymous().disable();
        security.authorizeRequests().anyRequest().authenticated();
        // Unauthenticated requests get a bare 401 status.
        security.exceptionHandling().authenticationEntryPoint(
                (req, resp, failure) -> resp.setStatus(HttpStatus.UNAUTHORIZED.value()));
        security.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        return;
    }

    // NOTE(review): this mode removes authentication for the matched endpoints, yet the banner
    // is logged at INFO; a deployment that only collects WARN and above would not see it.
    LOG.info(
            "******************\n** Anonymous controller security enabled, should only be used for developing purposes **\n******************");

    final AnonymousAuthenticationFilter openAccessFilter = new AnonymousAuthenticationFilter(
            "controllerAnonymousFilter", "anonymous",
            Arrays.asList(new SimpleGrantedAuthority(SpringEvalExpressions.CONTROLLER_ROLE_ANONYMOUS)));
    openAccessFilter.setAuthenticationDetailsSource(detailsSource);

    security.requestMatchers().antMatchers(DDI_DL_ANT_MATCHER);
    security.securityContext().disable();
    security.anonymous().authenticationFilter(openAccessFilter);
}