Support For ReactiveAnonymousAuthentication In Reactive Web Security #5934

Closed
ankurpathak opened this issue Oct 10, 2018 · 8 comments

@ankurpathak
Contributor

I couldn't find support for Reactive Anonymous Authentication in Reactive Web Security.
We should add support for Reactive Anonymous Authentication and Reactive Remember
Me Authentication. This will make the security for the Servlet Stack and the Netty Stack similar.

rwinch added this to the 5.2.0 milestone Oct 10, 2018
@rwinch
Member

rwinch commented Oct 10, 2018

Thanks for the suggestion. Would you be interested in providing a PR for this?

@ankurpathak
Contributor Author

Sure, I will work on a PR, but I need some clues from you before that:
In Servlet Based Security we have AbstractAuthenticationFilter and

  1. AnonymousAuthenticationFilter extends it
  2. RememberMeAuthenticationFilter also extends it

And then we plug these filters into the filter chain.

But in FluxBasedSecurity we don't have an equivalent of AbstractAuthenticationFilter. We have one
AuthenticationWebFilter and use different AuthenticationConverters based on the type of Authentication, like
HttpBasic, Form etc. How will we plug all kinds of Authentication, like Anonymous and RememberMe, into one filter? If you can clear up this point, I am good to go and will start work on the PR.

@rwinch
Member

rwinch commented Oct 10, 2018

I think it just becomes a new WebFilter that is placed after AuthenticationWebFilter and populates AnonymousAuthenticationToken if the Authentication is empty. There is no need to force it into using a ReactiveAuthenticationManager since we are not really authenticating anonymous users.
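
A sketch of the kind of filter described in the comment above, as an added example that is not part of the original thread and not the code merged for this issue. The class name `ExampleAnonymousWebFilter` and the principal string `"anonymousUser"` are assumptions; the Spring Security and Reactor calls are existing APIs.

```java
import java.util.List;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

// Added illustration; the class name and principal string are assumptions.
public class ExampleAnonymousWebFilter implements WebFilter {

    private final String key; // identifies tokens minted by this filter
    private final List<GrantedAuthority> authorities =
            AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");

    public ExampleAnonymousWebFilter(String key) {
        this.key = key;
    }

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        return ReactiveSecurityContextHolder.getContext()
            // A context that carries no Authentication counts as empty.
            .filter(ctx -> ctx.getAuthentication() != null)
            // Runs only when no Authentication is present in the Reactor context.
            .switchIfEmpty(Mono.defer(() -> {
                Authentication anonymous =
                        new AnonymousAuthenticationToken(key, "anonymousUser", authorities);
                return chain.filter(exchange)
                    // Reactor 3.4+; older releases use subscriberContext(...).
                    .contextWrite(ReactiveSecurityContextHolder.withSecurityContext(
                            Mono.just(new SecurityContextImpl(anonymous))))
                    // Complete empty so the flatMap below does not run the chain twice.
                    .then(Mono.empty());
            }))
            // An existing Authentication is passed through and never replaced.
            .flatMap(ctx -> chain.filter(exchange));
    }
}
```

Authorization rules that must exclude anonymous callers need to check for `AnonymousAuthenticationToken` (or the `ROLE_ANONYMOUS` authority) rather than only for a non-empty `Authentication`.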

@ankurpathak
Contributor Author

AnonymousAuthenticationFilter can be implemented as a normal Filter extending WebFilter.
RememberMeAuthenticationFilter can also be implemented as a normal Filter extending WebFilter.
But we will have to plug in support for RememberMeServices in AuthenticationFilter the
way we do in AbstractAuthenticationProcessingFilter.

```java
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
    if (this.logger.isDebugEnabled()) {
        this.logger.debug("Authentication success. Updating SecurityContextHolder to contain: " + authResult);
    }

    SecurityContextHolder.getContext().setAuthentication(authResult);
    this.rememberMeServices.loginSuccess(request, response, authResult);
    if (this.eventPublisher != null) {
        this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
    }

    this.successHandler.onAuthenticationSuccess(request, response, authResult);
}

protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
    SecurityContextHolder.clearContext();
    if (this.logger.isDebugEnabled()) {
        this.logger.debug("Authentication request failed: " + failed.toString(), failed);
        this.logger.debug("Updated SecurityContextHolder to contain null Authentication");
        this.logger.debug("Delegating to authentication failure handler " + this.failureHandler);
    }

    this.rememberMeServices.loginFail(request, response);
    this.failureHandler.onAuthenticationFailure(request, response, failed);
}
```

@rwinch
Member

rwinch commented Oct 16, 2018

I'd like to stick with one thing at a time. Let's focus this issue on anonymous support.

@ankurpathak
Contributor Author

@rwinch Ya sure, we can have this issue for the Anonymous thing. But we already have a very old issue for RememberMe here:
#5504

@rwinch
Member

rwinch commented Oct 18, 2018

@ankurpathak I responded there.

@ankurpathak
Contributor Author

@rwinch Here is my PR for this issue:
#6198
Please guide me if it requires improvements, modifications or corrections.

ankurpathak added a commit to ankurpathak/spring-security that referenced this issue Dec 8, 2018
1. Created new WebFilter AnonymousAuthenticationWebFilter
for anonymous authentication
2. Created class AnonymousSpec, method anonymous to configure
anonymous authentication in ServerHttpSecurity
3. Added ANONYMOUS_AUTHENTICATION order after AUTHENTICATION for
anonymous authentication in SecurityWebFiltersOrder
4. Added tests for anonymous authentication in
AnonymousAuthenticationWebFilterTests and ServerHttpSecurityTests
5. Added support for Controller in WebTestClientBuilder

Fixes: spring-projectsgh-5934
rwinch modified the milestones: 5.2.0, 5.2.0.M1 Dec 12, 2018
rwinch self-assigned this Dec 12, 2018
rwinch closed this as completed in 2b369cf Dec 12, 2018