From d6cd33fec769aef6aa2e23a98c91c5c3a711e905 Mon Sep 17 00:00:00 2001
From: parthiv39731 <70740707+parthiv39731@users.noreply.github.com>
Date: Mon, 18 Sep 2023 20:59:43 -0700
Subject: [PATCH 1/2] BAEL-7005, Difference Between permitAll() and anonymous() in Spring Security
---
 .../SecuredEcommerceApplication.java | 13 ++++
 .../controller/EcommerceController.java | 27 +++++++
 .../security/EcommerceWebSecurityConfig.java | 41 +++++++++++
 .../SecureEcommerceApplicationUnitTest.java | 70 +++++++++++++++++++
 4 files changed, 151 insertions(+)
 create mode 100644 spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/SecuredEcommerceApplication.java
 create mode 100644 spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/controller/EcommerceController.java
 create mode 100644 spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/security/EcommerceWebSecurityConfig.java
 create mode 100644 spring-boot-modules/spring-boot-security/src/test/java/com/baeldung/permitallanonymous/SecureEcommerceApplicationUnitTest.java
diff --git a/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/SecuredEcommerceApplication.java b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/SecuredEcommerceApplication.java
new file mode 100644
index 0000000000..150fe399d1
--- /dev/null
+++ b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/SecuredEcommerceApplication.java
@@ -0,0 +1,13 @@
+package com.baeldung.permitallanonymous;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.ComponentScan;
+
+@SpringBootApplication
+@ComponentScan("com.baeldung.permitallanonymous.*")
+public class SecuredEcommerceApplication {
+    public static void main(String[] args) {
+        SpringApplication.run(SecuredEcommerceApplication.class, args);
+    }
+}
diff --git a/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/controller/EcommerceController.java b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/controller/EcommerceController.java
new file mode 100644
index 0000000000..bbfb5b9056
--- /dev/null
+++ b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/controller/EcommerceController.java
@@ -0,0 +1,27 @@
+package com.baeldung.permitallanonymous.controller;
+
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class EcommerceController {
+
+    //can be accessed by only logged-in users
+    @GetMapping("/private/showCart")
+    public @ResponseBody String showCart() {
+        return "Show Cart";
+    }
+
+    //can we accessed by both anonymous and authenticated users
+    @GetMapping("/public/showProducts")
+    public @ResponseBody String listProducts() {
+        return "List Products";
+    }
+
+    //can be access by only anonymous users not by authenticated users
+    @GetMapping("/public/registerUser")
+    public @ResponseBody String registerUser() {
+        return "Register User";
+    }
+}
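Review bot: The `@ComponentScan("com.baeldung.permitallanonymous.*")` on the application class passes a base package with a trailing `.*`, but `basePackages` takes package names, not glob patterns; the value is turned into a classpath location, so the `*` segment does not mean "this package and everything below it" and, if I read the scanner right, classes directly in `com.baeldung.permitallanonymous` would not be picked up through it. Because `@SpringBootApplication` already scans the class's own package and its subpackages, the annotation is at best redundant and at worst narrows the scan; drop it, or write `@ComponentScan("com.baeldung.permitallanonymous")`. The test in this patch boots with `classes = SecuredEcommerceApplication.class`, so a scan problem here would show up as a missing `SecurityFilterChain` or controller bean rather than as a wrong status code.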
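Review bot: Two of the three endpoint comments in `EcommerceController` have typos that muddle the access rule they are meant to record: `//can we accessed by both anonymous and authenticated users` should read `//can be accessed by both anonymous and authenticated users`, and `//can be access by only anonymous users not by authenticated users` should read `//can be accessed only by anonymous users, not by authenticated users`. These comments are the only statement of intended policy next to the handlers, so they need to match `EcommerceWebSecurityConfig` word for word. Separately, `@ResponseBody` on each handler is implied by `@RestController` and can be dropped.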
diff --git a/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/security/EcommerceWebSecurityConfig.java b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/security/EcommerceWebSecurityConfig.java
new file mode 100644
index 0000000000..68c90fdae0
--- /dev/null
+++ b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/security/EcommerceWebSecurityConfig.java
@@ -0,0 +1,41 @@
+package com.baeldung.permitallanonymous.security;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+public class EcommerceWebSecurityConfig {
+    @Bean
+    public InMemoryUserDetailsManager userDetailsService(PasswordEncoder passwordEncoder) {
+        UserDetails user = User.withUsername("spring")
+            .password(passwordEncoder.encode("secret"))
+            .roles("USER")
+            .build();
+
+        return new InMemoryUserDetailsManager(user);
+    }
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        http.authorizeRequests()
+            .antMatchers("/private/**").authenticated().and().httpBasic()
+            .and().authorizeRequests()
+            .antMatchers("/public/showProducts").permitAll()
+            .antMatchers("/public/registerUser").anonymous();
+
+        return http.build();
+    }
+
+    @Bean
+    public BCryptPasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+}
diff --git a/spring-boot-modules/spring-boot-security/src/test/java/com/baeldung/permitallanonymous/SecureEcommerceApplicationUnitTest.java b/spring-boot-modules/spring-boot-security/src/test/java/com/baeldung/permitallanonymous/SecureEcommerceApplicationUnitTest.java
new file mode 100644
index 0000000000..3c73caf1fd
--- /dev/null
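Review bot: The authorization rules in `filterChain` cover only `/private/**`, `/public/showProducts` and `/public/registerUser`, and nothing closes the chain: a request matching none of the `antMatchers` gets no authorization decision from `authorizeRequests()` in its default configuration and is served, so any other path in the application (error pages, actuator endpoints if they are added, future controllers) is effectively public. Terminate the rule list with `.anyRequest().denyAll()`, or `.anyRequest().authenticated()` if the rest of the application is meant to be login-only, so the policy fails closed. The same gap is present on the new side of the `filterChain` hunk in the second patch (`@@ -23,9 +25,11 @@`), which only prepends the audit filter. While here, the two `authorizeRequests()` blocks can be merged into one and `httpBasic()` configured after it, which leaves a single rule list to audit.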
+++ b/spring-boot-modules/spring-boot-security/src/test/java/com/baeldung/permitallanonymous/SecureEcommerceApplicationUnitTest.java 
@@ -0,0 +1,70 @@
+package com.baeldung.permitallanonymous;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.security.test.context.support.WithAnonymousUser;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = SecuredEcommerceApplication.class)
+@AutoConfigureMockMvc
+public class SecureEcommerceApplicationUnitTest {
+    @Autowired
+    private MockMvc mockMvc;
+    private static final Logger logger = LoggerFactory.getLogger(SecureEcommerceApplicationUnitTest.class);
+
+    @WithAnonymousUser
+    @Test
+    public void givenAnonymousUser_whenAccessToUserRegisterPage_thenAllowAccess() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/public/registerUser"))
+            .andExpect(MockMvcResultMatchers.status().isOk())
+            .andExpect(MockMvcResultMatchers.content().string("Register User"));
+    }
+
+    @WithMockUser(username = "spring", password = "secret")
+    @Test
+    public void givenAuthenticatedUser_whenAccessToUserRegisterPage_thenDenyAccess() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/public/registerUser"))
+            .andExpect(MockMvcResultMatchers.status().isForbidden());
+    }
+
+    @WithMockUser(username = "spring", password = "secret")
+    @Test
+    public void givenAuthenticatedUser_whenAccessToProductLinePage_thenAllowAccess() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/public/showProducts"))
+            .andExpect(MockMvcResultMatchers.status().isOk())
+            .andExpect(MockMvcResultMatchers.content().string("List Products"));
+    }
+
+    @WithAnonymousUser
+    @Test
+    public void givenAnonymousUser_whenAccessToProductLinePage_thenAllowAccess() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/public/showProducts"))
+            .andExpect(MockMvcResultMatchers.status().isOk())
+            .andExpect(MockMvcResultMatchers.content().string("List Products"));
+    }
+
+    @WithMockUser(username = "spring", password = "secret")
+    @Test
+    public void givenAuthenticatedUser_whenAccessToCartPage_thenAllowAccess() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/private/showCart"))
+            .andExpect(MockMvcResultMatchers.status().isOk())
+            .andExpect(MockMvcResultMatchers.content().string("Show Cart"));
+    }
+
+    @WithAnonymousUser
+    @Test
+    public void givenAnonymousUser_whenAccessToCartPage_thenDenyAccess() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/private/showCart"))
+            .andExpect(MockMvcResultMatchers.status().isUnauthorized());
+    }
+}
From 5f018b3186c50e936968cd9c31b4e492bdb403a1 Mon Sep 17 00:00:00 2001
From: parthiv39731 <70740707+parthiv39731@users.noreply.github.com>
Date: Tue, 19 Sep 2023 09:49:03 -0700
Subject: [PATCH 2/2] BAEL-7005, Difference Between permitAll() and anonymous() in Spring Security
---
 .../controller/EcommerceController.java | 2 ++
 .../filter/AuditInterceptor.java | 33 +++++++++++++++++++
 .../security/EcommerceWebSecurityConfig.java | 9 +++--
 3 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/filter/AuditInterceptor.java
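Review bot: `SecureEcommerceApplicationUnitTest` is named as a unit test but boots the whole application context with `@SpringBootTest` and drives the real security filter chain through `MockMvc`; if this repository's `*IntegrationTest` naming convention applies to this module, the class should be renamed `SecureEcommerceApplicationIntegrationTest` so it runs in the right build phase. `webEnvironment = RANDOM_PORT` starts a servlet container that the `MockMvc` requests never reach; the default `WebEnvironment.MOCK` is sufficient and faster. The `logger` field is never used, and `password = "secret"` on `@WithMockUser` has no effect because the mocked principal bypasses the password check, so both can be removed. One more case is worth pinning down: a request to a path outside the three configured matchers, which documents what `filterChain` does for unmatched URLs and guards the expected behaviour whatever the configuration ends up being.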
diff --git a/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/controller/EcommerceController.java b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/controller/EcommerceController.java
index bbfb5b9056..8f20baee10 100644
--- a/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/controller/EcommerceController.java
+++ b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/controller/EcommerceController.java
@@ -24,4 +24,6 @@ public class EcommerceController {
     public @ResponseBody String registerUser() {
         return "Register User";
     }
+
 }
+
diff --git a/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/filter/AuditInterceptor.java b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/filter/AuditInterceptor.java
new file mode 100644
index 0000000000..c0a5f6972f
--- /dev/null
+++ b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/filter/AuditInterceptor.java
@@ -0,0 +1,33 @@
+package com.baeldung.permitallanonymous.filter;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class AuditInterceptor extends OncePerRequestFilter {
+    private final Logger logger = LoggerFactory.getLogger(AuditInterceptor.class);
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+        throws ServletException, IOException {
+
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if (authentication instanceof AnonymousAuthenticationToken) {
+            logger.info("Audit anonymous user");
+        }
+        if (authentication instanceof UsernamePasswordAuthenticationToken) {
+            logger.info("Audit registered user");
+        }
+        filterChain.doFilter(request, response);
+    }
+}
\ No newline at end of file
diff --git a/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/security/EcommerceWebSecurityConfig.java b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/security/EcommerceWebSecurityConfig.java
index 68c90fdae0..566ec49e42 100644
--- a/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/security/EcommerceWebSecurityConfig.java
+++ b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/security/EcommerceWebSecurityConfig.java
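Review bot: The second branch of `doFilterInternal` audits only principals whose `Authentication` is a `UsernamePasswordAuthenticationToken`, so a request authenticated by any other mechanism (remember-me, pre-authentication, OAuth2 if it is added later) falls through both `if` blocks and is never logged; an audit filter that silently skips part of the authenticated traffic is misleading, because readers of the log assume it is complete. Replace the type test with `if (authentication != null && authentication.isAuthenticated() && !(authentication instanceof AnonymousAuthenticationToken))`, which covers every non-anonymous principal. The two entries also carry no context that an audit could act on; `logger.info("Audit registered user {} {} {}", authentication.getName(), request.getMethod(), request.getRequestURI())` (and the same shape for the anonymous branch) records who attempted what, with the caveat that the URI is caller-supplied and must be treated as untrusted by whatever consumes the log. Since the filter runs before authorization, a class-level Javadoc should state that it records access attempts, not granted access, and the name would be clearer as `AuditFilter`, matching both its package and its `OncePerRequestFilter` base class.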
@@ -1,5 +1,6 @@
 package com.baeldung.permitallanonymous.security;
 
+import com.baeldung.permitallanonymous.filter.AuditInterceptor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -10,6 +11,7 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 
 @Configuration
 @EnableWebSecurity
@@ -23,9 +25,11 @@ public class EcommerceWebSecurityConfig {
 
         return new InMemoryUserDetailsManager(user);
     }
+
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.authorizeRequests()
+        http.addFilterAfter(new AuditInterceptor(), AnonymousAuthenticationFilter.class)
+            .authorizeRequests()
             .antMatchers("/private/**").authenticated().and().httpBasic()
             .and().authorizeRequests()
             .antMatchers("/public/showProducts").permitAll()
@@ -38,4 +42,5 @@ public class EcommerceWebSecurityConfig {
     public BCryptPasswordEncoder passwordEncoder() {
         return new BCryptPasswordEncoder();
     }
-}
+
+}
\ No newline at end of file
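Review bot: In the `@@ -23,9 +25,11 @@` hunk, `filterChain` registers `new AuditInterceptor()` with `addFilterAfter(..., AnonymousAuthenticationFilter.class)`, which places it after the anonymous token is populated but before the authorization step, so the audit line is written before any access decision: the authenticated request to `/public/registerUser` that the tests expect to end in 403 is still logged as a registered-user access. If recording attempts is the intent, say so on that line, e.g. `// audit runs before authorization: it records attempts, not granted access`; if granted access is what should be audited, the filter has to sit after authorization (`addFilterAfter(new AuditInterceptor(), FilterSecurityInterceptor.class)`) or inspect the response status once `filterChain.doFilter` returns. Because the filter is created with `new` rather than declared as a bean, it must not also be annotated `@Component`, otherwise Boot would register a second instance as a plain servlet filter outside the security chain; a short comment noting that would prevent the usual follow-up mistake. `filterChain`'s body continues past the hunk (`return http.build()` is outside it).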