BAEL-7005, Difference Between permitAll() and anonymous() in Spring Security

2023-09-18 20:59:43 -07:00 · 2023-09-18 20:59:43 -07:00 · d6cd33fec7
parent c54cd04c33
commit d6cd33fec7
4 changed files with 151 additions and 0 deletions
--- a/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/SecuredEcommerceApplication.java
+++ b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/SecuredEcommerceApplication.java
@ -0,0 +1,13 @@
+package com.baeldung.permitallanonymous;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.ComponentScan;
+
+@SpringBootApplication
+@ComponentScan("com.baeldung.permitallanonymous.*")
+public class SecuredEcommerceApplication {
+    public static void main(String[] args) {
+        SpringApplication.run(SecuredEcommerceApplication.class, args);
+    }
+}
--- a/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/controller/EcommerceController.java
+++ b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/controller/EcommerceController.java
@ -0,0 +1,27 @@
+package com.baeldung.permitallanonymous.controller;
+
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class EcommerceController {
+
+    //can be accessed by only logged-in users
+    @GetMapping("/private/showCart")
+    public @ResponseBody String showCart() {
+        return "Show Cart";
+    }
+
+    //can we accessed by both anonymous and authenticated users
+    @GetMapping("/public/showProducts")
+    public @ResponseBody String listProducts() {
+        return "List Products";
+    }
+
+    //can be access by only anonymous users not by authenticated users
+    @GetMapping("/public/registerUser")
+    public @ResponseBody String registerUser() {
+        return "Register User";
+    }
+}
--- a/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/security/EcommerceWebSecurityConfig.java
+++ b/spring-boot-modules/spring-boot-security/src/main/java/com/baeldung/permitallanonymous/security/EcommerceWebSecurityConfig.java
@ -0,0 +1,41 @@
+package com.baeldung.permitallanonymous.security;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+public class EcommerceWebSecurityConfig {
+    @Bean
+    public InMemoryUserDetailsManager userDetailsService(PasswordEncoder passwordEncoder) {
+        UserDetails user = User.withUsername("spring")
+                .password(passwordEncoder.encode("secret"))
+                .roles("USER")
+                .build();
+
+        return new InMemoryUserDetailsManager(user);
+    }
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        http.authorizeRequests()
+                .antMatchers("/private/**").authenticated().and().httpBasic()
+                .and().authorizeRequests()
+                .antMatchers("/public/showProducts").permitAll()
+                .antMatchers("/public/registerUser").anonymous();
+
+        return http.build();
+    }
+
+    @Bean
+    public BCryptPasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+}
--- a/spring-boot-modules/spring-boot-security/src/test/java/com/baeldung/permitallanonymous/SecureEcommerceApplicationUnitTest.java
+++ b/spring-boot-modules/spring-boot-security/src/test/java/com/baeldung/permitallanonymous/SecureEcommerceApplicationUnitTest.java
@ -0,0 +1,70 @@
+package com.baeldung.permitallanonymous;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.security.test.context.support.WithAnonymousUser;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = SecuredEcommerceApplication.class)
+@AutoConfigureMockMvc
+public class SecureEcommerceApplicationUnitTest {
+    @Autowired
+    private MockMvc mockMvc;
+    private static final Logger logger = LoggerFactory.getLogger(SecureEcommerceApplicationUnitTest.class);
+
+    @WithAnonymousUser
+    @Test
+    public void givenAnonymousUser_whenAccessToUserRegisterPage_thenAllowAccess() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/public/registerUser"))
+                .andExpect(MockMvcResultMatchers.status().isOk())
+                .andExpect(MockMvcResultMatchers.content().string("Register User"));
+    }
+
+    @WithMockUser(username = "spring", password = "secret")
+    @Test
+    public void givenAuthenticatedUser_whenAccessToUserRegisterPage_thenDenyAccess() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/public/registerUser"))
+                .andExpect(MockMvcResultMatchers.status().isForbidden());
+    }
+
+    @WithMockUser(username = "spring", password = "secret")
+    @Test
+    public void givenAuthenticatedUser_whenAccessToProductLinePage_thenAllowAccess() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/public/showProducts"))
+                .andExpect(MockMvcResultMatchers.status().isOk())
+                .andExpect(MockMvcResultMatchers.content().string("List Products"));
+    }
+
+    @WithAnonymousUser
+    @Test
+    public void givenAnonymousUser_whenAccessToProductLinePage_thenAllowAccess() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/public/showProducts"))
+                .andExpect(MockMvcResultMatchers.status().isOk())
+                .andExpect(MockMvcResultMatchers.content().string("List Products"));
+    }
+
+    @WithMockUser(username = "spring", password = "secret")
+    @Test
+    public void givenAuthenticatedUser_whenAccessToCartPage_thenAllowAccess() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/private/showCart"))
+                .andExpect(MockMvcResultMatchers.status().isOk())
+                .andExpect(MockMvcResultMatchers.content().string("Show Cart"));
+    }
+
+    @WithAnonymousUser
+    @Test
+    public void givenAnonymousUser_whenAccessToCartPage_thenDenyAccess() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/private/showCart"))
+                .andExpect(MockMvcResultMatchers.status().isUnauthorized());
+    }
+}