
Conversation

@therepanic therepanic commented May 22, 2025

The anonymous interceptor is hardcoded into RSocketSecurity#payloadInterceptors and is added regardless. I think you should add an option to disable adding the anonymous interceptor.

I think the most logical way is to add a flag, which is what I did in this case. I also added a method disableAnonymous which sets the field to true so that we no longer add the anonymous interceptor.

Fixes: #17132

@therepanic therepanic changed the title Aadd option to disable anonymous authentication in RSocketSecurity Add option to disable anonymous authentication in RSocketSecurity May 22, 2025
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 22, 2025
@therepanic
Contributor Author

Hmmm, is the build failing because of a mistake of mine, or is it unrelated to my change?

@jzheaux jzheaux self-assigned this Jul 31, 2025
@jzheaux jzheaux added type: enhancement A general enhancement in: rsocket and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 31, 2025
@jzheaux jzheaux added this to the 7.0.x milestone Jul 31, 2025
@jzheaux jzheaux left a comment

Thanks for the PR, @therepanic! I've left feedback inline.

Also, are you able to add a test that confirms that when anonymous is disabled then it isn't active in the filter chain?

therepanic commented Jul 31, 2025

Thanks for review, @jzheaux! I'd be happy to add the test. I just have one question about it.

I think we could make a test that checks the functionality you described by creating a new test class, let's call it AnonymousAuthenticationITests (similar to SimpleAuthenticationITests). And, similar to how SimpleAuthenticationITests works, we will check the functionality of disabling the addition of the anonymous auth interceptor. I think this is okay, what do you think? Or is there an easier way?

jzheaux commented Aug 1, 2025

@therepanic, that sounds like a good approach. Also, you might consider a test like AnonymousConfigurerTests#requestWhenAnonymousDisabledInLambdaThenRespondsWithForbidden that authorizes only anonymous users. When anonymous is disabled, the requests in that test should fail.

RSocketSecurity doesn't expose the anonymous() access rule, but you can use access(ReactiveAuthorizationManager) to provide one:

```java
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.rsocket.api.PayloadExchange;

AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
ReactiveAuthorizationManager<PayloadExchange> anonymous = (authentication, exchange) ->
    authentication.map(trustResolver::isAnonymous).map(AuthorizationDecision::new);
// ...

.anyExchange().access(anonymous)
```
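
As an added illustration of the approach suggested in the comment above (this is not code from the PR, nor from Spring Security's own sources or tests), here is a complete RSocket security configuration that turns anonymous authentication off and then authorizes only anonymous principals. It assumes the DSL the rest of this thread settles on, RSocketSecurity#anonymous(Customizer<AnonymousAuthenticationSpec>) with AnonymousAuthenticationSpec#disable(), which is inferred from the later comments and the commit message rather than taken from a published API reference, so treat those two names as assumptions. The class name RSocketAnonymousDisabledConfig and the bean method name are likewise illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.config.annotation.rsocket.EnableRSocketSecurity;
import org.springframework.security.config.annotation.rsocket.RSocketSecurity;
import org.springframework.security.rsocket.api.PayloadExchange;
import org.springframework.security.rsocket.core.PayloadSocketAcceptorInterceptor;

// Added example; not part of the PR under discussion.
@Configuration
@EnableRSocketSecurity
public class RSocketAnonymousDisabledConfig {

    @Bean
    PayloadSocketAcceptorInterceptor rsocketInterceptor(RSocketSecurity rsocket) {
        AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

        // Grants only when the Authentication in the reactive context is an
        // anonymous one; with no Authentication present the Mono is empty and
        // the rule grants nothing.
        ReactiveAuthorizationManager<PayloadExchange> anonymousOnly = (authentication, exchange) ->
            authentication.map(trustResolver::isAnonymous).map(AuthorizationDecision::new);

        return rsocket
            // Assumed DSL from this PR (anonymous(...) + disable()): the
            // AnonymousPayloadInterceptor is no longer registered, so no
            // AnonymousAuthenticationToken is ever populated for unauthenticated
            // exchanges.
            .anonymous((anonymous) -> anonymous.disable())
            .authorizePayload((authorize) -> authorize.anyExchange().access(anonymousOnly))
            .build();
    }
}
```

With anonymous disabled, an unauthenticated exchange reaches the authorization interceptor with no Authentication at all, so the anonymous-only rule can never grant and the exchange is rejected; deleting the .anonymous(...) line restores the default anonymous token and the same exchange is allowed through. That contrast is what a test along the lines of the one proposed above should observe.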

@therepanic therepanic force-pushed the gh-17132 branch 2 times, most recently from 7defe58 to 4496a48 Compare August 4, 2025 21:19
@therepanic therepanic requested a review from jzheaux August 4, 2025 21:28
@jzheaux jzheaux added the status: waiting-for-feedback We need additional information before we can continue label Aug 22, 2025
@therepanic
Contributor Author

Thanks for the review again, @jzheaux.

Yes, you are right, I did make a mistake. In a separate commit, for your convenience, I added the creation of an anonymousAuthSpec instance by default, and also added a disable method to AnonymousAuthenticationSpec. In addition, I rolled back all changes in RSocketMessageHandlerITests (as unnecessary), and in our AnonymousAuthenticationITests#requestWhenAnonymousDisabledThenRespondsWithForbidden test, we manually disable anonymous authentication using the disable method.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Aug 23, 2025
therepanic and others added 2 commits August 26, 2025 17:22
Closes: spring-projectsgh-17132

Signed-off-by: Andrey Litvitski <[email protected]>


Signed-off-by: Andrey Litvitski <[email protected]>


Signed-off-by: Andrey Litvitski <[email protected]>
Changed the DSL method name to anonymous to align with jwt.
Since basicAuthentication is deprecated, we don't need to
align with its naming convention.

Also added a since attribute to the method.

Issue spring-projectsgh-17132
@jzheaux jzheaux modified the milestones: 7.0.x, 7.0.0-M3 Aug 26, 2025
@jzheaux jzheaux enabled auto-merge (rebase) August 26, 2025 23:22
jzheaux commented Aug 26, 2025

Thanks for your help with this, @therepanic! This will merge to main once the build completes.

@jzheaux jzheaux merged commit 4cbe8de into spring-projects:main Aug 26, 2025
6 checks passed
Labels: in: rsocket; status: feedback-provided (Feedback has been provided); type: enhancement (A general enhancement)
Successfully merging this pull request may close these issues.

Ability to disable anonymous authentication in RSocketSecurity
3 participants