
Add option to disable anonymous authentication in RSocketSecurity #17159


Open: wants to merge 1 commit into base: main

Conversation

@therepanic (Contributor) commented May 22, 2025

The anonymous interceptor is hardcoded into RSocketSecurity#payloadInterceptors and is added regardless. I think you should add an option to disable adding the anonymous interceptor.

I think the most logical way is to add a flag, which is what I did in this case. I also added a method, disableAnonymous, which sets the field to true so that we no longer add the anonymous interceptor.

Fixes: #17132

@therepanic therepanic changed the title Aadd option to disable anonymous authentication in RSocketSecurity Add option to disable anonymous authentication in RSocketSecurity May 22, 2025
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage label May 22, 2025
@therepanic (Contributor Author)

Hmmm, is the build failing because of a mistake of mine, or is it unrelated to me?

@jzheaux jzheaux self-assigned this Jul 31, 2025
@jzheaux jzheaux added type: enhancement and in: rsocket labels and removed the status: waiting-for-triage label Jul 31, 2025
@jzheaux jzheaux added this to the 7.0.x milestone Jul 31, 2025
@jzheaux (Contributor) left a comment

Thanks for the PR, @therepanic! I've left feedback inline.

Also, are you able to add a test that confirms that, when anonymous is disabled, it isn't active in the filter chain?

* Disables anonymous authentication.
* @return the builder for additional customizations
*/
public RSocketSecurity disableAnonymous() {
Contributor

While I agree that this is a straightforward way to expose the feature, I see some additional benefit in exposing it in a way that's similar to HttpSecurity and ServerHttpSecurity. Are you able to add this feature in the following way instead?

@therepanic (Contributor Author) Jul 31, 2025

I agree, that would indeed be better. I think we should add a class similar to RSocketSecurity.BasicAuthenticationSpec, but without fields, and its build() method will execute the logic of the current anonymous() method. And I think we can then remove that method as unnecessary.
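As an added sketch, not code from this PR or from Spring Security, here is one shape the spec-style API discussed in the two comments above could take, following RSocketSecurity.BasicAuthenticationSpec and the HttpSecurity idiom anonymous(AbstractHttpConfigurer::disable). The class AnonymousSpecSketch, the nested AnonymousSpec, its disable() method and the disabled flag are assumptions made for the illustration; AnonymousPayloadInterceptor, PayloadInterceptorOrder, PayloadInterceptor and Customizer are existing Spring Security types, and the "anonymousUser" key is assumed to match what the current anonymous() method uses.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.config.Customizer;
import org.springframework.security.rsocket.api.PayloadInterceptor;
import org.springframework.security.rsocket.authentication.AnonymousPayloadInterceptor;
import org.springframework.security.rsocket.core.PayloadInterceptorOrder;

/**
 * Hypothetical sketch (not the project's code) of an RSocketSecurity-style
 * anonymous spec. Mirrors HttpSecurity/ServerHttpSecurity, where a disable()
 * on the spec removes the anonymous component from the chain.
 */
public class AnonymousSpecSketch {

	private final List<PayloadInterceptor> payloadInterceptors = new ArrayList<>();

	// Always present, like the other specs; the customizer only flips its flag.
	private final AnonymousSpec anonymousSpec = new AnonymousSpec();

	// Entry point in the style of basicAuthentication(Customizer<BasicAuthenticationSpec>).
	public AnonymousSpecSketch anonymous(Customizer<AnonymousSpec> customizer) {
		customizer.customize(this.anonymousSpec);
		return this;
	}

	// Counterpart of the interceptor assembly that today adds the anonymous
	// interceptor unconditionally: here it is added only when not disabled.
	List<PayloadInterceptor> payloadInterceptors() {
		List<PayloadInterceptor> result = new ArrayList<>(this.payloadInterceptors);
		if (!this.anonymousSpec.disabled) {
			result.add(this.anonymousSpec.build());
		}
		return result;
	}

	public static final class AnonymousSpec {

		private boolean disabled;

		private AnonymousSpec() {
		}

		/**
		 * Disables anonymous authentication: an exchange without credentials
		 * then carries no Authentication at all instead of an anonymous one.
		 */
		public AnonymousSpec disable() {
			this.disabled = true;
			return this;
		}

		// The construction the existing private anonymous() method performs,
		// moved into the spec as the comment above proposes. The key string
		// is an assumption for this sketch.
		PayloadInterceptor build() {
			AnonymousPayloadInterceptor result = new AnonymousPayloadInterceptor("anonymousUser");
			result.setOrder(PayloadInterceptorOrder.ANONYMOUS.getOrder());
			return result;
		}

	}

}
```

With this shape the caller writes rsocket.anonymous(AnonymousSpec::disable), mirroring the HttpSecurity and ServerHttpSecurity idiom. The assembled interceptor list then contains no AnonymousPayloadInterceptor, so an unauthenticated exchange reaches the authorization interceptor with an empty Authentication rather than an AnonymousAuthenticationToken.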

@therepanic (Contributor Author) commented Jul 31, 2025

Thanks for the review, @jzheaux! I'd be happy to add the test. I just have one question about it.

I think we could make a test that checks the functionality you described by creating a new test class, let's call it AnonymousAuthenticationITests (similar to SimpleAuthenticationITests). And, similar to how SimpleAuthenticationITests works, we will check the functionality of disabling the addition of the anonymous auth interceptor. I think this is okay, what do you think? Or is there an easier way?

@jzheaux (Contributor) commented Aug 1, 2025

@therepanic, that sounds like a good approach. Also, you might consider a test like AnonymousConfigurerTests#requestWhenAnonymousDisabledInLambdaThenRespondsWithForbidden that authorizes only anonymous users. When anonymous is disabled, the requests in that test should fail.

RSocketSecurity doesn't expose the anonymous() access rule, but you can use access(ReactiveAuthorizationManager) to provide one:

import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.rsocket.api.PayloadExchange;

// Grants access only when the resolved Authentication is anonymous. An empty
// authentication Mono yields no decision, which verify() treats as Access Denied.
AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
ReactiveAuthorizationManager<PayloadExchange> anonymous = (authentication, exchange) ->
    authentication.map(trustResolver::isAnonymous).map(AuthorizationDecision::new);
// ...
.anyExchange().access(anonymous)
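As an added illustration, not part of the PR or of the project's test suite, the following exercises the anonymous-only access rule from the comment above against the three authentication states an RSocket exchange can arrive with, so the expected outcome of the suggested test is visible without a full RSocket server. It assumes spring-security-core, spring-security-rsocket and reactor-test on the classpath; the class name AnonymousOnlyAccessRuleCheck and the token values are constructed for this example. Because the rule never inspects the exchange, null stands in for a real PayloadExchange.

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.rsocket.api.PayloadExchange;
import reactor.core.publisher.Mono;
import reactor.test.StepVerifier;

/**
 * Added check (not the project's code) of the anonymous-only rule suggested in
 * the review: granted for an anonymous Authentication, denied for a real user,
 * and denied when no Authentication is present at all.
 */
public class AnonymousOnlyAccessRuleCheck {

	static final AuthenticationTrustResolver TRUST_RESOLVER = new AuthenticationTrustResolverImpl();

	// Same rule as in the review comment: grant only when the Authentication is anonymous.
	static final ReactiveAuthorizationManager<PayloadExchange> ANONYMOUS_ONLY =
			(authentication, exchange) -> authentication.map(TRUST_RESOLVER::isAnonymous)
					.map(AuthorizationDecision::new);

	// The rule ignores the exchange, so a placeholder is enough here (constructed input).
	static final PayloadExchange EXCHANGE = null;

	public static void main(String[] args) {
		// 1. Anonymous interceptor active: an AnonymousAuthenticationToken is present -> granted.
		Authentication anonymous = new AnonymousAuthenticationToken("key", "anonymousUser",
				AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
		StepVerifier.create(ANONYMOUS_ONLY.verify(Mono.just(anonymous), EXCHANGE))
				.verifyComplete();

		// 2. An authenticated user: not anonymous -> denied.
		Authentication user = new TestingAuthenticationToken("user", "password", "ROLE_USER");
		StepVerifier.create(ANONYMOUS_ONLY.verify(Mono.just(user), EXCHANGE))
				.expectError(AccessDeniedException.class)
				.verify();

		// 3. Anonymous disabled: no interceptor populated an Authentication, so the Mono
		//    is empty. The rule emits no decision and verify() turns that into
		//    AccessDeniedException, which is the failure the suggested test should see.
		StepVerifier.create(ANONYMOUS_ONLY.verify(Mono.empty(), EXCHANGE))
				.expectError(AccessDeniedException.class)
				.verify();

		System.out.println("anonymous-only rule: granted for anonymous, denied otherwise");
	}

}
```

Case 3 is the one that distinguishes the two configurations: with the anonymous interceptor in the chain the rule sees case 1 and the request succeeds; with it disabled the same request falls into case 3 and is rejected, so a test that authorizes only anonymous users fails exactly when the new option is in effect.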

Development

Successfully merging this pull request may close these issues: Ability to disable anonymous authentication in RSocketSecurity
3 participants