Support anonymous token #16
Conversation
Mortinke
force-pushed
the
supportAnonymousToken
branch
from
ef11d56
to
4d16cfe
Compare
Mortinke
force-pushed
the
supportAnonymousToken
branch
2 times, most recently
from
a2dd707
to
18e7cc5
Compare
Mortinke
force-pushed
the
supportAnonymousToken
branch
from
18e7cc5
to
82141a9
Compare
|
|
||
| @NonNull | ||
| private Set<String> unauthenticatedPaths; | ||
|
|
There was a problem hiding this comment.
Bad API design. The token filter gets a set of strings. These given strings have a special meaning because they bypass the normal jwt-token handling.
Better: use a builder pattern or use a special method like addUnauthenticatedPaths. You must make the exceptional cases explicitly!
Mortinke
force-pushed
the
supportAnonymousToken
branch
from
82141a9
to
12dd7d6
Compare
| log.warn("no JWT token found {}{} ({})", request.getServletPath(), pathInfo != null ? pathInfo : "", | ||
| header); | ||
| throw new InvalidTokenException("no token"); | ||
| if (unauthenticatedPaths.toJavaStream().filter(path -> antPathMatcher.match(path, pathToCheck)).count() == 0) { |
There was a problem hiding this comment.
if (unauthenticatedPaths.toJavaStream().noneMatch(path -> antPathMatcher.match(path, pathToCheck)))
| @@ -15,40 +15,64 @@ | |||
| */ | |||
There was a problem hiding this comment.
That's not JavaDoc (use * instead of **)
| String tokenHeader = request.getHeader(TOKEN_HEADER); | ||
|
|
||
| if (tokenHeader == null || !tokenHeader.startsWith("Bearer ")) { | ||
| final String pathInfo = String.valueOf(request.getPathInfo()).replace("null",""); |
There was a problem hiding this comment.
I'd prefer a dedicated method for this large block (getAuthenticationWithoutToken(request, tokenHeader)).
| String header = request.getHeader(TOKEN_HEADER); | ||
| String tokenHeader = request.getHeader(TOKEN_HEADER); | ||
|
|
||
| if (tokenHeader == null || !tokenHeader.startsWith("Bearer ")) { |
There was a problem hiding this comment.
Could you introduce a local variable/method to describe what this means? noToken?
|
replaced by #18 |
Use Case
The root endpoint of an API should deliver different links depending on the presence of a valid JWT token.
If a valid JWT exists, the links for the private sector should be delivered. If JWT doesn't exists, the links for the public sector should be delivered.
To implement this, we added the root endpoint as
addAnonymousPaths. Unfortunately, aJWTPrincipal.fromContext()will result afterwards in a NPE as spring-security will be ignored for unauthenticated paths (configured here).Behavior after this pull request:
An
AnonymousAuthenticationTokenis returned, if no JWT is used for an anonymous path. If a JWT is used for an anonymous path, the old behavior should still to be used (e.g. JWT is expired).