Hi, We are currently using this lovely plugin to help us with authenticating with Keycloak. I want to set up alternative authentication methods for certain endpoints, such as HTTP Basic for our OpenAPI YAML file, and API Key Header authentication for another legacy service. Could someone point me in the right direction for getting these authentications set up? I would imagine for HTTP Basic, it'd be enough to permit it in the plugin yaml and then handle it with another filter, but the legacy API key method should work at the same time as the plugin way. My config class for reference is as follows:

```java
import java.util.Collection;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
// spring-addons types (OpenidClaimSet, SpringAddonsOidcProperties, JwtAbstractAuthenticationTokenConverter,
// ExpressionInterceptUrlRegistryPostProcessor) and this project's own classes (CustomUserAuthentication,
// C4MethodSecurityExpressionHandler, CustomUserMethodSecurityExpressionRoot) were imported in the original
// but their import lines are not part of the snippet.

@Configuration
@EnableMethodSecurity
public class WebSecurityConfig {
    @Bean
    JwtAbstractAuthenticationTokenConverter authenticationConverter(
            Converter<Map<String, Object>, Collection<? extends GrantedAuthority>> authoritiesConverter,
            SpringAddonsOidcProperties addonsProperties
    ) {
        // this is where you can specify how to build your security class
        return jwt -> new CustomUserAuthentication(
                new OpenidClaimSet(
                        jwt.getClaims(),
                        addonsProperties.getOpProperties(jwt.getClaims().get(JwtClaimNames.ISS)).getUsernameClaim()
                ),
                authoritiesConverter.convert(jwt.getClaims()),
                jwt.getTokenValue()
        );
    }

    @Bean
    public ExpressionInterceptUrlRegistryPostProcessor expressionInterceptUrlRegistryPostProcessor() {
        // every request handled by the spring-addons resource-server chain must be authenticated
        return (AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) ->
                registry.anyRequest().authenticated();
    }

    @Bean
    MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
        return new C4MethodSecurityExpressionHandler(CustomUserMethodSecurityExpressionRoot::new);
    }
}
```
Replies: 1 comment
As this would be done without spring-addons: define a security filter-chain bean for each of these other security mechanisms. Use an `@Order` of at maximum `LOWEST_PRECEDENCE + 2` (spring-addons resource server filter chain is ordered with `LOWEST_PRECEDENCE` and client's one with `LOWEST_PRECEDENCE + 1`). Do not forget the `securityMatcher` in your own filter-chain(s) or you'll hide spring-addons ones.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import java.util.Optional;

import jakarta.servlet.http.HttpServletRequest; // javax.servlet.http on Spring Boot 2 / Spring Security 5

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain basicAuthFilterChain(HttpSecurity http) throws Exception {
        // process only requests with HTTP Basic Authorization
        http.securityMatcher((HttpServletRequest request) -> {
            return Optional.ofNullable(request.getHeader(HttpHeaders.AUTHORIZATION)).map(h -> {
                return h.toLowerCase().startsWith("basic ");
            }).orElse(false);
        });
        http.httpBasic(withDefaults());
        // answer an unauthenticated request with a proper WWW-Authenticate challenge instead of the default
        http.exceptionHandling(eh -> eh.authenticationEntryPoint((request, response, authException) -> {
            response.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"Restricted Content\"");
            response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
        }));
        // ... (remaining configuration elided in the original reply)
        return http.build();
    }
}
```
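The same pattern applied to the legacy API-key header from the question, as an added example that is neither from the thread nor from spring-addons: a third filter chain that only claims requests carrying an `X-API-Key` header, compares the key in constant time against a configured value, and is ordered after the Basic chain above but before the spring-addons chains. The header name, the `legacy.api-key` property and the `ROLE_LEGACY` authority are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class ApiKeySecurityConfig {
    static final String API_KEY_HEADER = "X-API-Key"; // assumed header name for the legacy client
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE + 1) // after the Basic chain, before the spring-addons chains
    SecurityFilterChain apiKeyFilterChain(HttpSecurity http, @Value("${legacy.api-key}") String expectedKey) throws Exception {
        // securityMatcher: only requests carrying the header reach this chain, all others fall through
        http.securityMatcher(request -> request.getHeader(API_KEY_HEADER) != null);
        http.csrf(csrf -> csrf.disable()); // header-authenticated machine client, no browser session
        http.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        http.addFilterBefore(new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain) throws ServletException, IOException {
                byte[] presented = req.getHeader(API_KEY_HEADER).getBytes(StandardCharsets.UTF_8);
                // MessageDigest.isEqual is constant-time, so response timing does not leak key bytes
                if (!MessageDigest.isEqual(presented, expectedKey.getBytes(StandardCharsets.UTF_8))) {
                    res.sendError(HttpStatus.UNAUTHORIZED.value());
                    return;
                }
                var auth = UsernamePasswordAuthenticationToken.authenticated("legacy-client", null, List.of(new SimpleGrantedAuthority("ROLE_LEGACY")));
                SecurityContextHolder.getContext().setAuthentication(auth);
                chain.doFilter(req, res);
            }
        }, AnonymousAuthenticationFilter.class);
        http.authorizeHttpRequests(reg -> reg.anyRequest().hasRole("LEGACY"));
        return http.build();
    }
}
```

A request without the header never enters this chain, so JWT-bearing calls still reach the spring-addons resource-server chain unchanged.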