dlcs · hairmare · Oct 21, 2020 · garyttierney · Oct 30, 2020 · hairmare
diff --git a/elucidate-server/src/main/java/com/digirati/elucidate/infrastructure/config/AuthConfig.java b/elucidate-server/src/main/java/com/digirati/elucidate/infrastructure/config/AuthConfig.java
@@ -11,6 +11,7 @@
 import com.digirati.elucidate.repository.security.GroupRepository;
 import com.digirati.elucidate.repository.security.UserRepository;
 import org.apache.commons.lang3.StringUtils;
+import org.springframework.http.HttpMethod;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
@@ -19,7 +20,6 @@
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.jwt.crypto.sign.MacSigner;
 import org.springframework.security.jwt.crypto.sign.RsaVerifier;
@@ -69,11 +69,17 @@ public class AuthConfig implements ResourceServerConfigurer {
     private String uidProperties;
 
     /**
-     * The public key used to verify a tokens signature.
+     * Is auth enabled?
      */
     @Value("${auth.enabled:false}")
     private boolean authEnabled;
 
+    /**
+     * Allow anonymous access to /w3c/* and /oa/* endpoints even when auth is enabled?
+     */
+    @Value("${auth.anonReadAccess:false}")
+    private boolean anonReadAccess;
+
     /**
      * The URL scheme that will be used in the OAuth2 resource id.
      */
@@ -119,16 +125,30 @@ public void configure(ResourceServerSecurityConfigurer resources) throws Excepti
 
     @Override
     public void configure(HttpSecurity http) throws Exception {
-        ExpressionUrlAuthorizationConfigurer.AuthorizedUrl authorizationConfigurer = http
-            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-            .and()
-            .authorizeRequests()
-            .anyRequest();
-
-        if (authEnabled) {
-            authorizationConfigurer.authenticated();
+        HttpSecurity authorizationConfigurer = http
+            .sessionManagement()
+            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+            .and();
+
+        if (authEnabled && anonReadAccess) {
+            authorizationConfigurer
+                .authorizeRequests()
+                    .antMatchers(HttpMethod.GET, "/w3c/**", "/oa/**")
+                    .permitAll()
+                    .and()
+                .authorizeRequests()
+                    .anyRequest()
+                    .authenticated();
+        } else if (authEnabled) {
+            authorizationConfigurer
+                .authorizeRequests()
+                    .anyRequest()
+                    .authenticated();
         } else {
-            authorizationConfigurer.permitAll();
+            authorizationConfigurer
+                .authorizeRequests()
+                    .anyRequest()
+                    .permitAll();
         }
     }
 

diff --git a/...va/com/digirati/elucidate/infrastructure/security/impl/JwtUserSecurityDetailsContext.java b/...va/com/digirati/elucidate/infrastructure/security/impl/JwtUserSecurityDetailsContext.java
@@ -10,6 +10,7 @@
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
 
 import java.util.Collection;
 
@@ -20,6 +21,9 @@ public class JwtUserSecurityDetailsContext implements UserSecurityDetailsContext
     @Override
     public boolean isAuthorized(Permission operation, AbstractAnnotation annotation) {
         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+        if (auth instanceof AnonymousAuthenticationToken) {
 .authorizeRequests() 
     .antMatchers(HttpMethod.GET, "/w3c/**", "/oa/**") 
     .permitAll() 
     .and() 
 .authorizeRequests() 
     .anyRequest() 
     .authenticated(); 
 .authorizeRequests() 
     .antMatchers(HttpMethod.GET, "/w3c/**", "/oa/**") 
     .permitAll() 
     .and() 
 .authorizeRequests() 
     .anyRequest() 
     .authenticated(); 
+            return true;
+        }
         UserSecurityDetails details = (UserSecurityDetails) auth.getPrincipal();
         Collection<? extends GrantedAuthority> roles = auth.getAuthorities();
 

diff --git a/elucidate-server/src/main/resources/eludicate-server.properties b/elucidate-server/src/main/resources/eludicate-server.properties
@@ -145,6 +145,7 @@ auth.enabled=false
 auth.token.verifierType=secret
 auth.token.verifierKey=
 auth.token.uidProperties=sub,user_name
+auth.anonReadAccess=false
 
 # Generator to use when generating Security Group IDs
 annotation.group.id.generator=com.digirati.elucidate.infrastructure.generator.impl.UUIDIDGeneratorImpl