gladius/firebase-spring-boot-rest-api-authentication

Not an issue but a return of experience

Sylvain-Assemat-DGC opened this issue · 4 comments

Hi gladius

Maybe just a point about securityProperties.getAllowedPublicApis()

It would be useful to create another service method to take care of the regexp annotation antMatchers(securityProperties.getAllowedPublicApis())

I mean in complement of this method

	public boolean isPublic() {
		return securityProperties.getAllowedPublicApis().contains(httpServletRequest.getRequestURI());
	}

Something like that

	public boolean isPublic() {
		if (securityProperties.getAllowedPublicApis() == null || securityProperties.getAllowedPublicApis().isEmpty()) {
			return false; //By default 'false' for protection
		}
		
		for (String antRegexp : securityProperties.getAllowedPublicApis()) {
			AntPathRequestMatcher matcher = new AntPathRequestMatcher(antRegexp);
			if (matcher.matches(httpServletRequest)) {
				//LOG.info("--> IS  PUBLIC : "+httpServletRequest.getRequestURI()+" <==> "+antRegexp);
				return true;
			}
		}
		//LOG.info("--> NOT PUBLIC : "+httpServletRequest.getRequestURI());
		return false;
	}

@Sylvain-Assemat-DGC that is a really nice enhancement to have :) . If you have tested this piece of code already and don't mind creating a pull request, please go ahead, if not I will test this out and push during the weekend.

I found time to check on this. If I understand correctly, you are expecting an annotation like @isPublic which can be defined along with @RequestMapping to dynamically make a rest api public.

I couldn't find a straightforward way of doing this in sync with the existing flow right now, but will keep an eye out for doing this eventually.

Hi Gladius

I think that using the "contains" way to compare in the method "isPublic" is a little too restrictive.
The regexp way is more elegant and more suitable in the security configuration.

.antMatchers(securityProperties.getAllowedPublicApis().stream().toArray(String[]::new)).permitAll()

The antMatchers use antPatterns, that's why I advise to use the regexp way.

No need to use an annotation, just an update with my previous code is enough to see the magic :-)
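
Added example, not part of the thread or the project's code: it runs the same allow-list through the exact `contains` check and through Ant-pattern matching, to show where the two disagree. It assumes spring-core on the classpath and uses `AntPathMatcher` on plain path strings instead of `AntPathRequestMatcher`, so no servlet request is needed; the class name, allow-list entries and sample URIs are constructed.

```java
import java.util.List;
import org.springframework.util.AntPathMatcher;

// Added example (hypothetical class name): exact-match vs Ant-pattern allow-list checks.
public class PublicApiCheckDemo {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Behaviour of the original isPublic(): the URI must equal a list entry literally.
    static boolean isPublicExact(List<String> allowed, String uri) {
        return allowed != null && allowed.contains(uri);
    }

    // Behaviour proposed in the thread: every entry is an Ant pattern.
    // A missing or empty list denies by default, as in the posted code.
    static boolean isPublicAnt(List<String> allowed, String uri) {
        if (allowed == null || allowed.isEmpty()) {
            return false;
        }
        return allowed.stream().anyMatch(pattern -> MATCHER.match(pattern, uri));
    }

    public static void main(String[] args) {
        // Constructed stand-in for securityProperties.getAllowedPublicApis().
        List<String> allowed = List.of("/public/**", "/health", "/docs/*.html");

        // Constructed request paths: literal hit, pattern hits, and near misses.
        String[] uris = {
            "/health",              // literal entry: both checks agree
            "/public/info",         // covered by /public/** only as a pattern
            "/public/a/b",          // ** spans several path segments
            "/docs/index.html",     // * matches within one segment
            "/docs/sub/index.html", // * does not cross a '/'
            "/publicity",           // shares a prefix but is a different segment
            "/private/admin"        // never listed
        };

        for (String uri : uris) {
            System.out.printf("%-22s exact=%-5b ant=%b%n",
                    uri, isPublicExact(allowed, uri), isPublicAnt(allowed, uri));
        }
    }
}
```

Any path where the two columns differ is one that `antMatchers(...).permitAll()` treats as public while the `contains`-based `isPublic()` does not.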