When overriding default GRPC security configuration, @Secured annotation is enabled by default.

Author: Alexander Furer

ReleaseNotes.adoc

@@ -1,3 +1,6 @@
+== Version 4.2.1-SNAPSHOT
+* When overriding default GRPC security configuration, `@Secured` annotation is enabled by default.
+
 == Version 4.2.0
 * gRPC version upgraded to 1.33.0
 * Fixed the issue with default method-level `@Secured` annotation (see #159)

grpc-spring-boot-starter-demo/src/main/java/org/lognet/springboot/grpc/demo/GreeterService.java

@@ -29,12 +29,15 @@ public void sayAuthHello(Empty request, StreamObserver<GreeterOuterClass.HelloRe
 
 
         final Authentication auth = GrpcSecurity.AUTHENTICATION_CONTEXT_KEY.get();
-        String user = auth.getName();
-        if(auth instanceof JwtAuthenticationToken){
-            user = JwtAuthenticationToken.class.cast(auth).getTokenAttributes().get("preferred_username").toString();
+        if(null!=auth) {
+            String user = auth.getName();
+            if (auth instanceof JwtAuthenticationToken) {
+                user = JwtAuthenticationToken.class.cast(auth).getTokenAttributes().get("preferred_username").toString();
+            }
+            responseObserver.onNext(GreeterOuterClass.HelloReply.newBuilder().setMessage(user).build());
+        }else{
+            responseObserver.onNext(GreeterOuterClass.HelloReply.newBuilder().setMessage("Hello").build());
         }
-
-        responseObserver.onNext(GreeterOuterClass.HelloReply.newBuilder().setMessage(user).build());
         responseObserver.onCompleted();
     }
 }

grpc-spring-boot-starter-demo/src/test/java/org/lognet/springboot/grpc/auth/DisabledSecuredAnnTest.java

@@ -0,0 +1,49 @@
+package org.lognet.springboot.grpc.auth;
+
+
+import com.google.protobuf.Empty;
+import io.grpc.examples.GreeterGrpc;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.lognet.springboot.grpc.demo.DemoApp;
+import org.lognet.springboot.grpc.security.EnableGrpcSecurity;
+import org.lognet.springboot.grpc.security.GrpcSecurity;
+import org.lognet.springboot.grpc.security.GrpcSecurityConfigurerAdapter;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.context.annotation.Import;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import static org.junit.Assert.assertNotNull;
+
+
+@SpringBootTest(classes = DemoApp.class)
+@RunWith(SpringRunner.class)
+@Import({DisabledSecuredAnnTest.TestCfg.class})
+public class DisabledSecuredAnnTest extends JwtAuthBaseTest {
+
+
+    @TestConfiguration
+    @EnableGrpcSecurity
+    static class TestCfg  extends GrpcSecurityConfigurerAdapter {
+        @Override
+        public void configure(GrpcSecurity builder) throws Exception {
+            builder.authorizeRequests().withoutSecuredAnnotation();
+        }
+    }
+
+    public DisabledSecuredAnnTest() {
+        super(false);
+    }
+
+    @Test
+    public void nonSecuredServiceTest() {
+
+        final GreeterGrpc.GreeterBlockingStub   greeter = GreeterGrpc.newBlockingStub(getChannel(true));
+
+        final String reply = greeter.sayAuthHello(Empty.getDefaultInstance()).getMessage();
+        assertNotNull("Reply should not be null",reply);
+
+
+    }
+}

grpc-spring-boot-starter/src/main/java/org/lognet/springboot/grpc/security/GrpcServiceAuthorizationConfigurer.java

@@ -28,19 +28,20 @@
 public class GrpcServiceAuthorizationConfigurer
         extends SecurityConfigurerAdapter<ServerInterceptor, GrpcSecurity> {
 
-    private final GrpcServiceAuthorizationConfigurer.Registry REGISTRY;
+    private final GrpcServiceAuthorizationConfigurer.Registry registry;
 
     public GrpcServiceAuthorizationConfigurer(ApplicationContext context) {
-        this.REGISTRY = new GrpcServiceAuthorizationConfigurer.Registry(context);
+        this.registry = new GrpcServiceAuthorizationConfigurer.Registry(context);
     }
 
     public Registry getRegistry() {
-        return REGISTRY;
+        return registry;
     }
 
     @Override
     public void configure(GrpcSecurity builder) throws Exception {
-        builder.setSharedObject(GrpcSecurityMetadataSource.class, new GrpcSecurityMetadataSource(REGISTRY.securedMethods));
+        registry.processSecuredAnnotation();
+        builder.setSharedObject(GrpcSecurityMetadataSource.class, new GrpcSecurityMetadataSource(registry.securedMethods));
     }
 
 
@@ -58,8 +59,8 @@ private AuthorizedMethod(ServiceDescriptor... serviceDescriptor) {
         }
 
         public GrpcServiceAuthorizationConfigurer.Registry authenticated() {
-            GrpcServiceAuthorizationConfigurer.this.REGISTRY.map(methods);
-            return GrpcServiceAuthorizationConfigurer.this.REGISTRY;
+            GrpcServiceAuthorizationConfigurer.this.registry.map(methods);
+            return GrpcServiceAuthorizationConfigurer.this.registry;
         }
 
         public GrpcServiceAuthorizationConfigurer.Registry hasAnyRole(String... roles) {
@@ -76,9 +77,9 @@ public GrpcServiceAuthorizationConfigurer.Registry hasAnyRole(String... roles) {
 
         public GrpcServiceAuthorizationConfigurer.Registry hasAnyAuthority(String... authorities) {
             for (String auth : authorities) {
-                GrpcServiceAuthorizationConfigurer.this.REGISTRY.map(auth, methods);
+                GrpcServiceAuthorizationConfigurer.this.registry.map(auth, methods);
             }
-            return GrpcServiceAuthorizationConfigurer.this.REGISTRY;
+            return GrpcServiceAuthorizationConfigurer.this.registry;
         }
 
 
@@ -88,6 +89,7 @@ public class Registry {
 
         private MultiValueMap<MethodDescriptor<?, ?>, ConfigAttribute> securedMethods = new LinkedMultiValueMap<>();
         private ApplicationContext context;
+        private boolean withSecuredAnnotation = true;
 
         Registry(ApplicationContext context) {
             this.context = context;
@@ -104,30 +106,48 @@ public AuthorizedMethod anyMethod() {
 
         }
 
+        public GrpcSecurity withoutSecuredAnnotation() {
+            return withSecuredAnnotation(false);
+        }
+
+        /**
+         * Same as  {@code withSecuredAnnotation(true)}
+         * @return GrpcSecurity configuration
+         */
         public GrpcSecurity withSecuredAnnotation() {
-            final Collection<BindableService> services = context.getBeansOfType(BindableService.class).values();
+            return withSecuredAnnotation(true);
+        }
+        public GrpcSecurity withSecuredAnnotation(boolean withSecuredAnnotation) {
+            this.withSecuredAnnotation = withSecuredAnnotation;
+            return and();
+        }
 
-            for (BindableService service : services) {
-                final ServerServiceDefinition serverServiceDefinition = service.bindService();
-                // service level security
-                {
-                    final Secured securedAnn = AnnotationUtils.findAnnotation(service.getClass(), Secured.class);
+        private void processSecuredAnnotation() {
+            if (withSecuredAnnotation) {
+                final Collection<BindableService> services = context.getBeansOfType(BindableService.class).values();
 
-                    if (null != securedAnn) {
-                        new AuthorizedMethod(serverServiceDefinition.getServiceDescriptor()).hasAnyAuthority(securedAnn.value());
+                for (BindableService service : services) {
+                    final ServerServiceDefinition serverServiceDefinition = service.bindService();
+                    // service level security
+                    {
+                        final Secured securedAnn = AnnotationUtils.findAnnotation(service.getClass(), Secured.class);
+
+                        if (null != securedAnn) {
+                            new AuthorizedMethod(serverServiceDefinition.getServiceDescriptor()).hasAnyAuthority(securedAnn.value());
+                        }
                     }
-                }
-                // method level security
-                for(ServerMethodDefinition<?,?> methodDefinition :serverServiceDefinition.getMethods()){
-                     Stream.of(service.getClass().getMethods()) // get method from methodDefinition
-                            .filter(m -> 0==Objects.compare(methodDefinition.getMethodDescriptor().getBareMethodName(),m.getName(), Comparator.naturalOrder()))
-                            .findFirst()
-                            .flatMap(m->Optional.ofNullable(AnnotationUtils.findAnnotation(m, Secured.class)))
-                            .ifPresent(secured -> new AuthorizedMethod(methodDefinition.getMethodDescriptor()) .hasAnyAuthority(secured.value()));
+                    // method level security
+                    for (ServerMethodDefinition<?, ?> methodDefinition : serverServiceDefinition.getMethods()) {
+                        Stream.of(service.getClass().getMethods()) // get method from methodDefinition
+                                .filter(m -> 0 == Objects.compare(methodDefinition.getMethodDescriptor().getBareMethodName(), m.getName(), Comparator.naturalOrder()))
+                                .findFirst()
+                                .flatMap(m -> Optional.ofNullable(AnnotationUtils.findAnnotation(m, Secured.class)))
+                                .ifPresent(secured -> new AuthorizedMethod(methodDefinition.getMethodDescriptor()).hasAnyAuthority(secured.value()));
 
+                    }
                 }
             }
-            return and();
+
         }
 
         public AuthorizedMethod methods(MethodDescriptor<?, ?>... methodDescriptor) {