Custom controller anonymous access


(Shanur Anasari) #1

Hi,

I am trying to access custom controller without token,
I am calling a custom controller to get the active token for user login id Ex: “anonymousAccessUser” it will give me if there is any active token in the database which is not expired for this user and if no active token present in the database then I am creating a new token and returning the response back which is working perfect.

But I want to access this API(custom controller) without passing any oAuth token. Below is the code for your reference please help me to correct the thing where i am making mistake

portal-security-spring.xml

<security:http pattern="/rest/myapi/**"
                   create-session="stateless"
                   entry-point-ref="oauthAuthenticationEntryPoint"
                   xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/rest/myapi/**" access="true"/>
        <anonymous enabled="true"/>
        <csrf disabled="true"/>
        <cors configuration-source-ref="cuba_RestCorsSource"/>
        <custom-filter ref="resourceFilter" before="PRE_AUTH_FILTER"/>
        <custom-filter ref="cuba_AnonymousAuthenticationFilter" after="PRE_AUTH_FILTER"/>
    </security:http>

My custom controller

@RestController
@RequestMapping("/myapi")
public class MyController {

    @GetMapping("/getUserTokenDetails")
    public String getUserTokenDetails() {
        try {
            String userLogin = "anonymousAccessUser"; //user created with this login id
            UserTokenDTO tokenDetails = utilityService.getAnonymousToken(userLogin); //calling service method which returns active token for this user
if(tokenDetails == null){
//generating new token if no active token found in databse
                OAuthTokenIssuer.OAuth2AccessTokenResult tokenResult = oAuthTokenIssuer.issueToken(userLogin,
                        messageTools.getDefaultLocale(), Collections.emptyMap());
                OAuth2AccessToken accessToken = tokenResult.getAccessToken();

                return accessToken.getValue();
            } else {
//return existing active token
                return tokenDetails.getAccess_token();
            }

        } catch (Exception ex) {
            return "No active token found"+ex;
        }
    }

Service bean method to return active token if any

@Override
public UserTokenDTO getAnonymousToken(String userLogin) throws Exception{
    String query = "SELECT ACCESS_TOKEN_VALUE, EXPIRY, AUTHENTICATION_KEY, USER_LOGIN FROM SYS_REST_API_TOKEN "
            + " WHERE USER_LOGIN = '"+ userLogin +"' AND EXPIRY > CURRENT_TIMESTAMP "
            + " ORDER BY EXPIRY DESC ";
    Map<String, String> params = new HashMap<>();
    
    log.debug("Executing query : "+query);
    List<UserTokenDTO> userTokenList = entityManagerService.getUserTokenDetails(query, params);
    return userTokenList.isEmpty() ? null : userTokenList.get(0);
}

When i run this API it says "java.lang.SecurityException: No security context bound to the current thread"
I feel when we are calling service method getAnonymousToken(String userLogin) it is asking for token.


(Shanur Anasari) #3

Do we need to make any changes in the “portal-security-spring.xml” configuration


(Max Gorbunkov) #5

Hi,
2 thoughts:

  1. If you don’t need any security for your endpoints, maybe you can disable it?
<security:http pattern="/rest/myapi/**" security="none"/>
  1. Check that your service method uses system authentication: https://doc.cuba-platform.com/manual-6.7/system_authentication.html

(Shanur Anasari) #7

Thanks for the reply @gorbunkov I will try to make the changes you suggested and update you back


(Shashank Singhal) #8

Hi,

I tried this in cuba version 6.9.4 but I keep getting following error:

{
    "error": "unauthorized",
    "error_description": "An Authentication object was not found in the SecurityContext"
}

Am I missing something??

Thanks


(Shanur Anasari) #9

Hi @shashanksinghal,

Which type of request you are making?
GET or POST?

Regards
Shanur