Rest API none security method

Support
#1

Hi,

I am developing a rest api method which will not require login. How can I do that?

I already tried add new http element (security=‘none’) in rest-dispatcher-spring.xml but didn’t work. The exception below:
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.SecurityException: No security context bound to the current thread
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1013)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:897)
javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:882)
javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:209)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
com.haulmont.cuba.web.sys.CubaHttpFilter.doFilter(CubaHttpFilter.java:103)

Please help me. Thanks

#4

Hi,
you need to set anonymous user session to security context. You can do it this way:

@RestController("sample_MyUnprotectedController")
@RequestMapping("/unprotected")
public class MyUnprotectedController {

    @Inject
    private DataManager dataManager;

    @Inject
    private TrustedClientService trustedClientService;

    @Inject
    private RestApiConfig restApiConfig;

    @GetMapping("/logins")
    public List<String> getUserLogins() {
        UserSession anonymousSession = getAnonymousSession();
        AppContext.setSecurityContext(new SecurityContext(anonymousSession));
        try {
            return dataManager.load(User.class)
                    .list()
                    .stream()
                    .map(User::getLogin)
                    .collect(Collectors.toList());
        } finally {
            AppContext.setSecurityContext(null);
        }
    }

    private UserSession getAnonymousSession() {
        try {
            return trustedClientService.getAnonymousSession(restApiConfig.getTrustedClientPassword(),
                    restApiConfig.getSecurityScope());
        } catch (LoginException e) {
            throw new RuntimeException("Unable to obtain anonymous session", e);
        }
    }
}