How to apply different authentication settings to different services/methods (Spring security)

[nsobadzhiev]

The setup

Imagine we have a gRPC server application. All services are authenticated. We want to add a service or a single rpc that is publicly accessible (without an account). In the conventional Spring Security world, we'd add a matcher like this:

.antMatchers("/public").permitAll()  
.anyRequest().authenticated() 

to the HTTP security configuration.

The problem

The aforementioned methods and not available in GrpcSecurity. An alternative solution would be to add another authentication provider and scheme selector and introduce something like Anonymous authentication. However, as far as I understand, you can only set a provider globally, and not just for a particular service/method.

The question

I know I can use the @Secured annotation, or maybe even a @PreAuthorize. However, I'd like to have everything secure by default and only explicitly specify the services/methods I DON'T want authenticated. Is there an accepted way of doing so with this framework?

I'd greatly appreciate if someone could point me to the right direction. Thanks!

[jvmlet]

If you have a look at this api you can get the idea how to achieve what you are after. Just inject GRpcServicesRegistry into your adapter bean, filter services you want to secure and call services method.
You should be using strongly typed generated service descriptor to filter it out from the all the services.

[nsobadzhiev]

I think I got it. That's pretty clever actually!
Let me summarise so we can make sure we are talking about the same thing (and maybe it would become clearer for others). You are saying that I can use GRpcServicesRegistry.beanNameToServiceBeanMap to get a list of all registered gRPC service and methods, and then use GrpcSecurity and its authorisation registry to secure every service/method EXCLUDING the ones I explicitly filtered out? Something like this (I hope you don't mind the Kotlin code):

override fun configure(builder: GrpcSecurity) {
        val methods = gRpcServicesRegistry.beanNameToServiceBeanMap
            .values
            .map(BindableService::bindService)
            .map(ServerServiceDefinition::getServiceDescriptor)
            .flatMap { it.methods }
            .filterNot { it.fullMethodName == "<dont_secure_me>" }
            .toTypedArray()
        builder.authorizeRequests().methods(*methods).authenticated()
            // ... setup authentication providers and schemes
    }

[jvmlet]

Exactly.
My advice - use generated static method accessor to get the io.grpc.MethodDescriptor , like GreeterGrpc.getSayHelloMethod() and then it becomes strongly typed :

override fun configure(builder: GrpcSecurity) {
        val methods = gRpcServicesRegistry.beanNameToServiceBeanMap
            .values
            .map(BindableService::bindService)
            .map(ServerServiceDefinition::getServiceDescriptor)
            .flatMap { it.methods }
            .filterNot { it ==GreeterGrpc.getSayHelloMethod() } // typed !!!
            .toTypedArray()
        builder.authorizeRequests().methods(*methods).authenticated()
            // ... setup authentication providers and schemes
    }

Mind to PR such a shorthand methods to GrpcServiceAuthorizationConfigurer.Registry class with :

1. anyMethodExcluding(MethodDescriptor<?, ?>... methodDescriptor)
2. anyServiceExcluding(ServiceDescriptor... serviceDescriptor)
   ?

[nsobadzhiev]

Oh wow! Yeah, I like it much better like that!
Sure, I can open a PR and maybe even write a sentence in the README about it.
Thanks for the support!

[jvmlet]

Tests are also welcome 😊