
Security rules strategy execution not enough documented + SecurityRule strategy feature request #1305

Open
RiccardoManzan opened this issue May 5, 2023 · 6 comments

@RiccardoManzan
Contributor

Issue description

Hi all, I'm working on a project that needed a custom security rule.
This required me to analyze the SecurityFilter in the SecurityRules section, and how all the provided SecurityRules work by themselves.

I found it very counterintuitive that the filters are somehow exclusive.
A request may pass only through a subset of security rules, as, apart from IpPatternsRule, they block the rules' execution if they want to allow or reject a request.
I mean, if a rule rejects a request, that's fine for me: no further rule is applied and access to the requested resource is blocked. But I think that if a rule approves a user request, then the following security rules also need to be applied.
For example: if a user tries to access a specific resource, and the @Secured annotation is compliant with the user's authentication, I'd like to also execute ConfigurationInterceptUrlMapRule in order to match the security configuration by properties as well.

This type of behavior is not explicitly described in the docs. Furthermore, IMHO this behavior should become a strategy, like the authentication one, whose choices are ALL or ANY (for this one I'd prefer FIRST).

In order to know in which order SecurityRules are executed I needed to check their implementation, which is not the most user-friendly way, so I prepared a table which I think should be inserted in the docs.
Furthermore, it was not clear from the docs that both the @Secured annotation and the micronaut.security.intercept-url-map configuration were supposed to grant access to a resource if ANY of the roles are matched instead of ALL. This behavior is also explained in the table.

| Rule | Order | Accept | Reject | Unknown |
|---|---|---|---|---|
| IpPatternsRule | -300 | never | none of the IP patterns matched the host address | alternatively: no address could be resolved, or the address matches at least one of the patterns |
| SecuredAnnotationRule | -200 | at least one required role is granted to the authenticated user | none of the required roles is granted to the authenticated user | no secured annotation is specified on the requested method |
| ConfigurationInterceptUrlMapRule | -100 | at least one required role is granted to the authenticated user | none of the required roles is granted to the authenticated user | no path pattern is matched |
| SensitiveEndpointRule | 0 | user is authenticated | user is not authenticated | path is not a sensitive one |
@graemerocher
Contributor

Seems like a good opportunity to contribute to the docs

@RiccardoManzan
Contributor Author

Hi @graemerocher, as suggested I forked the project and created a pull request regarding the documentation.
In the future I guess I could open a new one regarding the strategy functionality; at the moment I don't have a time budget for that.
Though I guess we should discuss in more detail how that should work before proceeding with the development of the functionality itself.

sdelamo added a commit that referenced this issue May 16, 2023
* doc: better security rules documentation (#1305)

* fix: security.filters package path

Co-authored-by: Sergio del Amo <[email protected]>

* dev: applied pull request suggestions

Co-authored-by: Sergio del Amo <[email protected]>

* doc: applied pull request suggestions

---------

Co-authored-by: Sergio del Amo <[email protected]>
@sdelamo sdelamo self-assigned this Mar 22, 2024
@Fohlen

Fohlen commented Jul 12, 2024

@RiccardoManzan can you attach a sample custom SecurityRule? I am having trouble getting mine to execute

@RiccardoManzan
Contributor Author

@Fohlen, what are you trying to do?

I'll check what I have and come back.

@sdelamo
Contributor

sdelamo commented Jul 19, 2024

@Fohlen to create a security rule:

```java
import io.micronaut.core.annotation.Nullable;
import io.micronaut.http.HttpRequest;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.rules.SecurityRule;
import io.micronaut.security.rules.SecurityRuleResult;
import jakarta.inject.Singleton;
import org.reactivestreams.Publisher;
import reactor.core.publisher.Mono;

@Singleton
class FooSecurityRule implements SecurityRule {
    public static final Integer ORDER = 0; // TODO set this to your preferred order

    @Override
    public int getOrder() {
        return ORDER;
    }

    // Skeleton: rejects every request. Return UNKNOWN for requests this rule does not
    // cover so that the rules ordered after it still get to decide.
    @Override
    public Publisher<SecurityRuleResult> check(HttpRequest<?> request, @Nullable Authentication authentication) {
        return Mono.just(SecurityRuleResult.REJECTED);
    }
}
```

@ArthurHarkivsky

ArthurHarkivsky commented Nov 24, 2024

Hello! Please improve the docs. It is absolutely unclear how to build an app with such a combination of auth: some URLs permitted for all, some under JWT auth, some under Basic auth.

It should be something easy and pretty like in Spring (bad coding with it could also lead to complicated conf):

```java
@Bean
@Order(1)
SecurityFilterChain whiteListFilterChain(HttpSecurity http) throws Exception {
    return http
            .csrf(csrf ->
                    csrf.ignoringRequestMatchers(WHITELIST))
            .securityMatcher(WHITELIST)
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            .httpBasic(AbstractHttpConfigurer::disable)
            .formLogin(AbstractHttpConfigurer::disable)
            .build();
}

@Bean
@Order(2)
SecurityFilterChain privateFilterChain(HttpSecurity http) throws Exception {
    return http
            .csrf(csrf ->
                    csrf.ignoringRequestMatchers("/private/**"))
            .securityMatcher("/private/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(withDefaults())
            .build();
}

@Bean
@Order(3)
public SecurityFilterChain jwtFilterChain(HttpSecurity http, JwtFilter jwtFilter) throws Exception {
    return http
            .csrf(csrf -> csrf.ignoringRequestMatchers(BASE_PATH))
            .httpBasic(AbstractHttpConfigurer::disable)
            .formLogin(AbstractHttpConfigurer::disable)
            .addFilterAfter(jwtFilter, BasicAuthenticationFilter.class)
            .build();
}
```

Googling and direct docs reading gives nothing about:
micronaut security whitelist/exclude for a specific URL.

P.S. Please advise how to make the same thing with Micronaut as in my code.
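Tying the two code-related questions in this thread together (sdelamo's `FooSecurityRule` skeleton above, and the request for a path-based permit/deny split in the last comment), here is an added example of a complete custom `SecurityRule`. It is not code from the issue or from the micronaut-security project; it assumes the micronaut-security 4.x API shown in the skeleton (`check` returning a `Publisher`), Reactor on the classpath, and the path prefixes `/public/` and `/private/` and the package name, which are chosen for illustration. The decision is pulled into a static `decide` method so it can be unit-tested without building an `HttpRequest`.

```java
package example.security; // hypothetical package

import io.micronaut.core.annotation.Nullable;
import io.micronaut.http.HttpRequest;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.rules.SecuredAnnotationRule;
import io.micronaut.security.rules.SecurityRule;
import io.micronaut.security.rules.SecurityRuleResult;
import jakarta.inject.Singleton;
import org.reactivestreams.Publisher;
import reactor.core.publisher.Mono;

/**
 * Added example, not micronaut-security's own code: permits anonymous access under
 * one path prefix, requires an authenticated user under another, and leaves every
 * other request to the built-in rules.
 */
@Singleton
public class PathPrefixSecurityRule implements SecurityRule {

    // Ordered just before SecuredAnnotationRule (-200 in the table above). Per the
    // table, the first rule that answers ALLOWED or REJECTED ends the chain, so a
    // custom rule placed after a built-in that already answered never runs; that is
    // the usual reason a custom rule "does not execute".
    public static final int ORDER = SecuredAnnotationRule.ORDER - 1;

    private static final String PUBLIC_PREFIX = "/public/";   // constructed for the example
    private static final String PRIVATE_PREFIX = "/private/"; // constructed for the example

    @Override
    public int getOrder() {
        return ORDER;
    }

    @Override
    public Publisher<SecurityRuleResult> check(HttpRequest<?> request,
                                               @Nullable Authentication authentication) {
        return Mono.just(decide(request.getPath(), authentication != null));
    }

    /** Pure decision logic: path plus "is anyone authenticated" in, rule result out. */
    static SecurityRuleResult decide(String path, boolean authenticated) {
        if (path.startsWith(PUBLIC_PREFIX)) {
            return SecurityRuleResult.ALLOWED;           // anonymous access permitted
        }
        if (path.startsWith(PRIVATE_PREFIX)) {
            return authenticated
                    ? SecurityRuleResult.ALLOWED
                    : SecurityRuleResult.REJECTED;       // no credentials: stop the chain
        }
        // Not this rule's concern: UNKNOWN lets SecuredAnnotationRule,
        // ConfigurationInterceptUrlMapRule and SensitiveEndpointRule decide.
        return SecurityRuleResult.UNKNOWN;
    }
}
```

Two practical notes. First, because an `ALLOWED` from this rule ends the chain, a `@Secured` annotation on a controller under `/public/` would no longer be consulted; if you only want to relax one prefix, return `UNKNOWN` rather than `ALLOWED` there and let the annotation or the `micronaut.security.intercept-url-map` configuration mentioned at the top of the thread carry the decision. Second, the rule only checks whether *some* `Authentication` is present; distinguishing JWT from Basic credentials on different prefixes is a matter of which authentication mechanisms are enabled, not of this rule, and the thread does not document that combination.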
