
Commit bae8384

committed
allow status requests for anonymous users in mapi/internal api
1 parent 7ab8c53 commit bae8384

2 files changed

Lines changed: 28 additions & 3 deletions


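--- a/orcid-api-web/src/main/resources/orcid-api-security-context.xml
+++ b/orcid-api-web/src/main/resources/orcid-api-security-context.xml
@@ -20,9 +20,24 @@
 <sec:http pattern="/v2**/o2c.html" security="none"/>
 <sec:http pattern="/v3**/o2c.html" security="none"/>
 
-<!-- Status check -->
-<sec:http pattern="/v*/status" security="none"/>
-<sec:http pattern="/v*/apiStatus" security="none"/>
+<!-- Status checks allow anonymous access, but still process bearer tokens when present -->
+<sec:http pattern="/v*/status" create-session="stateless">
+<sec:csrf disabled="true"/>
+<sec:anonymous enabled="true" />
+<sec:http-basic entry-point-ref="apiAuthenticationEntryPoint" />
+<sec:custom-filter ref="orcidBearerTokenFilter" before="PRE_AUTH_FILTER" />
+<sec:intercept-url pattern="/**" access="permitAll"/>
+<sec:access-denied-handler ref="orcidAPIAccessDeniedHandler" />
+</sec:http>
+
+<sec:http pattern="/v*/apiStatus" create-session="stateless">
+<sec:csrf disabled="true"/>
+<sec:anonymous enabled="true" />
+<sec:http-basic entry-point-ref="apiAuthenticationEntryPoint" />
+<sec:custom-filter ref="orcidBearerTokenFilter" before="PRE_AUTH_FILTER" />
+<sec:intercept-url pattern="/**" access="permitAll"/>
+<sec:access-denied-handler ref="orcidAPIAccessDeniedHandler" />
+</sec:http>
 
 <!-- Token endpoint -->
 <sec:http pattern="/oauth/token" security="none" />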
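Review bot: Swapping `security="none"` for a full filter chain changes the failure mode of `/v*/status` and `/v*/apiStatus`: a client that presents an expired or malformed bearer token, or bad basic credentials, is presumably rejected by `orcidBearerTokenFilter` or the `apiAuthenticationEntryPoint` before the `permitAll` rule is ever consulted, so a monitor holding a stale token now gets an authentication error where it previously got the status page. If that is the intended contract, the comment should say so, e.g. `<!-- Status checks allow anonymous access; a credential that is present but invalid is still rejected -->`; if not, these chains need the bearer filter to fall through to anonymous on failure. The same question applies to the new `/status` chain in orcid-internal-api-security-context.xml. Separately, the `/v*/status` and `/v*/apiStatus` blocks are byte-identical; one `<sec:http>` keyed on a shared `request-matcher-ref` covering both paths would keep the two copies from drifting.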

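--- a/orcid-internal-api/src/main/resources/orcid-internal-api-security-context.xml
+++ b/orcid-internal-api/src/main/resources/orcid-internal-api-security-context.xml
@@ -12,6 +12,16 @@
 <!-- Token endpoint -->
 <sec:http pattern="/oauth/token" security="none"/>
 
+<!-- Status check allows anonymous access, but still processes bearer tokens when present -->
+<sec:http pattern="/status" create-session="stateless" >
+<sec:csrf disabled="true"/>
+<sec:anonymous enabled="true" />
+<sec:http-basic entry-point-ref="apiAuthenticationEntryPoint" />
+<sec:custom-filter ref="orcidBearerTokenFilter" before="PRE_AUTH_FILTER" />
+<sec:intercept-url pattern="/**" access="permitAll"/>
+<sec:access-denied-handler ref="orcidAPIAccessDeniedHandler" />
+</sec:http>
+
 <sec:http create-session="stateless" >
 <sec:csrf disabled="true"/>
 <sec:anonymous enabled="true" />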
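Review bot: The new `/status` chain only works because it is declared ahead of the pattern-less catch-all `<sec:http create-session="stateless">` that follows it; Spring Security selects the first `<sec:http>` whose pattern matches, so a later reorder would silently route `/status` into the authenticated chain, and nothing in the hunk records that dependency. A comment on the new block would guard against it, e.g. `<!-- Must stay above the catch-all <sec:http> below: chains are matched in declaration order, first match wins -->`. The `<sec:access-denied-handler>` on a chain whose only rule is `permitAll` (with CSRF disabled) appears to have no path that can reach it and could be dropped to keep the status chain minimal; the enclosing catch-all chain continues outside the hunk.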
