yterradas/gist:7e95378640eeb597ce33

## gistfile1.java
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig
    extends WebSecurityConfigurerAdapter {
    @Value("${oauth.check_token.url:http://localhost:3030/oauth/token/info}")
    private String checkTokenUrl;

    @Autowired @Qualifier("restTemplate")
    private RestOperations authRestTemplate;

    @Override
    protected void configure( HttpSecurity http )
        throws Exception {
        // @formatter:off
        http.anonymous().authenticationFilter(proxyAuthenticationFilter()).authorities("ROLE_USER")
            // NOTE: filter must be enable
            // .sessionManagement().disable()
        .and()
            .headers().disable()
            .requestCache().disable()
            .formLogin().disable()
            .rememberMe().disable()
            .x509().disable()
            .jee().disable()
            .httpBasic().disable()
            .csrf().disable()
            .logout().disable();
        // @formatter:on
    }

    @Override
    public void configure( WebSecurity web )
        throws Exception {
        // @formatter:off
        // NOTE: disable in production
        web.debug(true);
        // @formatter:on
    }

    protected ProxyAuthenticationFilter proxyAuthenticationFilter()
        throws Exception {
        return new ProxyAuthenticationFilter(checkTokenUrl, authRestTemplate);
    }
}


public class ProxyAuthenticationFilter
    extends AnonymousAuthenticationFilter {
    private final Logger log = LoggerFactory.getLogger(getClass());

    private RestOperations authTemplate;
    private String checkTokenUrl;

    public ProxyAuthenticationFilter( final String checkTokenUrl, final RestOperations authTemplate ) {
        super("PROXY_AUTH_FILTER");
        this.checkTokenUrl = checkTokenUrl;
        this.authTemplate = authTemplate;
    }

    @Override
    public void doFilter( ServletRequest req, ServletResponse res, FilterChain chain )
        throws IOException, ServletException {

        SecurityContextHolder.getContext().setAuthentication(createAuthentication((HttpServletRequest) req));

        if ( log.isDebugEnabled() ) {
            log.debug("Populated SecurityContextHolder with authenticated user: {}",
                      SecurityContextHolder.getContext().getAuthentication());
        }

        chain.doFilter(req, res);
    }

    @Override
    protected Authentication createAuthentication( final HttpServletRequest request )
        throws AuthenticationException {
        AuthUserInfo authDetails = getUserInfo(request);

        // NOTE: delete once this is returned from provider
        if (authDetails != null) {
            authDetails.setUserId("abcde12345");
            authDetails.setUsername("username");
        }

        if (null == authDetails) {
            throw new AuthenticationCredentialsNotFoundException("Could not authenticate user");
        }

        if ( isEmpty(authDetails.getUsername()) || isEmpty(authDetails.getUserId()) ) {
            throw new BadCredentialsException("User details does not have sufficient credentials");
        }

        // NOTE: delete once this is returned from provider
        List<? extends GrantedAuthority> authorities = Collections
            .unmodifiableList(Arrays.asList(new SimpleGrantedAuthority("ROLE_USER")));
        AuthUser principal = new AuthUser(authDetails.getUsername(), authDetails.getUserId(), authorities);

        return new AnonymousAuthenticationToken("ANONYMOUS", principal, authorities);
    }

    private AuthUserInfo getUserInfo( HttpServletRequest request ) {
        final String authHeader = request.getHeader("Authorization");

        if ( log.isDebugEnabled() ) {
            log.debug("Validating: {} with provider", authHeader);
        }

        HttpEntity<String> entity = new HttpEntity<>(
            new HttpHeaders() {{
                set("Authorization", authHeader);
            }}
        );

        AuthUserInfo authDetails = null;
        try {
            ResponseEntity<AuthUserInfo> authProviderResp = authTemplate
                .exchange(checkTokenUrl, HttpMethod.GET, entity, AuthUserInfo.class);
            authDetails = authProviderResp.getBody();
        } catch (RestClientException e) {
            log.error("Could not communicate with OAuth2 provider", e);
        }

        return authDetails;
    }
}
	@Configuration
	@EnableWebMvcSecurity
	public class WebSecurityConfig
	extends WebSecurityConfigurerAdapter {
	@Value("${oauth.check_token.url:http://localhost:3030/oauth/token/info}")
	private String checkTokenUrl;

	@Autowired @Qualifier("restTemplate")
	private RestOperations authRestTemplate;

	@Override
	protected void configure( HttpSecurity http )
	throws Exception {
	// @formatter:off
	http.anonymous().authenticationFilter(proxyAuthenticationFilter()).authorities("ROLE_USER")
	// NOTE: filter must be enable
	// .sessionManagement().disable()
	.and()
	.headers().disable()
	.requestCache().disable()
	.formLogin().disable()
	.rememberMe().disable()
	.x509().disable()
	.jee().disable()
	.httpBasic().disable()
	.csrf().disable()
	.logout().disable();
	// @formatter:on
	}

	@Override
	public void configure( WebSecurity web )
	throws Exception {
	// @formatter:off
	// NOTE: disable in production
	web.debug(true);
	// @formatter:on
	}

	protected ProxyAuthenticationFilter proxyAuthenticationFilter()
	throws Exception {
	return new ProxyAuthenticationFilter(checkTokenUrl, authRestTemplate);
	}
	}



	public class ProxyAuthenticationFilter
	extends AnonymousAuthenticationFilter {
	private final Logger log = LoggerFactory.getLogger(getClass());

	private RestOperations authTemplate;
	private String checkTokenUrl;

	public ProxyAuthenticationFilter( final String checkTokenUrl, final RestOperations authTemplate ) {
	super("PROXY_AUTH_FILTER");
	this.checkTokenUrl = checkTokenUrl;
	this.authTemplate = authTemplate;
	}

	@Override
	public void doFilter( ServletRequest req, ServletResponse res, FilterChain chain )
	throws IOException, ServletException {

	SecurityContextHolder.getContext().setAuthentication(createAuthentication((HttpServletRequest) req));

	if ( log.isDebugEnabled() ) {
	log.debug("Populated SecurityContextHolder with authenticated user: {}",
	SecurityContextHolder.getContext().getAuthentication());
	}

	chain.doFilter(req, res);
	}

	@Override
	protected Authentication createAuthentication( final HttpServletRequest request )
	throws AuthenticationException {
	AuthUserInfo authDetails = getUserInfo(request);

	// NOTE: delete once this is returned from provider
	if (authDetails != null) {
	authDetails.setUserId("abcde12345");
	authDetails.setUsername("username");
	}

	if (null == authDetails) {
	throw new AuthenticationCredentialsNotFoundException("Could not authenticate user");
	}

	if ( isEmpty(authDetails.getUsername()) \|\| isEmpty(authDetails.getUserId()) ) {
	throw new BadCredentialsException("User details does not have sufficient credentials");
	}

	// NOTE: delete once this is returned from provider
	List<? extends GrantedAuthority> authorities = Collections
	.unmodifiableList(Arrays.asList(new SimpleGrantedAuthority("ROLE_USER")));
	AuthUser principal = new AuthUser(authDetails.getUsername(), authDetails.getUserId(), authorities);

	return new AnonymousAuthenticationToken("ANONYMOUS", principal, authorities);
	}

	private AuthUserInfo getUserInfo( HttpServletRequest request ) {
	final String authHeader = request.getHeader("Authorization");

	if ( log.isDebugEnabled() ) {
	log.debug("Validating: {} with provider", authHeader);
	}

	HttpEntity<String> entity = new HttpEntity<>(
	new HttpHeaders() {{
	set("Authorization", authHeader);
	}}
	);

	AuthUserInfo authDetails = null;
	try {
	ResponseEntity<AuthUserInfo> authProviderResp = authTemplate
	.exchange(checkTokenUrl, HttpMethod.GET, entity, AuthUserInfo.class);
	authDetails = authProviderResp.getBody();
	} catch (RestClientException e) {
	log.error("Could not communicate with OAuth2 provider", e);
	}

	return authDetails;
	}
	}