diff --git a/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java b/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
index 1849b815..7a503b05 100644
--- a/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
+++ b/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
@@ -1,9 +1,6 @@
 package net.hostsharing.hsadminng.config;
-import jakarta.servlet.Filter;
 import jakarta.servlet.FilterChain;
-import jakarta.servlet.ServletRequest;
-import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
@@ -11,29 +8,37 @@ import lombok.SneakyThrows;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
 @Component
-public class AuthenticationFilter implements Filter {
+public class AuthenticationFilter extends OncePerRequestFilter {
 @Autowired
 private Authenticator authenticator;
 @Override
 @SneakyThrows
- public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) {
- final var httpRequest = (HttpServletRequest) request;
- final var httpResponse = (HttpServletResponse) response;
+ protected void doFilterInternal(
+ HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {
+
+ if ( !request.getRequestURI().startsWith("/api/") ) {
+ final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
+ authenticatedRequest.addHeader("current-subject", "nobody");
+ filterChain.doFilter(authenticatedRequest, response);
+ return;
+ }
 try {
- final var currentSubject = authenticator.authenticate(httpRequest);
+ final var currentSubject = authenticator.authenticate(request);
- final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(httpRequest);
+ final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
 authenticatedRequest.addHeader("current-subject", currentSubject);
- chain.doFilter(authenticatedRequest, response);
+ filterChain.doFilter(authenticatedRequest, response);
 } catch (final BadCredentialsException exc) {
- // TODO.impl: should not be necessary if ResponseStatusException worked
- httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ // TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 }
 }
 }
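Review bot: The new early return in `doFilterInternal` decides whether to authenticate from `request.getRequestURI().startsWith("/api/")`, and `getRequestURI()` is the raw request path: it is neither decoded nor normalized and it includes any context path, so this filter and the dispatcher can disagree about which requests are API calls. Whenever they disagree, the request is forwarded as subject `nobody` without `authenticator.authenticate` ever being called, so the check fails open. I would match on the container-resolved path instead, `if (!request.getServletPath().startsWith("/api/")) {` (assuming the dispatcher servlet is mapped at `/`), or better invert the logic so that authentication is the default and only an explicit list of public prefixes skips it. Whether a `current-subject` header supplied by the client is overridden by `addHeader` depends on `AuthenticatedHttpServletRequestWrapper`, which is not part of this diff, so that is worth confirming as well.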