apply AuthenticationFilter only to /api requests

This commit is contained in:
Michael Hoennig 2025-03-11 14:49:56 +01:00
parent b1a785eda5
commit 1685221567


@ -1,9 +1,6 @@
package net.hostsharing.hsadminng.config; package net.hostsharing.hsadminng.config;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain; import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse; import jakarta.servlet.http.HttpServletResponse;
@ -11,29 +8,37 @@ import lombok.SneakyThrows;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
@Component @Component
public class AuthenticationFilter implements Filter { public class AuthenticationFilter extends OncePerRequestFilter {
@Autowired @Autowired
private Authenticator authenticator; private Authenticator authenticator;
@Override @Override
@SneakyThrows @SneakyThrows
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) { protected void doFilterInternal(
final var httpRequest = (HttpServletRequest) request; HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {
final var httpResponse = (HttpServletResponse) response;
if ( !request.getRequestURI().startsWith("/api/") ) {
final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
authenticatedRequest.addHeader("current-subject", "nobody");
filterChain.doFilter(authenticatedRequest, response);
return;
}
try { try {
final var currentSubject = authenticator.authenticate(httpRequest); final var currentSubject = authenticator.authenticate(request);
final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(httpRequest); final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
authenticatedRequest.addHeader("current-subject", currentSubject); authenticatedRequest.addHeader("current-subject", currentSubject);
chain.doFilter(authenticatedRequest, response); filterChain.doFilter(authenticatedRequest, response);
} catch (final BadCredentialsException exc) { } catch (final BadCredentialsException exc) {
// TODO.impl: should not be necessary if ResponseStatusException worked // TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
} }
} }
} }
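Review bot: The bypass condition `if ( !request.getRequestURI().startsWith("/api/") )` in doFilterInternal compares the raw request URI, which includes the servlet context path and is not normalized, so under a non-root context path every request would take the unauthenticated `nobody` branch, and path variants such as `//api/...` or `/./api/...` that the container still routes to the API handlers would also skip authentication; the branch fails open for anything that does not match. Matching on the container-resolved servlet path, `if (!request.getServletPath().startsWith("/api/")) {`, is safer, and a `PathPatternRequestMatcher`/`AntPathRequestMatcher` from Spring Security is the usual way to express this if the project already uses them. It is not visible on this page whether `AuthenticatedHttpServletRequestWrapper.addHeader` replaces a client-supplied `current-subject` header or only appends to it; if it appends, a caller could send its own value alongside `nobody`, so a short comment on the wrapper call stating the override semantics, backed by a test that sends a spoofed `current-subject` header on a non-/api path, would make the invariant explicit. The `// TODO.impl ... FIXME: try removing` comment on the catch block should also state that the 401 is set without invoking the chain, so the request ends there rather than continuing unauthenticated.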