apply AuthenticationFilter only to /api requests

2025-03-11 14:49:56 +01:00 · 2025-03-11 14:49:56 +01:00 · 1685221567
commit 1685221567
parent b1a785eda5
1 changed files with 17 additions and 12 deletions
--- a/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
+++ b/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
@ -1,9 +1,6 @@
 package net.hostsharing.hsadminng.config;

-import jakarta.servlet.Filter;
 import jakarta.servlet.FilterChain;
-import jakarta.servlet.ServletRequest;
-import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;

@ -11,29 +8,37 @@ import lombok.SneakyThrows;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+

@Component
-public class AuthenticationFilter implements Filter {
+public class AuthenticationFilter extends OncePerRequestFilter {

    @Autowired
    private Authenticator authenticator;

    @Override
    @SneakyThrows
-    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) {
-        final var httpRequest = (HttpServletRequest) request;
-        final var httpResponse = (HttpServletResponse) response;
+    protected void doFilterInternal(
+            HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {
+
+        if ( !request.getRequestURI().startsWith("/api/") ) {
+            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
+            authenticatedRequest.addHeader("current-subject", "nobody");
+            filterChain.doFilter(authenticatedRequest, response);
+            return;
+        }

        try {
-            final var currentSubject = authenticator.authenticate(httpRequest);
+            final var currentSubject = authenticator.authenticate(request);

-            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(httpRequest);
+            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
            authenticatedRequest.addHeader("current-subject", currentSubject);

-            chain.doFilter(authenticatedRequest, response);
+            filterChain.doFilter(authenticatedRequest, response);
        } catch (final BadCredentialsException exc) {
-            // TODO.impl: should not be necessary if ResponseStatusException worked
-            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            // TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
+            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
 }