apply AuthenticationFilter only to /api requests

This commit is contained in:
Michael Hoennig 2025-03-11 14:49:56 +01:00
parent b1a785eda5
commit 1685221567


@ -1,9 +1,6 @@
package net.hostsharing.hsadminng.config;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
@ -11,29 +8,37 @@ import lombok.SneakyThrows;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
@Component
public class AuthenticationFilter implements Filter {
public class AuthenticationFilter extends OncePerRequestFilter {
@Autowired
private Authenticator authenticator;
@Override
@SneakyThrows
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) {
final var httpRequest = (HttpServletRequest) request;
final var httpResponse = (HttpServletResponse) response;
protected void doFilterInternal(
HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {
if ( !request.getRequestURI().startsWith("/api/") ) {
final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
authenticatedRequest.addHeader("current-subject", "nobody");
filterChain.doFilter(authenticatedRequest, response);
return;
}
try {
final var currentSubject = authenticator.authenticate(httpRequest);
final var currentSubject = authenticator.authenticate(request);
final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(httpRequest);
final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
authenticatedRequest.addHeader("current-subject", currentSubject);
chain.doFilter(authenticatedRequest, response);
filterChain.doFilter(authenticatedRequest, response);
} catch (final BadCredentialsException exc) {
// TODO.impl: should not be necessary if ResponseStatusException worked
httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
// TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
}
}
}
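Review bot: The `/api/` test at the top of `doFilterInternal` compares `request.getRequestURI()`, which includes the servlet context path and is neither decoded nor normalized, so under any non-root context path the condition is always true and every request — API calls included — is passed through as `current-subject: nobody` without `authenticator.authenticate` ever running; oddly shaped paths such as `//api/…` or `/./api/…` would likewise skip the check if the container still routes them to the API handlers. Comparing the container-normalized, context-relative path is safer: `if ( !request.getServletPath().startsWith("/api/") ) {` (with the dispatcher mapped at `/`, that is the path within the application). Whether a `nobody` subject actually denies access depends on downstream authorization code that is not visible here, but a filter that fails open on a deployment detail is still worth closing. Since the bypass is now the first thing the method does, a comment stating the intent would help, e.g. `// Non-API requests are deliberately passed through unauthenticated as subject "nobody".` — and it is worth confirming that `AuthenticatedHttpServletRequestWrapper.addHeader` shadows any client-supplied `current-subject` header rather than appending to it.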