diff --git a/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java b/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
index 7a503b05..fb080f87 100644
--- a/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
+++ b/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
@@ -8,12 +8,19 @@ import lombok.SneakyThrows;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.stereotype.Component;
+import org.springframework.util.AntPathMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;
+import static java.util.Arrays.stream;
+import static net.hostsharing.hsadminng.config.WebSecurityConfig.AUTHENTICATED_PATHS;
+import static net.hostsharing.hsadminng.config.WebSecurityConfig.PERMITTED_PATHS;
+
 @Component
 public class AuthenticationFilter extends OncePerRequestFilter {
+    private static final AntPathMatcher PATH_MATCHER = new AntPathMatcher();
+
     @Autowired
     private Authenticator authenticator;
@@ -22,22 +29,23 @@ public class AuthenticationFilter extends OncePerRequestFilter {
     protected void doFilterInternal( HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {
-        if ( !request.getRequestURI().startsWith("/api/") ) {
-            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
+        final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
+
+        // TODO.impl: Make request matchers work via Spring Security, maybe use Spring Security CAS support directly?
+
+        if (stream(PERMITTED_PATHS).anyMatch(path -> PATH_MATCHER.match(path, request.getRequestURI()))) {
             authenticatedRequest.addHeader("current-subject", "nobody");
             filterChain.doFilter(authenticatedRequest, response);
-            return;
-        }
-
-        try {
-            final var currentSubject = authenticator.authenticate(request);
-
-            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
-            authenticatedRequest.addHeader("current-subject", currentSubject);
-
-            filterChain.doFilter(authenticatedRequest, response);
-        } catch (final BadCredentialsException exc) {
-            // TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
+        } else if (stream(AUTHENTICATED_PATHS).anyMatch(path -> PATH_MATCHER.match(path, request.getRequestURI()))) {
+            try {
+                final var currentSubject = authenticator.authenticate(request);
+                authenticatedRequest.addHeader("current-subject", currentSubject);
+                filterChain.doFilter(authenticatedRequest, response);
+            } catch (final BadCredentialsException exc) {
+                // TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
+                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            }
+        } else {
             response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
         }
     }
diff --git a/src/main/java/net/hostsharing/hsadminng/config/WebSecurityConfig.java b/src/main/java/net/hostsharing/hsadminng/config/WebSecurityConfig.java
index aec107b4..a5e4344c 100644
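Review bot: Both new path checks (the `if` and the `else if`) match `PATH_MATCHER` against `request.getRequestURI()`, which is the raw request URI: it still carries the context path, any `;`-delimited path parameters and percent-encoding, while `PERMITTED_PATHS` and `AUTHENTICATED_PATHS` are written as application-relative patterns. A `@Component` filter is registered with the servlet container rather than inside Spring Security's chain (unless it is also added to the `HttpSecurity` chain, which this diff does not show), so `StrictHttpFirewall` canonicalisation does not run before this decision and the match made here can disagree with the servlet's own mapping of the same request. Compute the path once in application-relative form and use it in both branches, e.g. `final var path = new UrlPathHelper().getPathWithinApplication(request);` (`org.springframework.web.util`), which also removes the duplicated `stream(...).anyMatch(...)` expression that reads the URI twice. Separately, the `catch` block in the `else if` branch discards `exc` without any log line; a debug-level log of the rejected request would help during incident triage. The deny-by-default `else` branch is the right shape.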
--- a/src/main/java/net/hostsharing/hsadminng/config/WebSecurityConfig.java
+++ b/src/main/java/net/hostsharing/hsadminng/config/WebSecurityConfig.java
@@ -8,23 +8,24 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
+
 @Configuration
 @EnableWebSecurity
 public class WebSecurityConfig {
+    public static final String[] PERMITTED_PATHS = new String[]{"/swagger-ui/**", "/v3/api-docs/**", "/actuator/**"};
+    public static final String[] AUTHENTICATED_PATHS = new String[]{"/api/**"};
+
     @Bean
     @Profile("!test")
     public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
         return http .authorizeHttpRequests(authorize -> authorize // TODO.impl: implement CAS authentication via Spring Security
+                        // .requestMatchers(PERMITTED_PATHS).permitAll()
+                        // .requestMatchers(AUTHENTICATED_PATHS).authenticated()
+                        // .anyRequest().denyAll()
                         .anyRequest().permitAll()
-                        // .requestMatchers("/swagger-ui/**").permitAll()
-                        // .requestMatchers("/v3/api-docs/**").permitAll()
-                        // .requestMatchers("/actuator/**").permitAll()
-                        // .requestMatchers("/api/ping").permitAll()
-                        // .requestMatchers("/api/**").authenticated()
-                        //.anyRequest().denyAll()
                 ) .csrf(AbstractHttpConfigurer::disable) .build();
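Review bot: `PERMITTED_PATHS` and `AUTHENTICATED_PATHS` are declared as `public static final String[]`, and a `final` array reference does not make its elements immutable: any class on the classpath can overwrite an entry at runtime, and these two arrays now decide which requests skip authentication in `AuthenticationFilter`. Declare them as immutable lists instead, `public static final List<String> PERMITTED_PATHS = List.of("/swagger-ui/**", "/v3/api-docs/**", "/actuator/**");` and likewise for `AUTHENTICATED_PATHS`, with the filter switching from `stream(PERMITTED_PATHS)` to `PERMITTED_PATHS.stream()` (the commented `.requestMatchers(...)` lines would take `.toArray(String[]::new)` once revived). Also, `/actuator/**` is permitted as a whole; which endpoints that reaches depends on the management exposure settings, which are not part of this diff, so confirm that only endpoints intended to be unauthenticated are exposed under it. A one-line Javadoc on each constant stating that `AuthenticationFilter` enforces them, while Spring Security itself remains at `anyRequest().permitAll()`, would make that dependency visible to the next maintainer.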