define matchers only in WebSecurityConfig, where it belongs - but cannot be used yet

This commit is contained in:
Michael Hoennig 2025-03-11 17:07:19 +01:00
parent 1f3ae1ddd7
commit b6b3c588ca
2 changed files with 29 additions and 20 deletions


@ -8,12 +8,19 @@ import lombok.SneakyThrows;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.OncePerRequestFilter; import org.springframework.web.filter.OncePerRequestFilter;
import static java.util.Arrays.stream;
import static net.hostsharing.hsadminng.config.WebSecurityConfig.AUTHENTICATED_PATHS;
import static net.hostsharing.hsadminng.config.WebSecurityConfig.PERMITTED_PATHS;
@Component @Component
public class AuthenticationFilter extends OncePerRequestFilter { public class AuthenticationFilter extends OncePerRequestFilter {
private static final AntPathMatcher PATH_MATCHER = new AntPathMatcher();
@Autowired @Autowired
private Authenticator authenticator; private Authenticator authenticator;
@ -22,22 +29,23 @@ public class AuthenticationFilter extends OncePerRequestFilter {
protected void doFilterInternal( protected void doFilterInternal(
HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) { HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {
if ( !request.getRequestURI().startsWith("/api/") ) { final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
// TODO.impl: Make request matchers work via Spring Security, maybe use Spring Security CAS support directly?
if (stream(PERMITTED_PATHS).anyMatch(path -> PATH_MATCHER.match(path, request.getRequestURI()))) {
authenticatedRequest.addHeader("current-subject", "nobody"); authenticatedRequest.addHeader("current-subject", "nobody");
filterChain.doFilter(authenticatedRequest, response); filterChain.doFilter(authenticatedRequest, response);
return; } else if (stream(AUTHENTICATED_PATHS).anyMatch(path -> PATH_MATCHER.match(path, request.getRequestURI()))) {
} try {
final var currentSubject = authenticator.authenticate(request);
try { authenticatedRequest.addHeader("current-subject", currentSubject);
final var currentSubject = authenticator.authenticate(request); filterChain.doFilter(authenticatedRequest, response);
} catch (final BadCredentialsException exc) {
final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request); // TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
authenticatedRequest.addHeader("current-subject", currentSubject); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
}
filterChain.doFilter(authenticatedRequest, response); } else {
} catch (final BadCredentialsException exc) {
// TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
} }
} }
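Review bot: The new classification in doFilterInternal matches the Ant patterns against the raw `request.getRequestURI()`, which is neither decoded nor normalized and still carries the context path and any `;`-style path parameters, so a request can be classified differently from how the container and Spring MVC will actually route it (a percent-encoded or `..` segment under a permitted prefix, for instance). Because PERMITTED_PATHS is consulted first and yields subject `nobody`, a mismatch here is a bypass rather than a denial, so the path used for the decision should be the same decoded, normalized path the handler mapping sees; with the DispatcherServlet mapped at `/` that is `final var path = request.getServletPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());` computed once and passed to both `PATH_MATCHER.match(...)` calls, or the decision moves into the Spring Security chain as the TODO on the same line proposes. Whether this `@Component` filter is ordered before or after Spring Security's `StrictHttpFirewall` is not visible here; if it runs first, the firewall's rejection of such paths does not protect it. The final `else` branch correctly fails closed with 401, which deserves a one-line comment such as `// fail closed: paths in neither list are never forwarded` so a later reader does not loosen it.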


@ -8,23 +8,24 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.SecurityFilterChain;
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
public class WebSecurityConfig { public class WebSecurityConfig {
public static final String[] PERMITTED_PATHS = new String[]{"/swagger-ui/**", "/v3/api-docs/**", "/actuator/**"};
public static final String[] AUTHENTICATED_PATHS = new String[]{"/api/**"};
@Bean @Bean
@Profile("!test") @Profile("!test")
public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception { public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
return http return http
.authorizeHttpRequests(authorize -> authorize .authorizeHttpRequests(authorize -> authorize
// TODO.impl: implement CAS authentication via Spring Security // TODO.impl: implement CAS authentication via Spring Security
// .requestMatchers(PERMITTED_PATHS).permitAll()
// .requestMatchers(AUTHENTICATED_PATHS).authenticated()
// .anyRequest().denyAll()
.anyRequest().permitAll() .anyRequest().permitAll()
// .requestMatchers("/swagger-ui/**").permitAll()
// .requestMatchers("/v3/api-docs/**").permitAll()
// .requestMatchers("/actuator/**").permitAll()
// .requestMatchers("/api/ping").permitAll()
// .requestMatchers("/api/**").authenticated()
//.anyRequest().denyAll()
) )
.csrf(AbstractHttpConfigurer::disable) .csrf(AbstractHttpConfigurer::disable)
.build(); .build();
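Review bot: PERMITTED_PATHS on the new constant line lists `/actuator/**`, which, now that AuthenticationFilter consults this array first and forwards matching requests as subject `nobody`, grants anonymous access to every actuator endpoint exposed over HTTP, including sensitive ones such as `env`, `heapdump` or `threaddump` if `management.endpoints.web.exposure.include` (not visible here) exposes them. Unless exposure is locked down in configuration, narrow the entry to what an unauthenticated probe needs, e.g. `"/actuator/health/**", "/actuator/info"`, and leave the rest under AUTHENTICATED_PATHS. Both constants are `public static final String[]`, i.e. mutable arrays any caller can overwrite at runtime; `List.of(...)` would be tamper-proof and still usable with `requestMatchers(...)` via `toArray(String[]::new)`. A short Javadoc on the two constants should also state that evaluation order matters in the filter: PERMITTED_PATHS is checked before AUTHENTICATED_PATHS, so an entry added there cannot be re-protected by the second list. The closing brace of securityFilterChain lies outside the hunk.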