define matchers only in WebSecurityConfig, where it belongs - but cannot be used yet
This commit is contained in:
parent
1f3ae1ddd7
commit
b6b3c588ca
@ -8,12 +8,19 @@ import lombok.SneakyThrows;
|
|||||||
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
import org.springframework.security.authentication.BadCredentialsException;
|
import org.springframework.security.authentication.BadCredentialsException;
|
||||||
import org.springframework.stereotype.Component;
|
import org.springframework.stereotype.Component;
|
||||||
|
import org.springframework.util.AntPathMatcher;
|
||||||
import org.springframework.web.filter.OncePerRequestFilter;
|
import org.springframework.web.filter.OncePerRequestFilter;
|
||||||
|
|
||||||
|
|
||||||
|
import static java.util.Arrays.stream;
|
||||||
|
import static net.hostsharing.hsadminng.config.WebSecurityConfig.AUTHENTICATED_PATHS;
|
||||||
|
import static net.hostsharing.hsadminng.config.WebSecurityConfig.PERMITTED_PATHS;
|
||||||
|
|
||||||
@Component
|
@Component
|
||||||
public class AuthenticationFilter extends OncePerRequestFilter {
|
public class AuthenticationFilter extends OncePerRequestFilter {
|
||||||
|
|
||||||
|
private static final AntPathMatcher PATH_MATCHER = new AntPathMatcher();
|
||||||
|
|
||||||
@Autowired
|
@Autowired
|
||||||
private Authenticator authenticator;
|
private Authenticator authenticator;
|
||||||
|
|
||||||
@ -22,22 +29,23 @@ public class AuthenticationFilter extends OncePerRequestFilter {
|
|||||||
protected void doFilterInternal(
|
protected void doFilterInternal(
|
||||||
HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {
|
HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {
|
||||||
|
|
||||||
if ( !request.getRequestURI().startsWith("/api/") ) {
|
final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
|
||||||
final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
|
|
||||||
|
// TODO.impl: Make request matchers work via Spring Security, maybe use Spring Security CAS support directly?
|
||||||
|
|
||||||
|
if (stream(PERMITTED_PATHS).anyMatch(path -> PATH_MATCHER.match(path, request.getRequestURI()))) {
|
||||||
authenticatedRequest.addHeader("current-subject", "nobody");
|
authenticatedRequest.addHeader("current-subject", "nobody");
|
||||||
filterChain.doFilter(authenticatedRequest, response);
|
filterChain.doFilter(authenticatedRequest, response);
|
||||||
return;
|
} else if (stream(AUTHENTICATED_PATHS).anyMatch(path -> PATH_MATCHER.match(path, request.getRequestURI()))) {
|
||||||
}
|
try {
|
||||||
|
final var currentSubject = authenticator.authenticate(request);
|
||||||
try {
|
authenticatedRequest.addHeader("current-subject", currentSubject);
|
||||||
final var currentSubject = authenticator.authenticate(request);
|
filterChain.doFilter(authenticatedRequest, response);
|
||||||
|
} catch (final BadCredentialsException exc) {
|
||||||
final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
|
// TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
|
||||||
authenticatedRequest.addHeader("current-subject", currentSubject);
|
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
||||||
|
}
|
||||||
filterChain.doFilter(authenticatedRequest, response);
|
} else {
|
||||||
} catch (final BadCredentialsException exc) {
|
|
||||||
// TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
|
|
||||||
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
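Review bot: The two new anyMatch conditions in doFilterInternal compare PERMITTED_PATHS and AUTHENTICATED_PATHS against `request.getRequestURI()`, which is the raw URI — it still carries the context path and any `;`-style path parameters and has not been decoded or normalised the way Spring Security's own matchers see it — so under a non-root context path nothing matches `/api/**` and every call ends in the final 401 branch, and, depending on the container, an encoded or traversal-style spelling of a path can be matched against a permitted pattern while the servlet serves a different, normalised resource. Evaluate the path once, in the form Spring itself uses, e.g. `final var path = new UrlPathHelper().getPathWithinApplication(request);` and then `PATH_MATCHER.match(p, path)` in both anyMatch calls (UrlPathHelper lives in org.springframework.web.util and needs an import), which also removes the duplicated getRequestURI() evaluation inside the lambdas. The TODO above the if already says enforcing this in Spring Security is the intended end state; until then the new else branch that returns 401 for any unlisted path is the right fail-closed default and should stay. The method's annotations and the class's closing brace lie outside the hunk.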
@ -8,23 +8,24 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
|
|||||||
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||||
import org.springframework.security.web.SecurityFilterChain;
|
import org.springframework.security.web.SecurityFilterChain;
|
||||||
|
|
||||||
|
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
public class WebSecurityConfig {
|
public class WebSecurityConfig {
|
||||||
|
|
||||||
|
public static final String[] PERMITTED_PATHS = new String[]{"/swagger-ui/**", "/v3/api-docs/**", "/actuator/**"};
|
||||||
|
public static final String[] AUTHENTICATED_PATHS = new String[]{"/api/**"};
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
@Profile("!test")
|
@Profile("!test")
|
||||||
public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
|
public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
|
||||||
return http
|
return http
|
||||||
.authorizeHttpRequests(authorize -> authorize
|
.authorizeHttpRequests(authorize -> authorize
|
||||||
// TODO.impl: implement CAS authentication via Spring Security
|
// TODO.impl: implement CAS authentication via Spring Security
|
||||||
|
// .requestMatchers(PERMITTED_PATHS).permitAll()
|
||||||
|
// .requestMatchers(AUTHENTICATED_PATHS).authenticated()
|
||||||
|
// .anyRequest().denyAll()
|
||||||
.anyRequest().permitAll()
|
.anyRequest().permitAll()
|
||||||
// .requestMatchers("/swagger-ui/**").permitAll()
|
|
||||||
// .requestMatchers("/v3/api-docs/**").permitAll()
|
|
||||||
// .requestMatchers("/actuator/**").permitAll()
|
|
||||||
// .requestMatchers("/api/ping").permitAll()
|
|
||||||
// .requestMatchers("/api/**").authenticated()
|
|
||||||
//.anyRequest().denyAll()
|
|
||||||
)
|
)
|
||||||
.csrf(AbstractHttpConfigurer::disable)
|
.csrf(AbstractHttpConfigurer::disable)
|
||||||
.build();
|
.build();
|
||||||
|
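Review bot: PERMITTED_PATHS and AUTHENTICATED_PATHS in WebSecurityConfig are `public static final String[]`, and a final reference to an array does not make its elements immutable — any code that can see the class can overwrite a pattern at runtime, which is an undesirable property for an allow-list that decides whether authentication is required. Declare them as unmodifiable lists, `public static final List<String> PERMITTED_PATHS = List.of("/swagger-ui/**", "/v3/api-docs/**", "/actuator/**");` and likewise `List.of("/api/**")` for AUTHENTICATED_PATHS, iterate with `PERMITTED_PATHS.stream()` in the filter, and convert with `toArray(String[]::new)` at the call site once `requestMatchers(String...)` is enabled. Note also that `/actuator/**` as a whole is on the permitted list; whether that exposes more than the health endpoint anonymously depends on the management exposure settings, which are not visible here. The closing brace of securityFilterChain lies outside the hunk.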