define matchers only in WebSecurityConfig, where it belongs - but cannot be used yet

2025-03-11 17:07:19 +01:00 · 2025-03-11 17:07:19 +01:00 · b6b3c588ca
commit b6b3c588ca
parent 1f3ae1ddd7
2 changed files with 29 additions and 20 deletions
--- a/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
+++ b/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
@ -8,12 +8,19 @@ import lombok.SneakyThrows;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.stereotype.Component;
+import org.springframework.util.AntPathMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;


+import static java.util.Arrays.stream;
+import static net.hostsharing.hsadminng.config.WebSecurityConfig.AUTHENTICATED_PATHS;
+import static net.hostsharing.hsadminng.config.WebSecurityConfig.PERMITTED_PATHS;
+
@Component
 public class AuthenticationFilter extends OncePerRequestFilter {

+    private static final AntPathMatcher PATH_MATCHER = new AntPathMatcher();
+
    @Autowired
    private Authenticator authenticator;

@ -22,22 +29,23 @@ public class AuthenticationFilter extends OncePerRequestFilter {
    protected void doFilterInternal(
            HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {

-        if ( !request.getRequestURI().startsWith("/api/") ) {
-            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
+        final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
+
+        // TODO.impl: Make request matchers work via Spring Security, maybe use Spring Security CAS support directly?
+
+        if (stream(PERMITTED_PATHS).anyMatch(path -> PATH_MATCHER.match(path, request.getRequestURI()))) {
            authenticatedRequest.addHeader("current-subject", "nobody");
            filterChain.doFilter(authenticatedRequest, response);
-            return;
-        }
-
-        try {
-            final var currentSubject = authenticator.authenticate(request);
-
-            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
-            authenticatedRequest.addHeader("current-subject", currentSubject);
-
-            filterChain.doFilter(authenticatedRequest, response);
-        } catch (final BadCredentialsException exc) {
-            // TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
+        } else if (stream(AUTHENTICATED_PATHS).anyMatch(path -> PATH_MATCHER.match(path, request.getRequestURI()))) {
+            try {
+                final var currentSubject = authenticator.authenticate(request);
+                authenticatedRequest.addHeader("current-subject", currentSubject);
+                filterChain.doFilter(authenticatedRequest, response);
+            } catch (final BadCredentialsException exc) {
+                // TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
+                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            }
+        } else {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
--- a/src/main/java/net/hostsharing/hsadminng/config/WebSecurityConfig.java
+++ b/src/main/java/net/hostsharing/hsadminng/config/WebSecurityConfig.java
@ -8,23 +8,24 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;

+
@Configuration
@EnableWebSecurity
 public class WebSecurityConfig {

+    public static final String[] PERMITTED_PATHS = new String[]{"/swagger-ui/**", "/v3/api-docs/**", "/actuator/**"};
+    public static final String[] AUTHENTICATED_PATHS = new String[]{"/api/**"};
+
    @Bean
    @Profile("!test")
    public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(authorize -> authorize
                        // TODO.impl: implement CAS authentication via Spring Security
+                        // .requestMatchers(PERMITTED_PATHS).permitAll()
+                        // .requestMatchers(AUTHENTICATED_PATHS).authenticated()
+                        // .anyRequest().denyAll()
                        .anyRequest().permitAll()
-                        // .requestMatchers("/swagger-ui/**").permitAll()
-                        // .requestMatchers("/v3/api-docs/**").permitAll()
-                        // .requestMatchers("/actuator/**").permitAll()
-                        // .requestMatchers("/api/ping").permitAll()
-                        // .requestMatchers("/api/**").authenticated()
-                        //.anyRequest().denyAll()
                )
                .csrf(AbstractHttpConfigurer::disable)
                .build();