authorGravatar Alexander Alexeev2017-04-05 18:51:31 +0700
committerGravatar Vitaly Takmazov2017-04-05 15:13:40 +0300
commit66d3be7862c8525f6f85e387503c6002a00371ee (patch)
tree9f2e668c7f1771f58676ac82068261f6ca576dd6
parenta06c82e4ecfea6452f4d90aa41189f294c434160 (diff)
rememberMe improved: added compatibility with old version
-rw-r--r--juick-server/src/main/java/com/juick/server/security/HashParamAuthenticationFilter.java51
-rw-r--r--juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java26
2 files changed, 55 insertions, 22 deletions
diff --git a/juick-server/src/main/java/com/juick/server/security/HashParamAuthenticationFilter.java b/juick-server/src/main/java/com/juick/server/security/HashParamAuthenticationFilter.java
index df1ae38c..ce48adbe 100644
--- a/juick-server/src/main/java/com/juick/server/security/HashParamAuthenticationFilter.java
+++ b/juick-server/src/main/java/com/juick/server/security/HashParamAuthenticationFilter.java
@@ -5,14 +5,15 @@ import com.juick.server.security.entities.JuickUser;
import com.juick.service.UserService;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.authentication.RememberMeServices;
+import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@@ -24,10 +25,17 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter {
public static final String PARAM_NAME = "hash";
private final UserService userService;
+ private final RememberMeServices rememberMeServices;
- public HashParamAuthenticationFilter(UserService userService) {
+ public HashParamAuthenticationFilter(
+ final UserService userService,
+ final RememberMeServices rememberMeServices) {
+ Assert.notNull(userService, "userService should not be null");
+ Assert.notNull(rememberMeServices, "rememberMeServices should not be null");
+
this.userService = userService;
+ this.rememberMeServices = rememberMeServices;
}
@Override
@@ -36,17 +44,19 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter {
HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
- String hash = request.getHeader(PARAM_NAME);
-
- if (hash == null)
- hash = request.getParameter(PARAM_NAME);
+ String hash = getHashFromRequest(request);
if (hash != null && authenticationIsRequired()) {
User user = userService.getUserByHash(hash);
- if (!user.isAnonymous())
- SecurityContextHolder.getContext().setAuthentication(
- new RememberMeAuthenticationToken(hash, new JuickUser(user), JuickUser.USER_AUTHORITY));
+ if (!user.isAnonymous()) {
+ Authentication authentication = new RememberMeAuthenticationToken(
+ hash, new JuickUser(user), JuickUser.USER_AUTHORITY);
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ rememberMeServices.loginSuccess(request, response, authentication);
+ }
}
filterChain.doFilter(request, response);
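Review bot: `rememberMeServices.loginSuccess(request, response, authentication)` now runs on every request that presents a hash and has no existing authentication, not only on a first login, so a client that sends the hash header on each API call gets a fresh remember-me Set-Cookie (six months of validity per the WebSecurityConfig hunk) on every response. If the intent is only to migrate old sessions to the new cookie, consider calling it only when the hash came from the legacy cookie, or when the request does not already carry the remember-me cookie. Whether this matters in practice depends on filter order and on which clients use the header, neither of which is visible here; doFilterInternal's signature starts outside the hunk.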
@@ -55,12 +65,23 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter {
private boolean authenticationIsRequired() {
Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
- if (existingAuth == null || !existingAuth.isAuthenticated())
- return true;
+ return existingAuth == null ||
+ !existingAuth.isAuthenticated() ||
+ existingAuth instanceof AnonymousAuthenticationToken;
+ }
+
+ private String getHashFromRequest(HttpServletRequest request) {
+ String hash = request.getHeader(PARAM_NAME);
- if (existingAuth instanceof AnonymousAuthenticationToken)
- return true;
+ if (hash == null)
+ hash = request.getParameter(PARAM_NAME);
- return false;
+ if (hash == null)
+ for (Cookie cookie : request.getCookies())
+ if (PARAM_NAME.equals(cookie.getName())) {
+ hash = cookie.getValue();
+ break;
+ }
+ return hash;
}
}
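Review bot: `request.getCookies()` in the new `for (Cookie cookie : request.getCookies())` returns null when the request carries no cookies, so a request with neither the `hash` header nor the parameter nor any cookie throws a NullPointerException in getHashFromRequest instead of passing through the filter chain. Guard it with `Cookie[] cookies = request.getCookies();` and `if (hash == null && cookies != null)` before the loop. Since a cookie named `hash` is now accepted as a credential on the same footing as the header, a one-line comment such as `// legacy: older clients kept the hash in a cookie of the same name` would make the reason for the third lookup explicit.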
diff --git a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
index 3c674d0c..d3aa9e81 100644
--- a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
+++ b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
@@ -8,12 +8,13 @@ import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.authentication.RememberMeServices;
+import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import javax.annotation.Resource;
@@ -66,11 +67,8 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
.failureUrl("/login?error=1")
.and()
.rememberMe()
- .tokenValiditySeconds(6 * 30 * 24 * 3600)
- .alwaysRemember(true)
- //.useSecureCookie(true) // TODO Enable if https is supports
.rememberMeCookieDomain(webDomain).key(rememberMeKey)
- .userDetailsService(userDetailsServiceBean())
+ .rememberMeServices(rememberMeServices())
.and()
.csrf().disable()
.authenticationProvider(authenticationProvider())
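Review bot: With `.rememberMeServices(rememberMeServices())` supplied, the `.rememberMeCookieDomain(webDomain)` kept on the line above is, as far as I can tell, only applied to services the configurer builds itself and is ignored for a caller-provided instance; the bean already calls `services.setCookieDomain(webDomain)`, so the configurer call is dead and could be dropped so it does not suggest an effect it no longer has. `.key(rememberMeKey)` must stay, since it configures the RememberMeAuthenticationProvider and has to match the key passed to TokenBasedRememberMeServices, which it does here.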
@@ -87,8 +85,22 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
}
@Bean
- public HashParamAuthenticationFilter hashParamAuthenticationFilter() {
- return new HashParamAuthenticationFilter(userService);
+ public HashParamAuthenticationFilter hashParamAuthenticationFilter() throws Exception {
+ return new HashParamAuthenticationFilter(userService, rememberMeServices());
+ }
+
+ @Bean
+ public RememberMeServices rememberMeServices() throws Exception {
+ TokenBasedRememberMeServices services = new TokenBasedRememberMeServices(
+ rememberMeKey, userDetailsServiceBean());
+
+ services.setCookieName("juick-remember-me");
+ services.setCookieDomain(webDomain);
+ services.setAlwaysRemember(true);
+ services.setTokenValiditySeconds(6 * 30 * 24 * 3600);
+ services.setUseSecureCookie(false); // TODO set true if https is supports
+
+ return services;
}
@Override
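Review bot: `services.setUseSecureCookie(false)` pins the cookie's Secure flag off even when a request arrives over HTTPS; if the property is left unset, TokenBasedRememberMeServices (via AbstractRememberMeServices) derives the flag from `request.isSecure()`, so deleting the line gives the TLS-aware behaviour the TODO asks for without a later code change. The old configurer form only had `useSecureCookie` as a commented-out TODO, so this is not a regression, but an explicit `false` is the easier one to forget to flip. The new bean also lacks a Javadoc; a summary such as `/** Remember-me cookie shared by the form login and HashParamAuthenticationFilter. */` would tell a reader why it is a separate bean rather than configurer settings.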