fix user deletion flow when invalid key is present

author: Vitaly Takmazov 2019-01-30 16:40:15 +0300
committer: Vitaly Takmazov 2019-01-30 16:40:15 +0300
commit: 6d83f5614a5273ff53f1ddc5f4c614460e228993 (patch)
tree: 4369f064fbb7c9753d8df4b4cad8a5e152d03b40 /src/main/java/com/juick/service/security
parent: a2a86393941e9520a8f8a126fbad0c4fad406720 (diff)
1 files changed, 14 insertions, 11 deletions
diff --git a/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java b/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java
index 3fb16dce..22dc3b9c 100644
--- a/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java
+++ b/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java
@@ -4,6 +4,7 @@ import com.juick.User;
 import com.juick.server.SignatureManager;
 import com.juick.service.UserService;
 import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -40,17 +41,19 @@ public class HTTPSignatureAuthenticationFilter extends OncePerRequestFilter {
             Map<String, String> headers = Collections.list(request.getHeaderNames())
                     .stream()
                     .collect(Collectors.toMap(String::toLowerCase, request::getHeader));
-            User user = signatureManager.verifySignature(request.getMethod(), request.getRequestURI(), headers);
-            if (!user.isAnonymous()) {
-                String userUri = user.getUri().toString();
-                if (userUri.length() == 0) {
-                    User userWithPassword = userService.getUserByName(user.getName());
-                    userWithPassword.setAuthHash(userService.getHashByUID(userWithPassword.getUid()));
-                    Authentication authentication = new UsernamePasswordAuthenticationToken(userWithPassword.getName(), userWithPassword.getCredentials());
-                    SecurityContextHolder.getContext().setAuthentication(authentication);
-                } else {
-                    Authentication authentication = new AnonymousAuthenticationToken(userUri, user, Collections.singletonList(new SimpleGrantedAuthority("ROLE_ANONYMOUS")));
-                    SecurityContextHolder.getContext().setAuthentication(authentication);
+            if (StringUtils.isNotEmpty(headers.get("signature"))) {
+                User user = signatureManager.verifySignature(request.getMethod(), request.getRequestURI(), headers);
+                if (!user.isAnonymous()) {
+                    String userUri = user.getUri().toString();
+                    if (userUri.length() == 0) {
+                        User userWithPassword = userService.getUserByName(user.getName());
+                        userWithPassword.setAuthHash(userService.getHashByUID(userWithPassword.getUid()));
+                        Authentication authentication = new UsernamePasswordAuthenticationToken(userWithPassword.getName(), userWithPassword.getCredentials());
+                        SecurityContextHolder.getContext().setAuthentication(authentication);
+                    } else {
+                        Authentication authentication = new AnonymousAuthenticationToken(userUri, user, Collections.singletonList(new SimpleGrantedAuthority("ROLE_ANONYMOUS")));
+                        SecurityContextHolder.getContext().setAuthentication(authentication);
+                    }
                 }
             }
         }
author	Vitaly Takmazov	2019-01-30 16:40:15 +0300
committer	Vitaly Takmazov	2019-01-30 16:40:15 +0300
commit	6d83f5614a5273ff53f1ddc5f4c614460e228993 (patch)
tree	4369f064fbb7c9753d8df4b4cad8a5e152d03b40 /src/main/java/com/juick/service/security
parent	a2a86393941e9520a8f8a126fbad0c4fad406720 (diff)