authorGravatar Vitaly Takmazov2023-01-05 11:00:50 +0300
committerGravatar Vitaly Takmazov2023-01-05 20:58:47 +0300
commitcdd03aa64548810591e043fb59a287a1b36c92ba (patch)
tree665ad1e3f1162d0be76c95a814ec4500bcf5ce55 /src/main/java/com/juick/service/security
parent120b26c55069f89cc60ef862514d5cf09566f348 (diff)
ActivityPub: signed GET requests, fix Signature verification
Diffstat (limited to 'src/main/java/com/juick/service/security')
-rw-r--r--src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java7
-rw-r--r--src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java43
2 files changed, 23 insertions, 27 deletions
diff --git a/src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java b/src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java
index 2e96a594..f4e73b12 100644
--- a/src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java
+++ b/src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java
@@ -19,7 +19,6 @@ package com.juick.service.security;
import com.juick.service.UserService;
import com.juick.service.security.entities.JuickUser;
-import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import jakarta.servlet.FilterChain;
@@ -52,9 +51,9 @@ public class BearerTokenAuthenticationFilter extends BaseAuthenticationFilter {
}
@Override
- protected void doFilterInternal(@Nonnull HttpServletRequest request,
- @Nonnull HttpServletResponse response,
- @Nonnull FilterChain filterChain) throws ServletException, IOException {
+ protected void doFilterInternal(HttpServletRequest request,
+ HttpServletResponse response,
+ FilterChain filterChain) throws ServletException, IOException {
if (authenticationIsRequired()) {
var headers = Collections.list(request.getHeaderNames())
.stream()
diff --git a/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java b/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java
index 5f6a730e..a851ef36 100644
--- a/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java
+++ b/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java
@@ -17,8 +17,8 @@
package com.juick.service.security;
-import com.juick.SignatureManager;
import com.juick.model.User;
+import com.juick.service.ActivityPubService;
import com.juick.service.UserService;
import com.juick.service.security.entities.JuickUser;
import jakarta.servlet.FilterChain;
@@ -31,7 +31,6 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
-import javax.annotation.Nonnull;
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
@@ -39,39 +38,37 @@ import java.util.stream.Collectors;
public class HTTPSignatureAuthenticationFilter extends BaseAuthenticationFilter {
- private final SignatureManager signatureManager;
+ private final ActivityPubService signatureManager;
private final UserService userService;
public HTTPSignatureAuthenticationFilter(
- final SignatureManager signatureManager,
+ final ActivityPubService activityPubService,
final UserService userService) {
- this.signatureManager = signatureManager;
+ this.signatureManager = activityPubService;
this.userService = userService;
}
@Override
- protected void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull HttpServletResponse response,
- @Nonnull FilterChain filterChain) throws IOException, ServletException {
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
+ FilterChain filterChain) throws IOException, ServletException {
if (authenticationIsRequired()) {
Map<String, String> headers = Collections.list(request.getHeaderNames())
.stream()
.collect(Collectors.toMap(String::toLowerCase, request::getHeader));
- if (StringUtils.isNotEmpty(headers.get("signature"))) {
- User user = signatureManager.verifySignature(request.getMethod(), request.getRequestURI(), headers);
- String userUri = user.getUri().toString();
- if (!user.isAnonymous() || userUri.length() > 0) {
- if (userUri.length() == 0) {
- User userWithPassword = userService.getUserByName(user.getName());
- userWithPassword.setAuthHash(userService.getHashByUID(userWithPassword.getUid()));
- Authentication authentication = new UsernamePasswordAuthenticationToken(
- new JuickUser(user), userWithPassword.getCredentials(), JuickUser.USER_AUTHORITY);
- SecurityContextHolder.getContext().setAuthentication(authentication);
- } else {
- // anonymous must have with uri
- Authentication authentication = new AnonymousAuthenticationToken(userUri,
- new JuickUser(user), JuickUser.ANONYMOUS_AUTHORITY);
- SecurityContextHolder.getContext().setAuthentication(authentication);
- }
+ var user = signatureManager.verifyActor(request.getMethod(), request.getRequestURI(), headers);
+ String userUri = user.getUri().toString();
+ if (!user.isAnonymous() || userUri.length() > 0) {
+ if (userUri.length() == 0) {
+ User userWithPassword = userService.getUserByName(user.getName());
+ userWithPassword.setAuthHash(userService.getHashByUID(userWithPassword.getUid()));
+ Authentication authentication = new UsernamePasswordAuthenticationToken(
+ new JuickUser(user), userWithPassword.getCredentials(), JuickUser.USER_AUTHORITY);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+ } else {
+ // anonymous must have with uri
+ Authentication authentication = new AnonymousAuthenticationToken(userUri,
+ new JuickUser(user), JuickUser.ANONYMOUS_AUTHORITY);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
}
}
}
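Review bot: The new code around the `verifyActor` call has dropped the `StringUtils.isNotEmpty(headers.get("signature"))` guard that the removed lines had, so verification now runs for every request that reaches this filter and its result is dereferenced immediately as `user.getUri().toString()` with no null check. Unless `verifyActor` is guaranteed to return a non-null user with a non-null URI for requests that carry no Signature header (not visible here), an unsigned request will fail with a NullPointerException instead of continuing unauthenticated; a cheap guard is `var uri = user == null ? null : user.getUri();` followed by `String userUri = uri == null ? "" : uri.toString();`, or restoring the header check around the call. Separately, the target passed to `verifyActor` is `request.getRequestURI()`, which excludes the query string, so if the service derives `(request-target)` from it the query component of a signed GET is not bound by the signature and senders that include it would fail verification — worth confirming against the ActivityPubService implementation. The fully authenticated branch also dereferences `userWithPassword` from `getUserByName` without checking whether a local user by that name exists. The body of `doFilterInternal` continues past the end of the hunk.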