-rw-r--r-- | juick-server/src/main/java/com/juick/server/security/HashParamAuthenticationFilter.java | 51 | ||||
-rw-r--r-- | juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java | 26 |
2 files changed, 55 insertions, 22 deletions
diff --git a/juick-server/src/main/java/com/juick/server/security/HashParamAuthenticationFilter.java b/juick-server/src/main/java/com/juick/server/security/HashParamAuthenticationFilter.java
index df1ae38c..ce48adbe 100644
--- a/juick-server/src/main/java/com/juick/server/security/HashParamAuthenticationFilter.java
+++ b/juick-server/src/main/java/com/juick/server/security/HashParamAuthenticationFilter.java
@@ -5,14 +5,15 @@ import com.juick.server.security.entities.JuickUser;
 import com.juick.service.UserService;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.RememberMeAuthenticationToken;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.authentication.RememberMeServices;
+import org.springframework.util.Assert;
 import org.springframework.web.filter.OncePerRequestFilter;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
@@ -24,10 +25,17 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter {
 public static final String PARAM_NAME = "hash";
 private final UserService userService;
+ private final RememberMeServices rememberMeServices;
- public HashParamAuthenticationFilter(UserService userService) {
+ public HashParamAuthenticationFilter(
+ final UserService userService,
+ final RememberMeServices rememberMeServices) {
+ Assert.notNull(userService, "userService should not be null");
+ Assert.notNull(rememberMeServices, "rememberMeServices should not be null");
+
 this.userService = userService;
+ this.rememberMeServices = rememberMeServices;
 }
 @Override
@@ -36,17 +44,19 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter {
 HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
- String hash = request.getHeader(PARAM_NAME);
-
- if (hash == null)
- hash = request.getParameter(PARAM_NAME);
+ String hash = getHashFromRequest(request);
 if (hash != null && authenticationIsRequired()) {
 User user = userService.getUserByHash(hash);
- if (!user.isAnonymous())
- SecurityContextHolder.getContext().setAuthentication(
- new RememberMeAuthenticationToken(hash, new JuickUser(user), JuickUser.USER_AUTHORITY));
+ if (!user.isAnonymous()) {
+ Authentication authentication = new RememberMeAuthenticationToken(
+ hash, new JuickUser(user), JuickUser.USER_AUTHORITY);
+
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+
+ rememberMeServices.loginSuccess(request, response, authentication);
+ }
 }
 filterChain.doFilter(request, response);
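Review bot: In doFilterInternal the new `rememberMeServices.loginSuccess(request, response, authentication)` runs for every hash-authenticated request regardless of where the hash came from, so a request that authenticates through the `hash` header (the API-client path) or through a `?hash=` link now also receives a persistent remember-me Set-Cookie. If that promotion is intended, record it next to the call, e.g. `// Hash auth succeeded: also issue the remember-me cookie so the browser stays logged in.`; if it is only meant for browsers, gate it on the source of the hash, which getHashFromRequest could report alongside the value. Either way the method has no Javadoc yet, and one sentence stating that a valid hash yields a RememberMeAuthenticationToken plus a remember-me cookie would make the behaviour reviewable without reading the body. doFilterInternal's signature starts before this hunk.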
@@ -55,12 +65,23 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter {
 private boolean authenticationIsRequired() {
 Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
- if (existingAuth == null || !existingAuth.isAuthenticated())
- return true;
+ return existingAuth == null ||
+ !existingAuth.isAuthenticated() ||
+ existingAuth instanceof AnonymousAuthenticationToken;
+ }
+
+ private String getHashFromRequest(HttpServletRequest request) {
+ String hash = request.getHeader(PARAM_NAME);
- if (existingAuth instanceof AnonymousAuthenticationToken)
- return true;
+ if (hash == null)
+ hash = request.getParameter(PARAM_NAME);
- return false;
+ if (hash == null)
+ for (Cookie cookie : request.getCookies())
+ if (PARAM_NAME.equals(cookie.getName())) {
+ hash = cookie.getValue();
+ break;
+ }
+ return hash;
 }
 }
diff --git a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
index 3c674d0c..d3aa9e81 100644
--- a/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
+++ b/juick-www/src/main/java/com/juick/www/configuration/WebSecurityConfig.java
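Review bot: `request.getCookies()` returns null when the request carries no Cookie header, so the new loop in getHashFromRequest throws a NullPointerException for every request that has neither the hash header nor the parameter — the ordinary unauthenticated case. Guard the array before iterating: `Cookie[] cookies = request.getCookies();` / `if (hash == null && cookies != null)` / `for (Cookie cookie : cookies)`. Since the credential is now accepted from three channels, a Javadoc on getHashFromRequest stating the lookup order (header, then request parameter, then the `hash` cookie) and noting that a hash passed as a query parameter can end up in access logs and Referer headers would help anyone auditing where this credential may arrive.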
@@ -8,12 +8,13 @@ import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.authentication.RememberMeServices;
+import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import javax.annotation.Resource;
@@ -66,11 +67,8 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 .failureUrl("/login?error=1")
 .and()
 .rememberMe()
- .tokenValiditySeconds(6 * 30 * 24 * 3600)
- .alwaysRemember(true)
- //.useSecureCookie(true) // TODO Enable if https is supports
 .rememberMeCookieDomain(webDomain).key(rememberMeKey)
- .userDetailsService(userDetailsServiceBean())
+ .rememberMeServices(rememberMeServices())
 .and()
 .csrf().disable()
 .authenticationProvider(authenticationProvider())
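Review bot: `.rememberMeCookieDomain(webDomain).key(rememberMeKey)` is left on the DSL chain while the next line hands in an explicit `.rememberMeServices(rememberMeServices())`; as far as I can tell, once a RememberMeServices instance is supplied the configurer no longer builds its own, so the cookie-domain call here is redundant with `services.setCookieDomain(webDomain)` in the new bean and could be dropped so that only one place looks authoritative. `.key(rememberMeKey)` still matters because it is the key the configurer hands to its RememberMeAuthenticationProvider, which has to equal the key passed to TokenBasedRememberMeServices; a one-line comment such as `// must equal the key given to rememberMeServices()` keeps the two from drifting apart. The configure method's body starts and ends outside this hunk.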
@@ -87,8 +85,22 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 }
 @Bean
- public HashParamAuthenticationFilter hashParamAuthenticationFilter() {
- return new HashParamAuthenticationFilter(userService);
+ public HashParamAuthenticationFilter hashParamAuthenticationFilter() throws Exception {
+ return new HashParamAuthenticationFilter(userService, rememberMeServices());
+ }
+
+ @Bean
+ public RememberMeServices rememberMeServices() throws Exception {
+ TokenBasedRememberMeServices services = new TokenBasedRememberMeServices(
+ rememberMeKey, userDetailsServiceBean());
+
+ services.setCookieName("juick-remember-me");
+ services.setCookieDomain(webDomain);
+ services.setAlwaysRemember(true);
+ services.setTokenValiditySeconds(6 * 30 * 24 * 3600);
+ services.setUseSecureCookie(false); // TODO set true if https is supports
+
+ return services;
 }
 @Override
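Review bot: `services.setUseSecureCookie(false)` hard-codes the Secure attribute off for a cookie that, with `setAlwaysRemember(true)` and `setTokenValiditySeconds(6 * 30 * 24 * 3600)`, is a six-month login credential also sent over plain HTTP; `webDomain` and `rememberMeKey` are already injected, so read this flag from configuration in the same way, e.g. `services.setUseSecureCookie(secureCookie);` backed by a `@Value("${<property-name>}") boolean secureCookie` field (property name to be chosen), so that enabling TLS needs no code change. The validity expression is the same literal the @@ -66 hunk removed from the DSL; naming it `private static final int REMEMBER_ME_VALIDITY_SECONDS = 6 * 30 * 24 * 3600;` and giving rememberMeServices() a Javadoc that states the cookie name, lifetime and that a TokenBasedRememberMeServices token is computed from the stored password hash (so a password change invalidates outstanding cookies) would make the bean self-describing. rememberMeServices() is also invoked directly from hashParamAuthenticationFilter(), which yields the same instance only through @Configuration proxying — worth confirming, or inject the RememberMeServices bean as a method parameter instead.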