2 files changed, 75 insertions, 3 deletions

diff --git a/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java b/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java
new file mode 100644
index 00000000..44d97207
--- /dev/null
+++ b/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java
@@ -0,0 +1,71 @@
+package com.juick.service.security;
+
+import com.juick.User;
+import com.juick.server.SignatureManager;
+import com.juick.service.UserService;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.annotation.Nonnull;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Collections;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+public class HTTPSignatureAuthenticationFilter extends OncePerRequestFilter {
+
+    private final SignatureManager signatureManager;
+    private final UserService userService;
+
+
+    public HTTPSignatureAuthenticationFilter(
+            final SignatureManager signatureManager,
+            final UserService userService) {
+        this.signatureManager = signatureManager;
+        this.userService = userService;
+    }
+    @Override
+    protected void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull HttpServletResponse response, @Nonnull FilterChain filterChain) throws IOException, ServletException {
+        if (authenticationIsRequired()) {
+            Map<String, String> headers = Collections.list(request.getHeaderNames())
+                    .stream()
+                    .collect(Collectors.toMap(String::toLowerCase, request::getHeader));
+            if (StringUtils.isNotEmpty(headers.get("signature"))) {
+                User user = signatureManager.verifySignature(request.getMethod(), request.getRequestURI(), headers);
+                String userUri = user.getUri().toString();
+                if (!user.isAnonymous() || userUri.length() > 0) {
+                    if (userUri.length() == 0) {
+                        User userWithPassword = userService.getUserByName(user.getName());
+                        userWithPassword.setAuthHash(userService.getHashByUID(userWithPassword.getUid()));
+                        Authentication authentication = new UsernamePasswordAuthenticationToken(userWithPassword.getName(), userWithPassword.getCredentials());
+                        SecurityContextHolder.getContext().setAuthentication(authentication);
+                    } else {
+                        Authentication authentication = new AnonymousAuthenticationToken(userUri, user, Collections.singletonList(new SimpleGrantedAuthority("ROLE_ANONYMOUS")));
+                        SecurityContextHolder.getContext().setAuthentication(authentication);
+                    }
+                }
+            }
+        }
+
+        filterChain.doFilter(request, response);
+    }
+
+    private boolean authenticationIsRequired() {
+        Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
+
+        return existingAuth == null ||
+                !existingAuth.isAuthenticated() ||
+                existingAuth instanceof AnonymousAuthenticationToken;
+    }
+}
diff --git a/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java b/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java
index 9215d09a..2fd5a2a7 100644
--- a/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java
+++ b/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java
@@ -30,6 +30,7 @@ import org.springframework.util.Assert;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.springframework.web.util.WebUtils;
 
+import javax.annotation.Nonnull;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
@@ -59,9 +60,9 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter {
 
     @Override
     protected void doFilterInternal(
-            HttpServletRequest request,
-            HttpServletResponse response,
-            FilterChain filterChain) throws ServletException, IOException {
+            @Nonnull HttpServletRequest request,
+            @Nonnull HttpServletResponse response,
+            @Nonnull FilterChain filterChain) throws ServletException, IOException {
 
         String hash = getHashFromRequest(request);