From 8bd7c95cd756b6b2790c5470b8cf2f0a4202796c Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Fri, 7 Sep 2018 15:22:09 +0300 Subject: Fix hash param authentication --- .../juick/server/configuration/SecurityConfig.java | 50 ++++++++++++---------- 1 file changed, 28 insertions(+), 22 deletions(-) diff --git a/juick-server/src/main/java/com/juick/server/configuration/SecurityConfig.java b/juick-server/src/main/java/com/juick/server/configuration/SecurityConfig.java index 676de56b..883677d9 100644 --- a/juick-server/src/main/java/com/juick/server/configuration/SecurityConfig.java +++ b/juick-server/src/main/java/com/juick/server/configuration/SecurityConfig.java @@ -67,24 +67,6 @@ public class SecurityConfig { public UserDetailsService userDetailsService() { return new JuickUserDetailsService(userService); } - @Bean - public RememberMeServices rememberMeServices() throws Exception { - TokenBasedRememberMeServices services = new TokenBasedRememberMeServices( - rememberMeKey, userDetailsService()); - - services.setCookieName(COOKIE_NAME); - services.setCookieDomain(webDomain); - services.setAlwaysRemember(true); - services.setTokenValiditySeconds(6 * 30 * 24 * 3600); - services.setUseSecureCookie(false); // TODO set true if https is supports - - return services; - } - @Bean - public HashParamAuthenticationFilter hashParamAuthenticationFilter() throws Exception { - return new HashParamAuthenticationFilter(userService, rememberMeServices()); - } - @Configuration @Order(1) @@ -102,10 +84,16 @@ public class SecurityConfig { RememberMeServices rememberMeServices(){ return new RequestParamHashRememberMeServices(rememberMeKey, userService); } + @Bean + public HashParamAuthenticationFilter hashParamAuthenticationFilter() { + return new HashParamAuthenticationFilter(userService, rememberMeServices()); + } @Override protected void configure(HttpSecurity http) throws Exception { - http.antMatcher("/api/**").authorizeRequests() + http.antMatcher("/api/**") + .addFilterBefore(hashParamAuthenticationFilter(), BasicAuthenticationFilter.class) + .authorizeRequests() .antMatchers(HttpMethod.OPTIONS).permitAll() .antMatchers("/api/", "/api/messages", "/api/users", "/api/thread", "/api/tags", "/api/tlgmbtwbhk", "/api/fbwbhk", "/api/skypebotendpoint", "/api/_fblogin", "/api/_vklogin", "/api/_tglogin", "/api/u/**", "/.well-known/webfinger").permitAll() @@ -155,17 +143,35 @@ public class SecurityConfig { @Configuration public static class WebConfig extends WebSecurityConfigurerAdapter { - @Inject - private RememberMeServices rememberMeServices; @Value("${auth_remember_me_key:secret}") private String rememberMeKey; @Value("${web_domain:localhost}") private String webDomain; @Resource private UserService userService; + @Inject + private UserDetailsService userDetailsService; + @Bean + public HashParamAuthenticationFilter hashParamAuthenticationFilter() { + return new HashParamAuthenticationFilter(userService, rememberMeServices()); + } + @Bean + public RememberMeServices rememberMeServices() { + TokenBasedRememberMeServices services = new TokenBasedRememberMeServices( + rememberMeKey, userDetailsService); + + services.setCookieName(COOKIE_NAME); + services.setCookieDomain(webDomain); + services.setAlwaysRemember(true); + services.setTokenValiditySeconds(6 * 30 * 24 * 3600); + services.setUseSecureCookie(false); // TODO set true if https is supports + + return services; + } @Override protected void configure(HttpSecurity http) throws Exception { http + .addFilterBefore(hashParamAuthenticationFilter(), BasicAuthenticationFilter.class) .authorizeRequests() .antMatchers("/settings", "/pm/**", "/**/bl", "/_twitter", "/post", "/post2", "/comment") .authenticated() @@ -192,7 +198,7 @@ public class SecurityConfig { .and() .rememberMe() .rememberMeCookieDomain(webDomain).key(rememberMeKey) - .rememberMeServices(rememberMeServices) + .rememberMeServices(rememberMeServices()) .and() .csrf().disable() .headers().defaultsDisabled().cacheControl(); -- cgit v1.2.3