From 9241901c9367259eebf1128c0693f9bc3f3597a5 Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Sun, 27 Nov 2016 19:57:28 +0300
Subject: juick-api: add hash-based authentication filter

---
 .../juick/api/configuration/ApiSecurityConfig.java | 8 +++-
 .../juick/api/configuration/JuickHashFilter.java | 44 ++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 juick-api/src/main/java/com/juick/api/configuration/JuickHashFilter.java

(limited to 'juick-api/src/main/java/com/juick/api/configuration')

diff --git a/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java
index d7904199..cd5e3bbc 100644
--- a/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java
+++ b/juick-api/src/main/java/com/juick/api/configuration/ApiSecurityConfig.java
@@ -12,6 +12,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import javax.inject.Inject;
@@ -33,7 +34,8 @@ public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests()
+ http.addFilterBefore(getJuickHashFilter(), UsernamePasswordAuthenticationFilter.class)
+ .authorizeRequests()
 .antMatchers(HttpMethod.OPTIONS).permitAll()
 .anyRequest().hasRole("USER")
 .and().httpBasic().authenticationEntryPoint(getJuickAuthenticationEntryPoint())
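Review bot: The filter passed to `addFilterBefore` is the `@Bean` exposed by `getJuickHashFilter()` in the next hunk, and if this application is served by Spring Boot a `Filter` bean is additionally registered with the servlet container on its own, so the hash filter would run twice per request and, on the container path, outside the security chain entirely. Whether Boot is in use cannot be confirmed from this hunk; if it is, wrap the bean in a `FilterRegistrationBean` with `setEnabled(false)`, or construct the filter inside `configure` without exposing it as a bean and hand it `UserService` explicitly. The body of `configure` continues outside the hunk.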
@@ -49,4 +51,8 @@ public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
 public JuickAuthenticationEntryPoint getJuickAuthenticationEntryPoint() {
 return new JuickAuthenticationEntryPoint();
 }
+ @Bean
+ public JuickHashFilter getJuickHashFilter() {
+ return new JuickHashFilter();
+ }
 }
diff --git a/juick-api/src/main/java/com/juick/api/configuration/JuickHashFilter.java b/juick-api/src/main/java/com/juick/api/configuration/JuickHashFilter.java
new file mode 100644
index 00000000..62e6f3d2
--- /dev/null
+++ b/juick-api/src/main/java/com/juick/api/configuration/JuickHashFilter.java
@@ -0,0 +1,44 @@
+package com.juick.api.configuration;
+
+import com.juick.User;
+import com.juick.service.UserService;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
+import org.springframework.web.filter.GenericFilterBean;
+
+import javax.inject.Inject;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Created by vitalyster on 27.11.2016.
+ */
+public class JuickHashFilter extends GenericFilterBean {
+ @Inject
+ UserService userService;
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ String hash = request.getParameter("hash");
+ if (hash != null) {
+ User user = userService.getUserByHash(hash);
+ if (user.getUid() > 0) {
+ List authorities = Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"));
+ UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getName(), null);
+ token.setDetails(new WebAuthenticationDetails((HttpServletRequest) request));
+ SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(user.getName(), null, authorities));
+ }
+ }
+ chain.doFilter(request, response);
+ }
+ }
-- 
cgit v1.2.3
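Review bot: The `WebAuthenticationDetails` attached to `token` never reach the security context, because the `setAuthentication` call on the following line builds a second, separate `UsernamePasswordAuthenticationToken`; the first token is dead code and the request details (remote address, session id) that an audit trail of hash-based logins would rely on are dropped. Store the single token instead: `UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getName(), null, authorities);` `token.setDetails(new WebAuthenticationDetails((HttpServletRequest) request));` `SecurityContextHolder.getContext().setAuthentication(token);`. `authorities` should be declared as `List<GrantedAuthority>` rather than the raw `List`, which also makes the otherwise unused `GrantedAuthority` import meaningful (`SecurityContext` is imported and unused). Two points to confirm against `UserService`, which is not on the page: `user.getUid()` is dereferenced with no null check, so a `getUserByHash` that returns `null` for an unknown hash would turn a bad credential into a 500 instead of the 401 the entry point is there to produce; and `request.getParameter("hash")` accepts the credential from the query string, where it ends up in access logs, proxy logs and browser history, so restricting it to a request header or the POST body, or documenting why the query string is accepted, is worth considering.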