From 086d9a7625bfc5a386f5b1028d364fb546c2fa9d Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Wed, 4 Jan 2023 03:37:05 +0300
Subject: JWT authentication for API
---
.../service/security/BaseAuthenticationFilter.java | 33 +++++++++
.../security/BearerTokenAuthenticationFilter.java | 82 ++++++++++++++++++++++
.../HTTPSignatureAuthenticationFilter.java | 23 ++----
.../security/HashParamAuthenticationFilter.java | 23 ++----
4 files changed, 128 insertions(+), 33 deletions(-)
create mode 100644 src/main/java/com/juick/service/security/BaseAuthenticationFilter.java
create mode 100644 src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java
(limited to 'src/main/java/com/juick/service/security')
diff --git a/src/main/java/com/juick/service/security/BaseAuthenticationFilter.java b/src/main/java/com/juick/service/security/BaseAuthenticationFilter.java
new file mode 100644
index 00000000..7bfc39b2
--- /dev/null
+++ b/src/main/java/com/juick/service/security/BaseAuthenticationFilter.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2008-2023, Juick
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package com.juick.service.security;
+
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+public abstract class BaseAuthenticationFilter extends OncePerRequestFilter {
+ boolean authenticationIsRequired() {
+ Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
+
+ return existingAuth == null ||
+ !existingAuth.isAuthenticated() ||
+ existingAuth instanceof AnonymousAuthenticationToken;
+ }
+}
diff --git a/src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java b/src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java
new file mode 100644
index 00000000..2e96a594
--- /dev/null
+++ b/src/main/java/com/juick/service/security/BearerTokenAuthenticationFilter.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2008-2023, Juick
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package com.juick.service.security;
+
+import com.juick.service.UserService;
+import com.juick.service.security.entities.JuickUser;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.Jwts;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import javax.annotation.Nonnull;
+import java.io.IOException;
+import java.security.KeyPair;
+import java.util.Collections;
+import java.util.stream.Collectors;
+
+public class BearerTokenAuthenticationFilter extends BaseAuthenticationFilter {
+ private static final Logger logger = LoggerFactory.getLogger("Auth");
+ private final JwtParser jwtParser;
+ private final UserService userService;
+
+ public BearerTokenAuthenticationFilter(UserService userService, KeyPair keys) {
+ this.userService = userService;
+ this.jwtParser = Jwts.parserBuilder()
+ .setSigningKey(keys.getPrivate())
+ .build();
+ }
+
+ @Override
+ protected void doFilterInternal(@Nonnull HttpServletRequest request,
+ @Nonnull HttpServletResponse response,
+ @Nonnull FilterChain filterChain) throws ServletException, IOException {
+ if (authenticationIsRequired()) {
+ var headers = Collections.list(request.getHeaderNames())
+ .stream()
+ .collect(Collectors.toMap(String::toLowerCase, request::getHeader));
+ var authorizationHeaderValue = headers.get("authorization");
+ if (StringUtils.isNotEmpty(authorizationHeaderValue) && authorizationHeaderValue.startsWith("Bearer")) {
+ String token = authorizationHeaderValue.substring(7);
+ try {
+ var claims = jwtParser.parseClaimsJws(token).getBody();
+ var user = userService.getUserByName(claims.getSubject());
+ if (!user.isAnonymous()) {
+ Authentication authentication = new UsernamePasswordAuthenticationToken(
+ new JuickUser(user),
+ user.getCredentials(),
+ JuickUser.USER_AUTHORITY);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+ }
+ } catch (Exception e) {
+ logger.warn("Invalid Bearer token: {}", e.getMessage());
+ }
+ }
+ }
+ filterChain.doFilter(request, response);
+ }
+}
diff --git a/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java b/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java
index 92e26406..5f6a730e 100644
--- a/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java
+++ b/src/main/java/com/juick/service/security/HTTPSignatureAuthenticationFilter.java
@@ -17,21 +17,19 @@
package com.juick.service.security;
-import com.juick.model.User;
import com.juick.SignatureManager;
+import com.juick.model.User;
import com.juick.service.UserService;
import com.juick.service.security.entities.JuickUser;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.web.filter.OncePerRequestFilter;
-
-import jakarta.servlet.FilterChain;
-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
import javax.annotation.Nonnull;
import java.io.IOException;
@@ -39,7 +37,7 @@ import java.util.Collections;
import java.util.Map;
import java.util.stream.Collectors;
-public class HTTPSignatureAuthenticationFilter extends OncePerRequestFilter {
+public class HTTPSignatureAuthenticationFilter extends BaseAuthenticationFilter {
private final SignatureManager signatureManager;
private final UserService userService;
@@ -69,6 +67,7 @@ public class HTTPSignatureAuthenticationFilter extends OncePerRequestFilter {
new JuickUser(user), userWithPassword.getCredentials(), JuickUser.USER_AUTHORITY);
SecurityContextHolder.getContext().setAuthentication(authentication);
} else {
+ // anonymous must have with uri
Authentication authentication = new AnonymousAuthenticationToken(userUri,
new JuickUser(user), JuickUser.ANONYMOUS_AUTHORITY);
SecurityContextHolder.getContext().setAuthentication(authentication);
@@ -79,12 +78,4 @@ public class HTTPSignatureAuthenticationFilter extends OncePerRequestFilter {
filterChain.doFilter(request, response);
}
-
- private boolean authenticationIsRequired() {
- Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
-
- return existingAuth == null ||
- !existingAuth.isAuthenticated() ||
- existingAuth instanceof AnonymousAuthenticationToken;
- }
}
diff --git a/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java b/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java
index 0f4ac66f..06f5edf4 100644
--- a/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java
+++ b/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java
@@ -20,10 +20,14 @@ package com.juick.service.security;
import com.juick.model.User;
import com.juick.service.UserService;
import com.juick.service.security.entities.JuickUser;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.springframework.lang.NonNull;
import org.springframework.lang.Nullable;
-import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
@@ -31,20 +35,14 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.util.Assert;
-import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;
-import jakarta.servlet.FilterChain;
-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.Cookie;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* Created by aalexeev on 4/5/17.
*/
-public class HashParamAuthenticationFilter extends OncePerRequestFilter {
+public class HashParamAuthenticationFilter extends BaseAuthenticationFilter {
public static final String PARAM_NAME = "hash";
@@ -85,7 +83,6 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter {
userWithPassword.getCredentials(),
JuickUser.USER_AUTHORITY);
SecurityContextHolder.getContext().setAuthentication(authentication);
-
}
}
}
@@ -93,14 +90,6 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter {
filterChain.doFilter(request, response);
}
- private boolean authenticationIsRequired() {
- Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
-
- return existingAuth == null ||
- !existingAuth.isAuthenticated() ||
- existingAuth instanceof AnonymousAuthenticationToken;
- }
-
private String hashFromAuthorizationHeader(HttpServletRequest request) {
String authorizationHeader = request.getHeader("Authorization");
if (StringUtils.isNotEmpty(authorizationHeader)) {
--
cgit v1.2.3