/* * Copyright (C) 2008-2017, Juick * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as * published by the Free Software Foundation, either version 3 of the * License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License * along with this program. If not, see . */ package com.juick.service.security; import com.juick.User; import com.juick.service.security.entities.JuickUser; import com.juick.service.UserService; import org.springframework.security.authentication.AnonymousAuthenticationToken; import org.springframework.security.authentication.RememberMeAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices; import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; import org.springframework.web.util.WebUtils; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; /** * Created by aalexeev on 4/5/17. */ public class HashParamAuthenticationFilter extends OncePerRequestFilter { public static final String PARAM_NAME = "hash"; private final UserService userService; private final RememberMeServices rememberMeServices; public HashParamAuthenticationFilter( final UserService userService, final RememberMeServices rememberMeServices) { Assert.notNull(userService, "userService should not be null"); Assert.notNull(rememberMeServices, "rememberMeServices should not be null"); this.userService = userService; this.rememberMeServices = rememberMeServices; } @Override protected void doFilterInternal( HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { String hash = getHashFromRequest(request); if (hash != null && authenticationIsRequired()) { User user = userService.getUserByHash(hash); if (!user.isAnonymous()) { User userWithPassword = userService.getFullyUserByName(user.getName()); userWithPassword.setAuthHash(userService.getHashForUser(userWithPassword)); Authentication authentication = new RememberMeAuthenticationToken( ((AbstractRememberMeServices)rememberMeServices).getKey(), new JuickUser(userWithPassword), JuickUser.USER_AUTHORITY); SecurityContextHolder.getContext().setAuthentication(authentication); rememberMeServices.loginSuccess(request, response, authentication); } } filterChain.doFilter(request, response); } private boolean authenticationIsRequired() { Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication(); return existingAuth == null || !existingAuth.isAuthenticated() || existingAuth instanceof AnonymousAuthenticationToken; } private String getHashFromRequest(HttpServletRequest request) { String paramHash = request.getParameter(PARAM_NAME); Cookie cookieHash = WebUtils.getCookie(request, PARAM_NAME); if (paramHash == null && cookieHash != null) { return cookieHash.getValue(); } return paramHash; } }