Finalized security. Resolved all issues

This commit is contained in:
Nikolaos Laskaris 2017-10-16 17:57:17 +03:00
parent 7bebf8b84b
commit d3c85a08b7
5 changed files with 32 additions and 11 deletions

View File

@ -8,7 +8,6 @@ import java.util.stream.Collectors;
import javax.transaction.Transactional;
import org.apache.commons.lang3.SerializationUtils;
import org.junit.internal.builders.AllDefaultPossibilitiesBuilder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;

View File

@ -32,11 +32,9 @@ public class CustomAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
if (authentication != null) {
String token = (String)authentication.getCredentials();
TokenValidator tokenValidator = null;
if(TokenAuthenticationFilter.HEADER_GOOGLE_TOKEN_FIELD.equals(authentication.getPrincipal()))
@ -61,6 +59,7 @@ public class CustomAuthenticationProvider implements AuthenticationProvider {
// if reached this point, authentication is ok, so return just an instance with whatever.
return new UsernamePasswordAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(), new ArrayList<>());
}
else
throw new AuthenticationServiceException("Authentication failed");

View File

@ -7,6 +7,7 @@ import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
@ -15,19 +16,19 @@ import org.springframework.web.filter.GenericFilterBean;
public class TokenAuthenticationFilter extends GenericFilterBean {
// public static final String HEADER_TOKEN_FIELD = "Authorization";
public static final String HEADER_NATIVE_TOKEN_FIELD = "native-token";
public static final String HEADER_GOOGLE_TOKEN_FIELD = "google-token";
public static final char HEADERNAME_USERNAME_DELIMITER = 0x1e; //specially crafted delimiter
@Override
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {
final HttpServletRequest httpRequest = (HttpServletRequest) request;
final HttpServletRequest httpRequest = (HttpServletRequest) request;
String nativeToken = httpRequest.getHeader(HEADER_NATIVE_TOKEN_FIELD);
String googleToken = httpRequest.getHeader(HEADER_GOOGLE_TOKEN_FIELD);
//just pass the header, the username and the token into the credentials object of the UsernamePasswordAuthenticationToken class
UsernamePasswordAuthenticationToken authentication = null;
if(nativeToken != null)
@ -35,11 +36,30 @@ public class TokenAuthenticationFilter extends GenericFilterBean {
if(googleToken != null)
authentication = new UsernamePasswordAuthenticationToken(HEADER_GOOGLE_TOKEN_FIELD, googleToken);
SecurityContextHolder.getContext().setAuthentication(authentication);
chain.doFilter(request, response);
final HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.setHeader("Access-Control-Allow-Origin", "*");
httpResponse.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
httpResponse.setHeader("Access-Control-Max-Age", "7200");
httpResponse.setHeader("Access-Control-Allow-Headers", "content-type, "+HEADER_NATIVE_TOKEN_FIELD+", "+HEADER_GOOGLE_TOKEN_FIELD);
// httpResponse.addHeader("Access-Control-Expose-Headers", "xsrf-token , " +HEADER_NATIVE_TOKEN_FIELD+", "+HEADER_GOOGLE_TOKEN_FIELD);
if ("OPTIONS".equals(httpRequest.getMethod())) {
httpResponse.setStatus(HttpServletResponse.SC_OK);
}
else {
chain.doFilter(httpRequest, httpResponse);
}
}
}

View File

@ -17,6 +17,10 @@
<http use-expressions="true" create-session="stateless" auto-config='true'>
<!-- Default to Spring MVC's CORS configuration -->
<cors />
<custom-filter after="BASIC_AUTH_FILTER" ref="tokenAuthenticationFilter" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<http-basic/>

View File

@ -54,8 +54,7 @@
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext.xml,/WEB-INF/spring-security.xml
</param-value>
<param-value>/WEB-INF/applicationContext.xml,/WEB-INF/spring-security.xml</param-value>
</context-param>
<session-config>
<session-timeout>30</session-timeout>