Finalized security. Resolved all issues

2017-10-16 17:57:17 +03:00 · 2017-10-16 17:57:17 +03:00 · d3c85a08b7
parent 7bebf8b84b
commit d3c85a08b7
5 changed files with 32 additions and 11 deletions
--- a/dmp-backend/src/main/java/rest/entities/DMPs.java
+++ b/dmp-backend/src/main/java/rest/entities/DMPs.java
@ -8,7 +8,6 @@ import java.util.stream.Collectors;
 import javax.transaction.Transactional;

 import org.apache.commons.lang3.SerializationUtils;
-import org.junit.internal.builders.AllDefaultPossibilitiesBuilder;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
--- a/dmp-backend/src/main/java/security/CustomAuthenticationProvider.java
+++ b/dmp-backend/src/main/java/security/CustomAuthenticationProvider.java
@ -32,11 +32,9 @@ public class CustomAuthenticationProvider implements AuthenticationProvider {
 	@Override
 	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
 		
-
 		if (authentication != null) {
 			
 			String token = (String)authentication.getCredentials();
-			
 			TokenValidator tokenValidator = null;
 			
 			if(TokenAuthenticationFilter.HEADER_GOOGLE_TOKEN_FIELD.equals(authentication.getPrincipal())) 
@ -61,6 +59,7 @@ public class CustomAuthenticationProvider implements AuthenticationProvider {
 			
 			// if reached this point, authentication is ok, so return just an instance with whatever.
 			return new UsernamePasswordAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(), new ArrayList<>());
+			
 		}
 		else
 			throw new AuthenticationServiceException("Authentication failed");
--- a/dmp-backend/src/main/java/security/TokenAuthenticationFilter.java
+++ b/dmp-backend/src/main/java/security/TokenAuthenticationFilter.java
@ -7,6 +7,7 @@ import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;

 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
@ -15,19 +16,19 @@ import org.springframework.web.filter.GenericFilterBean;

 public class TokenAuthenticationFilter extends GenericFilterBean {
 	
+//	public static final String HEADER_TOKEN_FIELD = "Authorization";
+	
 	public static final String HEADER_NATIVE_TOKEN_FIELD = "native-token";
 	public static final String HEADER_GOOGLE_TOKEN_FIELD = "google-token";
-	
 	public static final char HEADERNAME_USERNAME_DELIMITER = 0x1e;  //specially crafted delimiter
 	
 	@Override
 	public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException	{
 		
-		final HttpServletRequest httpRequest = (HttpServletRequest) request;
-
+        final HttpServletRequest httpRequest = (HttpServletRequest) request;
+		
 		String nativeToken = httpRequest.getHeader(HEADER_NATIVE_TOKEN_FIELD);
 		String googleToken = httpRequest.getHeader(HEADER_GOOGLE_TOKEN_FIELD);
-		
 		//just pass the header, the username and the token into the credentials object of the UsernamePasswordAuthenticationToken class
 		UsernamePasswordAuthenticationToken authentication = null;
 		if(nativeToken != null)
@ -35,11 +36,30 @@ public class TokenAuthenticationFilter extends GenericFilterBean {
 		if(googleToken != null)
 			authentication = new UsernamePasswordAuthenticationToken(HEADER_GOOGLE_TOKEN_FIELD, googleToken);
 		
-		
 		SecurityContextHolder.getContext().setAuthentication(authentication);
-		chain.doFilter(request, response);
+		
+		
+		
+		final HttpServletResponse httpResponse = (HttpServletResponse) response;
+		
+		httpResponse.setHeader("Access-Control-Allow-Origin", "*");
+		httpResponse.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+		httpResponse.setHeader("Access-Control-Max-Age", "7200");
+		httpResponse.setHeader("Access-Control-Allow-Headers", "content-type, "+HEADER_NATIVE_TOKEN_FIELD+", "+HEADER_GOOGLE_TOKEN_FIELD);
+//		httpResponse.addHeader("Access-Control-Expose-Headers", "xsrf-token , " +HEADER_NATIVE_TOKEN_FIELD+", "+HEADER_GOOGLE_TOKEN_FIELD);
+		
+		
+        if ("OPTIONS".equals(httpRequest.getMethod())) {
+        	httpResponse.setStatus(HttpServletResponse.SC_OK);
+        } 
+        else { 
+        	chain.doFilter(httpRequest, httpResponse);
+        }

 		
 	}
+	
+	
+	

 }
--- a/dmp-backend/src/main/webapp/WEB-INF/spring-security.xml
+++ b/dmp-backend/src/main/webapp/WEB-INF/spring-security.xml
@ -17,6 +17,10 @@
 
 	
 	<http use-expressions="true" create-session="stateless" auto-config='true'>
+	
+		<!-- Default to Spring MVC's CORS configuration -->
+		<cors />
+	
 		<custom-filter after="BASIC_AUTH_FILTER" ref="tokenAuthenticationFilter" />
 	     <intercept-url pattern="/**" access="isAuthenticated()" />
 	     <http-basic/>
--- a/dmp-backend/src/main/webapp/WEB-INF/web.xml
+++ b/dmp-backend/src/main/webapp/WEB-INF/web.xml
@ -54,8 +54,7 @@

  <context-param>
    <param-name>contextConfigLocation</param-name>
-    <param-value>/WEB-INF/applicationContext.xml,/WEB-INF/spring-security.xml 
-    </param-value>
+    <param-value>/WEB-INF/applicationContext.xml,/WEB-INF/spring-security.xml</param-value>
  </context-param>
  <session-config>
    <session-timeout>30</session-timeout>