From f1441981e77e3463f12c10241b9e6c90307141d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Dall=27Asta?=
Date: Thu, 27 Apr 2023 00:45:27 -0300
Subject: [PATCH 1/2] refactor guest routes

---
 .../security/config/JwtAuthenticationFilter.java | 13 ++++++++-----
 .../security/config/SecurityConfiguration.java | 4 ++--
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/main/java/com/alibou/security/config/JwtAuthenticationFilter.java b/src/main/java/com/alibou/security/config/JwtAuthenticationFilter.java
index d6e55d1..1431d7b 100644
--- a/src/main/java/com/alibou/security/config/JwtAuthenticationFilter.java
+++ b/src/main/java/com/alibou/security/config/JwtAuthenticationFilter.java
@@ -9,6 +9,7 @@
 import java.beans.Transient;
 import java.io.IOException;
 import java.security.Security;
+import java.util.Arrays;
 
 import jakarta.transaction.TransactionScoped;
 import jakarta.transaction.Transactional;
@@ -36,17 +37,19 @@ protected void doFilterInternal(
 @NonNull HttpServletResponse response,
 @NonNull FilterChain filterChain
 ) throws ServletException, IOException {
- if (request.getServletPath().contains("/api/v1/auth")) {
- filterChain.doFilter(request, response);
- return;
- }
 final String authHeader = request.getHeader("Authorization");
 final String jwt;
 final String userEmail;
- if (authHeader == null ||!authHeader.startsWith("Bearer ")) {
+
+ if(
+ Arrays.asList(SecurityConfiguration.whiteListedRoutes).contains(request.getServletPath()) ||
+ authHeader == null ||
+ !authHeader.startsWith("Bearer ")
+ ) {
 filterChain.doFilter(request, response);
 return;
 }
+
 jwt = authHeader.substring(7);
 userEmail = jwtService.extractUsername(jwt);
 if (userEmail != null && SecurityContextHolder.getContext().getAuthentication() == null) {
diff --git a/src/main/java/com/alibou/security/config/SecurityConfiguration.java b/src/main/java/com/alibou/security/config/SecurityConfiguration.java
index ba4d13a..252590e 100644
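Review bot: The whitelist test in the new condition of the `@@ -36,17 +37,19 @@` hunk compares each `SecurityConfiguration.whiteListedRoutes` entry literally against `request.getServletPath()`, so the pattern `/api/v1/auth/**` never equals a real path and the public-route branch is dead as committed; the second patch on this page replaces it with an AntPathMatcher, so what remains to raise here is intent. The condition now merges two unrelated reasons for handing the request on (a public route versus a missing Bearer header) and nothing records why public routes skip token parsing altogether; a comment above `if(` such as `// Public routes are permitAll in SecurityConfiguration; skip JWT parsing so a token sent to them is never evaluated here` would capture that. doFilterInternal's signature begins before this hunk and its body continues after it.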
--- a/src/main/java/com/alibou/security/config/SecurityConfiguration.java
+++ b/src/main/java/com/alibou/security/config/SecurityConfiguration.java
@@ -1,6 +1,5 @@
 package com.alibou.security.config;
 
-import jakarta.servlet.Filter;
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -21,6 +20,7 @@ public class SecurityConfiguration {
 private final JwtAuthenticationFilter jwtAuthFilter;
 private final AuthenticationProvider authenticationProvider;
 private final LogoutHandler logoutHandler;
+ public static final String[] whiteListedRoutes = new String[]{"/api/v1/auth/**"};
 
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
@@ -28,7 +28,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 .csrf()
 .disable()
 .authorizeHttpRequests()
- .requestMatchers("/api/v1/auth/**")
+ .requestMatchers(whiteListedRoutes)
 .permitAll()
 .anyRequest()
 .authenticated()

From 089e5dd0a8046953b2951bab5ba0fdb6cebad279 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Dall=27Asta?=
Date: Sat, 6 May 2023 17:18:40 -0300
Subject: [PATCH 2/2] fix broken whitelistt route filtering

---
 .../com/alibou/security/config/JwtAuthenticationFilter.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/alibou/security/config/JwtAuthenticationFilter.java b/src/main/java/com/alibou/security/config/JwtAuthenticationFilter.java
index 1431d7b..a1c87cc 100644
--- a/src/main/java/com/alibou/security/config/JwtAuthenticationFilter.java
+++ b/src/main/java/com/alibou/security/config/JwtAuthenticationFilter.java
@@ -22,6 +22,7 @@
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.util.AntPathMatcher;
 
 @Component
 @RequiredArgsConstructor
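Review bot: `whiteListedRoutes` in the `@@ -21,6 +20,7 @@` hunk is a public static array, and arrays are mutable, so any code in the process can overwrite an element and both the permitAll rule in securityFilterChain and the bypass in JwtAuthenticationFilter would silently follow; since this field is now the single definition of the unauthenticated surface it should be immutable and named as a constant, e.g. `public static final List<String> WHITE_LISTED_ROUTES = List.of("/api/v1/auth/**");` (with `java.util.List` imported) and `.requestMatchers(WHITE_LISTED_ROUTES.toArray(String[]::new))` in the `@@ -28,7 +28,7 @@` hunk, with the filter's `Arrays.asList(...)` call updated to read the list directly. A short comment on the field, `// Routes reachable without authentication; consumed by both the authorization rules below and JwtAuthenticationFilter`, would make the coupling explicit. The class header and most of securityFilterChain lie outside these hunks.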
@@ -31,6 +32,8 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
 private final UserDetailsService userDetailsService;
 private final TokenRepository tokenRepository;
 
+ private final AntPathMatcher antPathMatcher = new AntPathMatcher();
+
 @Override
 protected void doFilterInternal(
 @NonNull HttpServletRequest request,
@@ -42,7 +45,7 @@ protected void doFilterInternal(
 final String userEmail;
 
 if(
- Arrays.asList(SecurityConfiguration.whiteListedRoutes).contains(request.getServletPath()) ||
+ Arrays.stream(SecurityConfiguration.whiteListedRoutes).anyMatch(route -> antPathMatcher.match(route, req.getServletPath())) ||
 authHeader == null ||
 !authHeader.startsWith("Bearer ")
 ) {
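Review bot: The new predicate in the `@@ -42,7 +45,7 @@` hunk calls `req.getServletPath()`, but the parameter of doFilterInternal is named `request` (the preceding hunk's context shows `@NonNull HttpServletRequest request`), so unless a `req` field exists somewhere outside these hunks this line does not compile; it should read `Arrays.stream(SecurityConfiguration.whiteListedRoutes).anyMatch(route -> antPathMatcher.match(route, request.getServletPath())) ||`. Separately, the filter now decides "public route" with an AntPathMatcher over the servlet path while `requestMatchers(String...)` in SecurityConfiguration may resolve the same patterns through a different, possibly MVC-aware matcher and path form, so the two can disagree on edge cases such as trailing slashes or a non-root servlet mapping; as far as these hunks show, a disagreement only changes whether the JWT is parsed, because authorization is still decided by securityFilterChain, but that assumption is worth a comment next to the field added in the `@@ -31,6 +32,8 @@` hunk. The body of the `if` and the rest of doFilterInternal lie outside the hunk.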