NFC-82 Signing cert conf logic to Auth Init Filter

Signed-off-by: Sander Kondratjev <[email protected]>

Author: SanderKondratjevNortal

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -55,7 +55,8 @@ public SecurityFilterChain filterChain(
         AuthenticationConfiguration authConfig,
         ChallengeNonceGenerator challengeNonceGenerator,
         ITemplateEngine templateEngine,
-        JakartaServletWebApplication webApp
+        JakartaServletWebApplication webApp,
+        WebEidMobileProperties webEidMobileProperties
     ) throws Exception {
         return http
             .authorizeHttpRequests(auth -> auth
@@ -64,7 +65,7 @@ public SecurityFilterChain filterChain(
                 .anyRequest().authenticated()
             )
             .authenticationProvider(webEidAuthenticationProvider)
-            .addFilterBefore(new WebEidMobileAuthInitFilter("/auth/mobile/init", "/auth/mobile/login", challengeNonceGenerator), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidMobileAuthInitFilter("/auth/mobile/init", "/auth/mobile/login", challengeNonceGenerator, webEidMobileProperties), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(new WebEidChallengeNonceFilter("/auth/challenge", challengeNonceGenerator), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(new WebEidLoginPageGeneratingFilter("/auth/mobile/login", "/auth/login", templateEngine, webApp), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager()), UsernamePasswordAuthenticationFilter.class)

example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java

@@ -57,12 +57,10 @@ public class WebEidAuthenticationProvider implements AuthenticationProvider {
 
     private final AuthTokenValidator tokenValidator;
     private final ChallengeNonceStore challengeNonceStore;
-    private final WebEidMobileProperties webEidMobileProperties;
 
     public WebEidAuthenticationProvider(AuthTokenValidator tokenValidator, ChallengeNonceStore challengeNonceStore, WebEidMobileProperties webEidMobileProperties) {
         this.tokenValidator = tokenValidator;
         this.challengeNonceStore = challengeNonceStore;
-        this.webEidMobileProperties = webEidMobileProperties;
     }
 
     @Override
@@ -84,11 +82,6 @@ public Authentication authenticate(Authentication auth) throws AuthenticationExc
                 .map(WebEidAuthToken::getSupportedSignatureAlgorithms)
                 .orElse(null);
 
-            if (webEidMobileProperties.requestSigningCert()) {
-                LOG.info("request-signing-cert=true -> Skipping signing certificate in authentication (demo mode)");
-                return WebEidAuthentication.fromCertificate(userCertificate, null, null, authorities);
-            }
-
             return WebEidAuthentication.fromCertificate(userCertificate, signingCertificate, supportedSignatureAlgorithms, authorities);
         } catch (AuthTokenException e) {
             throw new AuthenticationServiceException("Web eID token validation failed", e);

example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java

@@ -25,6 +25,7 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.ObjectWriter;
+import eu.webeid.example.config.WebEidMobileProperties;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
@@ -47,11 +48,13 @@ public final class WebEidMobileAuthInitFilter extends OncePerRequestFilter {
     private final RequestMatcher requestMatcher;
     private final ChallengeNonceGenerator nonceGenerator;
     private final String mobileLoginPath;
+    private final WebEidMobileProperties webEidMobileProperties;
 
-    public WebEidMobileAuthInitFilter(String path, String mobileLoginPath, ChallengeNonceGenerator nonceGenerator) {
+    public WebEidMobileAuthInitFilter(String path, String mobileLoginPath, ChallengeNonceGenerator nonceGenerator, WebEidMobileProperties webEidMobileProperties) {
         this.requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, path);
         this.nonceGenerator = nonceGenerator;
         this.mobileLoginPath = mobileLoginPath;
+        this.webEidMobileProperties = webEidMobileProperties;
     }
 
     @Override
@@ -68,8 +71,10 @@ protected void doFilterInternal(@NonNull HttpServletRequest request,
         String loginUri = ServletUriComponentsBuilder.fromCurrentContextPath()
             .path(mobileLoginPath).build().toUriString();
 
+        boolean getSigningCertificate = webEidMobileProperties.requestSigningCert();
+
         String payloadJson = OBJECT_WRITER.writeValueAsString(
-            new AuthPayload(challenge.getBase64EncodedNonce(), loginUri)
+            new AuthPayload(challenge.getBase64EncodedNonce(), loginUri, getSigningCertificate)
         );
         String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
         String eidAuthUri = "web-eid-mobile://auth#" + encoded;
@@ -78,7 +83,10 @@ protected void doFilterInternal(@NonNull HttpServletRequest request,
         OBJECT_WRITER.writeValue(response.getWriter(), new AuthUri(eidAuthUri));
     }
 
-    record AuthPayload(String challenge, @JsonProperty("login_uri") String loginUri) {
+    record AuthPayload(
+        String challenge,
+        @JsonProperty("login_uri") String loginUri,
+        @JsonProperty("get_signing_certificate") boolean getSigningCertificate) {
     }
 
     record AuthUri(@JsonProperty("auth_uri") String authUri) {