NFC-47 Update requestMatchers to match actual static resource folders. Remove unnecessary permitAll matchers for filter-handled auth endpoints. Unify filter registration. Remove cookieFlagsInitializer. Format isMobileDevice block for readability. Rename matcher to requestMatcher in filters for consistency and clarity. Remove unnecessary WebAuthenticationDetails from token in login filter. Remove redundant ChallengeNonceStore from WebEidMobileAuthInitFilter. Fix tests. Use signing cert for ObjectMother.

SanderKondratjevNortal · SanderKondratjevNortal · commit c2c8aa6b533c · 2025-09-04T14:22:53.000+03:00
diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -31,40 +31,37 @@
 import eu.webeid.security.challenge.ChallengeNonceStore;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
-import org.springframework.security.web.csrf.CsrfFilter;
 
 @Configuration
 @EnableWebSecurity
 public class ApplicationConfiguration {
 
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig, ChallengeNonceGenerator challengeNonceGenerator, ChallengeNonceStore challengeNonceStore) throws Exception {
-
-        var filter = new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager());
-
+    public SecurityFilterChain filterChain(
+        HttpSecurity http,
+        AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider,
+        AuthenticationConfiguration authConfig,
+        ChallengeNonceGenerator challengeNonceGenerator
+    ) throws Exception {
         return http
             .authorizeHttpRequests(auth -> auth
-                .requestMatchers("/css/**", "/js/**", "/images/**", "/webjars/**", "/favicon.*", "/icon-*").permitAll()
+                .requestMatchers("/css/**", "/files/**", "/img/**", "/js/**", "/scripts/**").permitAll()
                 .requestMatchers("/", "/error").permitAll()
-                .requestMatchers(HttpMethod.GET, "/auth/eid/login").permitAll()
-                .requestMatchers("/auth/login").permitAll()
                 .requestMatchers("/welcome").hasRole("USER")
                 .anyRequest().authenticated()
             )
             .authenticationProvider(authTokenDTOAuthenticationProvider)
-            .addFilterBefore(new WebEidLoginPageGeneratingFilter(), UsernamePasswordAuthenticationFilter.class)
-            .addFilterBefore(new WebEidChallengeNonceFilter(challengeNonceGenerator), AuthorizationFilter.class)
-            .addFilterAfter(new WebEidMobileAuthInitFilter(challengeNonceGenerator, challengeNonceStore), CsrfFilter.class)
-            .addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidMobileAuthInitFilter("/auth/mobile/auth/init", challengeNonceGenerator), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidChallengeNonceFilter("/auth/challenge", challengeNonceGenerator), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidLoginPageGeneratingFilter("/auth/mobile/login"), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager()), UsernamePasswordAuthenticationFilter.class)
             .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
             .logout(l -> l.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
             .build();
diff --git a/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java b/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
@@ -24,13 +24,11 @@
 
 import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
 import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
-import org.springframework.boot.web.servlet.ServletContextInitializer;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
-public class SameSiteCookieConfiguration implements WebMvcConfigurer {
+public class SameSiteCookieConfiguration {
 
     @Bean
     public TomcatContextCustomizer configureSameSiteCookies() {
@@ -40,12 +38,4 @@ public TomcatContextCustomizer configureSameSiteCookies() {
             context.setCookieProcessor(cookieProcessor);
         };
     }
-
-    @Bean
-    public ServletContextInitializer cookieFlagsInitializer() {
-        return servletContext -> {
-            servletContext.getSessionCookieConfig().setSecure(true);
-            servletContext.getSessionCookieConfig().setHttpOnly(true);
-        };
-    }
 }
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
@@ -40,7 +40,6 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
-import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
@@ -55,8 +54,8 @@ public class WebEidAjaxLoginProcessingFilter extends AbstractAuthenticationProce
     private final SecurityContextRepository securityContextRepository;
 
     public WebEidAjaxLoginProcessingFilter(
-            String defaultFilterProcessesUrl,
-            AuthenticationManager authenticationManager
+        String defaultFilterProcessesUrl,
+        AuthenticationManager authenticationManager
     ) {
         super(PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, defaultFilterProcessesUrl));
         this.setAuthenticationManager(authenticationManager);
@@ -68,7 +67,7 @@ public WebEidAjaxLoginProcessingFilter(
 
     @Override
     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
-            throws AuthenticationException, IOException {
+        throws AuthenticationException, IOException {
         final String contentType = request.getHeader("Content-type");
         if (contentType == null || !contentType.startsWith("application/json")) {
             LOG.warn("Content type not supported: {}", contentType);
@@ -80,7 +79,6 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
         LOG.info("attemptAuthentication(): Creating token");
         final PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(null, authTokenDTO);
         LOG.info("attemptAuthentication(): Calling authentication manager");
-        token.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
         return getAuthenticationManager().authenticate(token);
     }
 
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidChallengeNonceFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidChallengeNonceFilter.java
@@ -19,22 +19,21 @@
 import java.io.IOException;
 
 public final class WebEidChallengeNonceFilter extends OncePerRequestFilter {
-
     private static final ObjectWriter JSON = new ObjectMapper().writer();
-    private final RequestMatcher matcher =
-            PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, "/auth/challenge");
+    private final RequestMatcher requestMatcher;
 
     private final ChallengeNonceGenerator nonceGenerator;
 
-    public WebEidChallengeNonceFilter(ChallengeNonceGenerator nonceGenerator) {
+    public WebEidChallengeNonceFilter(String path, ChallengeNonceGenerator nonceGenerator) {
+        this.requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, path);
         this.nonceGenerator = nonceGenerator;
     }
 
     @Override
     protected void doFilterInternal(@NonNull HttpServletRequest request,
                                     @NonNull HttpServletResponse response,
                                     @NonNull FilterChain chain) throws ServletException, IOException {
-        if (!matcher.matches(request)) {
+        if (!requestMatcher.matches(request)) {
             chain.doFilter(request, response);
             return;
         }
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java
@@ -24,7 +24,6 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
-import eu.webeid.security.challenge.ChallengeNonceStore;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -43,29 +42,25 @@
 
 public final class WebEidMobileAuthInitFilter extends OncePerRequestFilter {
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
-    private final RequestMatcher matcher =
-        PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, "/auth/mobile/auth/init");
+    private final RequestMatcher requestMatcher;
 
     private final ChallengeNonceGenerator nonceGenerator;
-    private final ChallengeNonceStore challengeNonceStore;
 
-    public WebEidMobileAuthInitFilter(ChallengeNonceGenerator nonceGenerator,
-                                      ChallengeNonceStore challengeNonceStore) {
+    public WebEidMobileAuthInitFilter(String path, ChallengeNonceGenerator nonceGenerator) {
+        this.requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, path);
         this.nonceGenerator = nonceGenerator;
-        this.challengeNonceStore = challengeNonceStore;
     }
 
     @Override
     protected void doFilterInternal(@NonNull HttpServletRequest request,
                                     @NonNull HttpServletResponse response,
                                     @NonNull FilterChain chain) throws IOException, ServletException {
-        if (!matcher.matches(request)) {
+        if (!requestMatcher.matches(request)) {
             chain.doFilter(request, response);
             return;
         }
 
         var challenge = nonceGenerator.generateAndStoreNonce();
-        challengeNonceStore.put(challenge);
 
         String loginUri = ServletUriComponentsBuilder.fromCurrentContextPath()
             .path("/auth/eid/login").build().toUriString();
diff --git a/example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java b/example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java
@@ -26,8 +26,6 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpMethod;
 import org.springframework.lang.NonNull;
 import org.springframework.security.web.csrf.CsrfToken;
@@ -38,8 +36,12 @@
 import java.io.IOException;
 
 public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter {
-    private static final Logger LOG = LoggerFactory.getLogger(WebEidLoginPageGeneratingFilter.class);
-    private final RequestMatcher requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, "/auth/eid/login");
+    private final RequestMatcher requestMatcher;
+
+    public WebEidLoginPageGeneratingFilter(String path) {
+        this.requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, path);
+    }
+
     private static final String LOGIN_PAGE_HTML = """
             <!doctype html>
             <html lang="en">
@@ -77,10 +79,7 @@ public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter
               })
               .catch(e => {
                 console.error("Login failed", e);
-                const errorDiv = document.createElement("div");
-                errorDiv.style.color = "red";
-                errorDiv.textContent = "Authentication failed.";
-                document.body.appendChild(errorDiv);
+                window.location.replace("/?mobileAuthError=login_failed");
               });
             })();
             </script>
@@ -97,9 +96,6 @@ protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull Ht
             return;
         }
 
-        var session = request.getSession(false);
-        LOG.info("LOGIN PAGE: rendering login page for sessionId={}", session != null ? session.getId() : "null");
-
         var csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
         if (csrf == null) {
             csrf = (CsrfToken) request.getAttribute("_csrf");
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
@@ -272,12 +272,13 @@ <h3><a id="for-developers"></a>For developers</h3>
                         [csrfHeaderName]: csrfToken,
                     },
                     credentials: "include"
-            });
-            await checkHttpError(resp);
-            const { eidAuthUri } = await resp.json();
-            window.location.href = eidAuthUri;
-            return;
-          }
+                });
+
+                await checkHttpError(resp);
+                const { eidAuthUri } = await resp.json();
+                window.location.href = eidAuthUri;
+                return;
+            }
 
           const challengeResponse = await fetch("/auth/challenge", {
                 method: "POST",
diff --git a/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java b/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
@@ -38,7 +38,6 @@
 import static eu.webeid.security.challenge.ChallengeNonceGenerator.NONCE_LENGTH;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -55,7 +54,9 @@ class AuthenticationEndpointsFilterTest {
 
     @Test
     void challengeReturnsNonceWithExpectedBase64Length() throws Exception {
-        MvcResult result = mvc.perform(get("/auth/challenge").accept(MediaType.APPLICATION_JSON))
+        MvcResult result = mvc.perform(post("/auth/challenge")
+                .with(csrf())
+                .accept(MediaType.APPLICATION_JSON))
             .andExpect(status().isOk())
             .andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON))
             .andReturn();
@@ -77,7 +78,7 @@ void mobileInitBuildsDeepLinkWithEmbeddedChallenge() throws Exception {
             .andReturn();
 
         JsonNode json = mapper.readTree(result.getResponse().getContentAsByteArray());
-        String eidAuthUri = json.get("eidAuthUri").asText();
+        String eidAuthUri = json.get("auth_uri").asText();
 
         assertThat(eidAuthUri).startsWith("web-eid-mobile://auth#");
 
diff --git a/example/src/test/java/eu/webeid/example/WebApplicationTest.java b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
@@ -22,9 +22,6 @@
 
 package eu.webeid.example;
 
-import eu.webeid.example.service.SigningService;
-import eu.webeid.example.service.dto.FileDTO;
-import eu.webeid.example.service.dto.SignatureDTO;
 import eu.webeid.example.testutil.Dates;
 import eu.webeid.example.testutil.HttpHelper;
 import eu.webeid.example.testutil.ObjectMother;
@@ -47,9 +44,6 @@
 import eu.webeid.example.service.dto.DigestDTO;
 import eu.webeid.security.challenge.ChallengeNonce;
 import eu.webeid.security.util.DateAndTime;
-import eu.webeid.security.validator.certvalidators.SubjectCertificateNotRevokedValidator;
-
-import java.security.cert.X509Certificate;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -86,30 +80,13 @@ public void testRoot() throws Exception {
 
     @Test
     public void testHappyFlow_LoginPrepareSignDownload() throws Exception {
-
-        // Arrange
-        new MockUp<SubjectCertificateNotRevokedValidator>() {
-            @Mock
-            public void validateCertificateNotRevoked(X509Certificate subjectCertificate) {
-                // Do not call real OCSP service in tests.
-            }
-        };
-
         new MockUp<AsicSignatureFinalizer>() {
             @Mock
             public void validateOcspResponse(XadesSignature xadesSignature) {
                 // Do not call real OCSP service in tests.
             }
         };
 
-        new MockUp<SigningService>() {
-            @Mock
-            public FileDTO signContainer(SignatureDTO signatureDTO) {
-                // Return a dummy FileDTO in tests
-                return new FileDTO("example-for-signing.asice");
-            }
-        };
-
         MockHttpSession session = new MockHttpSession();
         session.setAttribute("challenge-nonce", new ChallengeNonce(ObjectMother.VALID_CHALLENGE_NONCE, DateAndTime.utcNow().plusMinutes(1)));
 
@@ -146,28 +123,13 @@ public static MockMultipartFile mockMultipartFile() {
 
     @Test
     public void testHappyFlow_V11LoginAuthToken() throws Exception {
-        new MockUp<SubjectCertificateNotRevokedValidator>() {
-            @Mock
-            public void validateCertificateNotRevoked(X509Certificate subjectCertificate) {
-                // Do not call real OCSP service in tests.
-            }
-        };
-
         new MockUp<AsicSignatureFinalizer>() {
             @Mock
             public void validateOcspResponse(XadesSignature xadesSignature) {
                 // Do not call real OCSP service in tests.
             }
         };
 
-        new MockUp<SigningService>() {
-            @Mock
-            public FileDTO signContainer(SignatureDTO signatureDTO) {
-                // Return a dummy FileDTO in tests
-                return new FileDTO("example-for-signing.asice");
-            }
-        };
-
         MockHttpSession session = new MockHttpSession();
         session.setAttribute("challenge-nonce", new ChallengeNonce(ObjectMother.VALID_CHALLENGE_NONCE, DateAndTime.utcNow().plusMinutes(1)));
 
diff --git a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
