Merge branch 'master' into stage

DDH-RD · May 31, 2024 · 0f4a2b7 · 0f4a2b7
2 parents 963f66b + f127b1c
commit 0f4a2b7
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 44 deletions.
diff --git a/paladins-webservice/src/main/java/dev/luzifer/spring/config/ApiKeyAuthFilter.java b/paladins-webservice/src/main/java/dev/luzifer/spring/config/ApiKeyAuthFilter.java
@@ -12,14 +12,15 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 @Slf4j
 public class ApiKeyAuthFilter extends AbstractAuthenticationProcessingFilter {
 
   private final String headerName;
 
   public ApiKeyAuthFilter(String headerName, AuthenticationManager authenticationManager) {
-    super("/*");
+    super(new AntPathRequestMatcher("/api/**"));
 
     this.headerName = headerName;
     setAuthenticationManager(authenticationManager);
@@ -51,7 +52,9 @@ protected void successfulAuthentication(
   }
 
   @Override
-  protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
+  protected void unsuccessfulAuthentication(
+      HttpServletRequest request, HttpServletResponse response, AuthenticationException failed)
+      throws IOException, ServletException {
     SecurityContextHolder.clearContext();
     super.unsuccessfulAuthentication(request, response, failed);
   }

diff --git a/paladins-webservice/src/main/java/dev/luzifer/spring/config/WebSecurityConfig.java b/paladins-webservice/src/main/java/dev/luzifer/spring/config/WebSecurityConfig.java
@@ -1,29 +1,21 @@
 package dev.luzifer.spring.config;
 
-import jakarta.servlet.FilterChain;
-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
+import jakarta.annotation.PostConstruct;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.core.Ordered;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
-import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.web.filter.OncePerRequestFilter;
-
-import java.io.IOException;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 @Configuration
 @EnableWebSecurity
@@ -34,7 +26,7 @@ public class WebSecurityConfig {
   private final String apiKeyHeader;
 
   public WebSecurityConfig(
-          @Value("${api.key}") String apiKey, @Value("${api.key.header}") String apiKeyHeader) {
+      @Value("${api.key}") String apiKey, @Value("${api.key.header}") String apiKeyHeader) {
     this.apiKey = apiKey;
     this.apiKeyHeader = apiKeyHeader;
   }
@@ -45,34 +37,18 @@ public ApiKeyAuthFilter apiKeyAuthFilter(AuthenticationManager authenticationMan
   }
 
   @Bean
-  public FilterRegistrationBean<OncePerRequestFilter> apiKeyAuthFilterRegistrationBean(AuthenticationManager authenticationManager) {
-    FilterRegistrationBean<OncePerRequestFilter> registrationBean = new FilterRegistrationBean<>();
-
-    registrationBean.setFilter(new OncePerRequestFilter() {
-      @Override
-      protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-        if (SecurityContextHolder.getContext().getAuthentication() == null) {
-          ApiKeyAuthFilter apiKeyAuthFilter = new ApiKeyAuthFilter(apiKeyHeader, authenticationManager);
-          apiKeyAuthFilter.doFilter(request, response, filterChain);
-        } else {
-          filterChain.doFilter(request, response);
-        }
-      }
-    });
-
-    registrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
-
-    return registrationBean;
-  }
+  public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+    AuthenticationManager authenticationManager =
+        http.getSharedObject(AuthenticationConfiguration.class).getAuthenticationManager();
 
-  @Bean
-  public SecurityFilterChain securityFilterChain(
-          HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
     http.csrf(AbstractHttpConfigurer::disable)
-            .formLogin(AbstractHttpConfigurer::disable)
-            .anonymous(AbstractHttpConfigurer::disable)
-            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
-            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
+        .formLogin(AbstractHttpConfigurer::disable)
+        .anonymous(AbstractHttpConfigurer::disable)
+        .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
+        .sessionManagement(
+            session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+        .addFilterBefore(
+            apiKeyAuthFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class);
 
     log.debug("API key: {}", apiKey);
     log.debug("API key header: {}", apiKeyHeader);
@@ -82,7 +58,7 @@ public SecurityFilterChain securityFilterChain(
 
   @Bean
   public AuthenticationManager authenticationManager(
-          AuthenticationConfiguration authenticationConfiguration) throws Exception {
+      AuthenticationConfiguration authenticationConfiguration) throws Exception {
     return authenticationConfiguration.getAuthenticationManager();
   }
 
@@ -93,8 +69,26 @@ public ApiKeyAuthenticationProvider apiKeyAuthenticationProvider() {
 
   @Autowired
   public void configureGlobal(
-          AuthenticationManagerBuilder auth,
-          ApiKeyAuthenticationProvider apiKeyAuthenticationProvider) {
+      AuthenticationManagerBuilder auth,
+      ApiKeyAuthenticationProvider apiKeyAuthenticationProvider) {
     auth.authenticationProvider(apiKeyAuthenticationProvider);
   }
-}
+
+  @Autowired private FilterChainProxy springSecurityFilterChain;
+
+  @PostConstruct
+  public void printSecurityFilters() {
+    log.debug("Security Filter Chain: ");
+    springSecurityFilterChain
+        .getFilterChains()
+        .forEach(
+            chain -> {
+              chain
+                  .getFilters()
+                  .forEach(
+                      filter -> {
+                        log.debug("Filter: " + filter.getClass().getName());
+                      });
+            });
+  }
+}