Merge pull request #2534 from SCADA-LTS/feature/#2533_Basic_auth_by_H…

…TTPS_for_API_httpds #2533 Basic auth by HTTPS for API httpds - update spring-security.xml…
SCADA-LTS · May 8, 2023 · 9ab97a2 · 9ab97a2
2 parents 5fe07da + 1658da5
commit 9ab97a2
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 7 deletions.
diff --git a/WebContent/WEB-INF/spring-security.xml b/WebContent/WEB-INF/spring-security.xml
@@ -23,6 +23,23 @@
         <session-management session-fixation-protection="newSession" />
     </http>
 
+    <http use-expressions="true" disable-url-rewriting="true" pattern="/httpds/**"
+          authentication-manager-ref="authenticationManager" entry-point-ref="basicAuthenticationEntryPoint">
+        <headers>
+            <cache-control disabled="true"/>
+            <content-type-options disabled="true"/>
+            <hsts/>
+            <frame-options policy="SAMEORIGIN"/>
+            <xss-protection/>
+            <header ref="headersFromSystemSettingsWriter"/>
+        </headers>
+        <csrf disabled="true"/>
+        <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" requires-channel="https"/>
+
+        <custom-filter position="BASIC_AUTH_FILTER" ref="basicAuthFilter"/>
+        <session-management session-fixation-protection="newSession" />
+    </http>
+
     <http use-expressions="true" disable-url-rewriting="true"
           authentication-manager-ref="authenticationManager">
         <headers>

diff --git a/src/com/serotonin/mango/web/dwr/PublisherEditDwr.java b/src/com/serotonin/mango/web/dwr/PublisherEditDwr.java
@@ -18,7 +18,6 @@
  */
 package com.serotonin.mango.web.dwr;
 
-import java.net.*;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.Iterator;
@@ -214,11 +213,6 @@ public boolean getIsUseJSON() {
         return p.isUseJSON();
     }
 
-    public void httpSenderTest(String url, boolean usePost, List<KeyValuePair> staticHeaders,
-            List<KeyValuePair> staticParameters) {
-        Common.getUser().setTestingUtility(new HttpSenderTester(url, usePost, staticHeaders, staticParameters));
-    }
-
     public String httpSenderTestUpdate() {
         HttpSenderTester test = Common.getUser().getTestingUtility(HttpSenderTester.class);
         if (test == null)

diff --git a/src/org/scada_lts/login/LocalBasicAuthFilter.java b/src/org/scada_lts/login/LocalBasicAuthFilter.java
@@ -1,5 +1,6 @@
 package org.scada_lts.login;
 
+import com.serotonin.mango.vo.User;
 import org.scada_lts.mango.service.UserService;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.core.Authentication;
@@ -19,6 +20,7 @@ public LocalBasicAuthFilter(AuthenticationManager authenticationManager) {
     @Override
     protected void onSuccessfulAuthentication(HttpServletRequest request,
                                               HttpServletResponse response, Authentication authentication) {
-        authenticateLocal(request, response, authentication, new UserService());
+        User user = new UserService().getUser(authentication.getName());
+        authenticateLocal(request, response, authentication, user);
     }
 }