From 1658da5371ce0b468bf65813786eb95fbd83b283 Mon Sep 17 00:00:00 2001
From: kamiljarmusik <kamil.jarmusik@gmail.com>
Date: Tue, 9 May 2023 01:02:22 +0200
Subject: [PATCH] #2533 Basic auth by HTTPS for API httpds - update
 spring-security.xml configuration - added auth basic for /httpds by https;
 removed not use PublisherEditDwr.httpSenderTest(); basic auth without
 generate login event;

---
 WebContent/WEB-INF/spring-security.xml          | 17 +++++++++++++++++
 .../mango/web/dwr/PublisherEditDwr.java         |  6 ------
 .../scada_lts/login/LocalBasicAuthFilter.java   |  4 +++-
 3 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/WebContent/WEB-INF/spring-security.xml b/WebContent/WEB-INF/spring-security.xml
index 11f3ff182d..7ba9d85276 100644
--- a/WebContent/WEB-INF/spring-security.xml
+++ b/WebContent/WEB-INF/spring-security.xml
@@ -23,6 +23,23 @@
         <session-management session-fixation-protection="newSession" />
     </http>
 
+    <http use-expressions="true" disable-url-rewriting="true" pattern="/httpds/**"
+          authentication-manager-ref="authenticationManager" entry-point-ref="basicAuthenticationEntryPoint">
+        <headers>
+            <cache-control disabled="true"/>
+            <content-type-options disabled="true"/>
+            <hsts/>
+            <frame-options policy="SAMEORIGIN"/>
+            <xss-protection/>
+            <header ref="headersFromSystemSettingsWriter"/>
+        </headers>
+        <csrf disabled="true"/>
+        <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" requires-channel="https"/>
+
+        <custom-filter position="BASIC_AUTH_FILTER" ref="basicAuthFilter"/>
+        <session-management session-fixation-protection="newSession" />
+    </http>
+
     <http use-expressions="true" disable-url-rewriting="true"
           authentication-manager-ref="authenticationManager">
         <headers>
diff --git a/src/com/serotonin/mango/web/dwr/PublisherEditDwr.java b/src/com/serotonin/mango/web/dwr/PublisherEditDwr.java
index 6728364d28..57653dfae4 100644
--- a/src/com/serotonin/mango/web/dwr/PublisherEditDwr.java
+++ b/src/com/serotonin/mango/web/dwr/PublisherEditDwr.java
@@ -18,7 +18,6 @@
  */
 package com.serotonin.mango.web.dwr;
 
-import java.net.*;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.Iterator;
@@ -214,11 +213,6 @@ public boolean getIsUseJSON() {
         return p.isUseJSON();
     }
 
-    public void httpSenderTest(String url, boolean usePost, List<KeyValuePair> staticHeaders,
-            List<KeyValuePair> staticParameters) {
-        Common.getUser().setTestingUtility(new HttpSenderTester(url, usePost, staticHeaders, staticParameters));
-    }
-
     public String httpSenderTestUpdate() {
         HttpSenderTester test = Common.getUser().getTestingUtility(HttpSenderTester.class);
         if (test == null)
diff --git a/src/org/scada_lts/login/LocalBasicAuthFilter.java b/src/org/scada_lts/login/LocalBasicAuthFilter.java
index 0184c93650..b9ac931c11 100644
--- a/src/org/scada_lts/login/LocalBasicAuthFilter.java
+++ b/src/org/scada_lts/login/LocalBasicAuthFilter.java
@@ -1,5 +1,6 @@
 package org.scada_lts.login;
 
+import com.serotonin.mango.vo.User;
 import org.scada_lts.mango.service.UserService;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.core.Authentication;
@@ -19,6 +20,7 @@ public LocalBasicAuthFilter(AuthenticationManager authenticationManager) {
     @Override
     protected void onSuccessfulAuthentication(HttpServletRequest request,
                                               HttpServletResponse response, Authentication authentication) {
-        authenticateLocal(request, response, authentication, new UserService());
+        User user = new UserService().getUser(authentication.getName());
+        authenticateLocal(request, response, authentication, user);
     }
 }