Provide extension points for authentication-related web filters (#5386)
#### What type of PR is this? /kind feature /area core /area plugin /milestone 2.13.x #### What this PR does / why we need it: See #5379 for more. This PR provides three extension points: - FormLoginSecurityWebFilter - AuthenticationSecurityWebFilter - AnonymousAuthenticationSecurityWebFilter which could be extended by plugins easily. #### Which issue(s) this PR fixes: Fixes #5379 #### Special notes for your reviewer: TBD. #### Does this PR introduce a user-facing change? ```release-note None ```
Showing
8 changed files
with
204 additions
and
0 deletions.
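--- a/api/src/main/java/run/halo/app/security/AnonymousAuthenticationSecurityWebFilter.java
+++ b/api/src/main/java/run/halo/app/security/AnonymousAuthenticationSecurityWebFilter.java
@@ -0,0 +1,13 @@
+package run.halo.app.security;
+
+import org.pf4j.ExtensionPoint;
+import org.springframework.web.server.WebFilter;
+
+/**
+* Security web filter for anonymous authentication.
+*
+* @author johnniang
+*/
+public interface AnonymousAuthenticationSecurityWebFilter extends WebFilter, ExtensionPoint {
+
+}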
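Review bot: The Javadoc on `AnonymousAuthenticationSecurityWebFilter` names the filter but not the contract a plugin author has to meet, and the same holds for `AuthenticationSecurityWebFilter` and `FormLoginSecurityWebFilter` in the next two files. From `SecurityWebFiltersConfigurer` in this commit, implementations are looked up per request, sorted with `AnnotationAwareOrderComparator` and run at the matching `SecurityWebFiltersOrder` position, so the comment should say that ordering follows `@Order`/`Ordered` and that a filter which does not handle the request must still return `chain.filter(exchange)`. I would add a line such as `* Implementations must delegate to {@code chain.filter(exchange)} when the request is not theirs to authenticate.` to each of the three interfaces.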
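--- a/api/src/main/java/run/halo/app/security/AuthenticationSecurityWebFilter.java
+++ b/api/src/main/java/run/halo/app/security/AuthenticationSecurityWebFilter.java
@@ -0,0 +1,13 @@
+package run.halo.app.security;
+
+import org.pf4j.ExtensionPoint;
+import org.springframework.web.server.WebFilter;
+
+/**
+* Security web filter for normal authentication.
+*
+* @author johnniang
+*/
+public interface AuthenticationSecurityWebFilter extends WebFilter, ExtensionPoint {
+
+}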
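--- a/api/src/main/java/run/halo/app/security/FormLoginSecurityWebFilter.java
+++ b/api/src/main/java/run/halo/app/security/FormLoginSecurityWebFilter.java
@@ -0,0 +1,13 @@
+package run.halo.app.security;
+
+import org.pf4j.ExtensionPoint;
+import org.springframework.web.server.WebFilter;
+
+/**
+* Security web filter for form login.
+*
+* @author johnniang
+*/
+public interface FormLoginSecurityWebFilter extends WebFilter, ExtensionPoint {
+
+}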
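--- a/application/src/main/java/run/halo/app/security/SecurityWebFiltersConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/SecurityWebFiltersConfigurer.java
@@ -0,0 +1,68 @@
+package run.halo.app.security;
+
+import static org.springframework.security.config.web.server.SecurityWebFiltersOrder.ANONYMOUS_AUTHENTICATION;
+import static org.springframework.security.config.web.server.SecurityWebFiltersOrder.AUTHENTICATION;
+import static org.springframework.security.config.web.server.SecurityWebFiltersOrder.FORM_LOGIN;
+
+import lombok.Setter;
+import org.pf4j.ExtensionPoint;
+import org.springframework.core.annotation.AnnotationAwareOrderComparator;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.web.server.WebFilterChainProxy;
+import org.springframework.stereotype.Component;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import org.springframework.web.server.WebFilterChain;
+import reactor.core.publisher.Mono;
+import run.halo.app.plugin.extensionpoint.ExtensionGetter;
+import run.halo.app.security.authentication.SecurityConfigurer;
+
+@Component
+public class SecurityWebFiltersConfigurer implements SecurityConfigurer {
+
+private final ExtensionGetter extensionGetter;
+
+public SecurityWebFiltersConfigurer(ExtensionGetter extensionGetter) {
+this.extensionGetter = extensionGetter;
+}
+
+@Override
+public void configure(ServerHttpSecurity http) {
+http
+.addFilterAt(
+new SecurityWebFilterChainProxy(FormLoginSecurityWebFilter.class), FORM_LOGIN
+)
+.addFilterAt(
+new SecurityWebFilterChainProxy(AuthenticationSecurityWebFilter.class),
+AUTHENTICATION
+)
+.addFilterAt(
+new SecurityWebFilterChainProxy(AnonymousAuthenticationSecurityWebFilter.class),
+ANONYMOUS_AUTHENTICATION
+);
+}
+
+public class SecurityWebFilterChainProxy implements WebFilter {
+
+@Setter
+private WebFilterChainProxy.WebFilterChainDecorator filterChainDecorator;
+
+private final Class<? extends ExtensionPoint> extensionPointClass;
+
+public SecurityWebFilterChainProxy(Class<? extends ExtensionPoint> extensionPointClass) {
+this.extensionPointClass = extensionPointClass;
+this.filterChainDecorator = new WebFilterChainProxy.DefaultWebFilterChainDecorator();
+}
+
+@Override
+public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
+return extensionGetter.getExtensions(this.extensionPointClass)
+.sort(AnnotationAwareOrderComparator.INSTANCE)
+.cast(WebFilter.class)
+.collectList()
+.map(filters -> filterChainDecorator.decorate(chain, filters))
+.flatMap(decoratedChain -> decoratedChain.filter(exchange));
+}
+}
+
+}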
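Review bot: `SecurityWebFilterChainProxy` accepts any `Class<? extends ExtensionPoint>` but `filter` narrows the resolved extensions with `.cast(WebFilter.class)`, so an extension point that is not a `WebFilter` would only surface at request time as a `ClassCastException` inside the security chain. Bounding the constructor, e.g. `public <T extends WebFilter & ExtensionPoint> SecurityWebFilterChainProxy(Class<T> extensionPointClass)`, moves that check to compile time. The class also carries no Javadoc. Since these proxies are registered at `FORM_LOGIN`, `AUTHENTICATION` and `ANONYMOUS_AUTHENTICATION`, a class comment should state that every enabled plugin filter of the given type runs at that position on each exchange. As written, nothing in `filter` handles an error signal from `getExtensions` or from a plugin filter, so it appears to propagate to the caller, and that behaviour is worth documenting or deciding explicitly.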
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
# Halo 认证扩展点 | ||
|
||
此前,Halo 提供了 AdditionalWebFilter 作为扩展点供插件扩展认证相关的功能。但是近期我们明确了 AdditionalWebFilter | ||
的使用用途,故不再作为认证的扩展点。 | ||
|
||
目前,Halo 提供了三种认证扩展点:表单登录认证、普通认证和匿名认证。 | ||
|
||
## 表单登录(FormLogin) | ||
|
||
示例如下: | ||
|
||
```java | ||
import org.springframework.stereotype.Component; | ||
import org.springframework.web.server.ServerWebExchange; | ||
import org.springframework.web.server.WebFilterChain; | ||
import reactor.core.publisher.Mono; | ||
import run.halo.app.security.FormLoginSecurityWebFilter; | ||
|
||
@Component | ||
public class MyFormLoginSecurityWebFilter implements FormLoginSecurityWebFilter { | ||
|
||
@Override | ||
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) { | ||
// Do your logic here | ||
return chain.filter(exchange); | ||
} | ||
} | ||
|
||
``` | ||
## 普通认证(Authentication) | ||
|
||
示例如下: | ||
|
||
```java | ||
import org.springframework.stereotype.Component; | ||
import org.springframework.web.server.ServerWebExchange; | ||
import org.springframework.web.server.WebFilterChain; | ||
import reactor.core.publisher.Mono; | ||
import run.halo.app.security.AuthenticationSecurityWebFilter; | ||
|
||
@Component | ||
public class MyAuthenticationSecurityWebFilter implements AuthenticationSecurityWebFilter { | ||
|
||
@Override | ||
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) { | ||
// Do your logic here | ||
return chain.filter(exchange); | ||
} | ||
} | ||
``` | ||
|
||
## 匿名认证(Anonymous Authentication | ||
|
||
示例如下: | ||
|
||
```java | ||
import org.springframework.stereotype.Component; | ||
import org.springframework.web.server.ServerWebExchange; | ||
import org.springframework.web.server.WebFilterChain; | ||
import reactor.core.publisher.Mono; | ||
import run.halo.app.security.AnonymousAuthenticationSecurityWebFilter; | ||
|
||
@Component | ||
public class MyAnonymousAuthenticationSecurityWebFilter | ||
implements AnonymousAuthenticationSecurityWebFilter { | ||
|
||
@Override | ||
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) { | ||
// Do your logic here | ||
return chain.filter(exchange); | ||
} | ||
} | ||
``` | ||
|
||
我们在实现扩展点的时候需要注意:如果当前请求不满足认证条件,请一定要调用 `chain.filter(exchange)`,给其他 filter 留下机会。 | ||
|
||
后续会根据需求实现其他认证相关的扩展点。 |