diff --git a/src/main/java/run/halo/app/security/filter/AbstractAuthenticationFilter.java b/src/main/java/run/halo/app/security/filter/AbstractAuthenticationFilter.java
index 20171ea5ffe9662145a68b3e697720b5b0827c17..83113c0f3499f90de1d08a5225ad24bcf09dc153 100644
--- a/src/main/java/run/halo/app/security/filter/AbstractAuthenticationFilter.java
+++ b/src/main/java/run/halo/app/security/filter/AbstractAuthenticationFilter.java
@@ -6,10 +6,17 @@ import org.springframework.util.AntPathMatcher;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.OncePerRequestFilter;
 import run.halo.app.config.properties.HaloProperties;
+import run.halo.app.exception.NotInstallException;
+import run.halo.app.model.properties.PrimaryProperties;
 import run.halo.app.security.handler.AuthenticationFailureHandler;
 import run.halo.app.security.handler.DefaultAuthenticationFailureHandler;
+import run.halo.app.service.OptionService;
 
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.util.*;
 
 /**
@@ -36,8 +43,12 @@ public abstract class AbstractAuthenticationFilter extends OncePerRequestFilter
 
     private final HaloProperties haloProperties;
 
-    protected AbstractAuthenticationFilter(HaloProperties haloProperties) {
+    private final OptionService optionService;
+
+    protected AbstractAuthenticationFilter(HaloProperties haloProperties,
+                                           OptionService optionService) {
         this.haloProperties = haloProperties;
+        this.optionService = optionService;
         antPathMatcher = new AntPathMatcher();
     }
 
@@ -154,4 +165,16 @@ public abstract class AbstractAuthenticationFilter extends OncePerRequestFilter
         this.failureHandler = failureHandler;
     }
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+        // Check whether the blog is installed or not
+        Boolean isInstalled = optionService.getByPropertyOrDefault(PrimaryProperties.IS_INSTALLED, Boolean.class, false);
+
+        if (!isInstalled) {
+            // If not installed
+            getFailureHandler().onFailure(request, response, new NotInstallException("The blog has not been initialized yet!"));
+            return;
+        }
+    }
 
 }
diff --git a/src/main/java/run/halo/app/security/filter/AdminAuthenticationFilter.java b/src/main/java/run/halo/app/security/filter/AdminAuthenticationFilter.java
index 026e244a28c49bb4ab9e96f2f638821646f8087a..d67b10ebf5916d414e94423583a1aa8bbb6478a9 100644
--- a/src/main/java/run/halo/app/security/filter/AdminAuthenticationFilter.java
+++ b/src/main/java/run/halo/app/security/filter/AdminAuthenticationFilter.java
@@ -4,14 +4,11 @@ import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.http.HttpHeaders;
 import org.springframework.lang.NonNull;
-import org.springframework.lang.Nullable;
 import org.springframework.util.Assert;
 import run.halo.app.cache.StringCacheStore;
 import run.halo.app.config.properties.HaloProperties;
 import run.halo.app.exception.AuthenticationException;
-import run.halo.app.exception.NotInstallException;
 import run.halo.app.model.entity.User;
-import run.halo.app.model.properties.PrimaryProperties;
 import run.halo.app.security.authentication.AuthenticationImpl;
 import run.halo.app.security.context.SecurityContextHolder;
 import run.halo.app.security.context.SecurityContextImpl;
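Review bot: The not-installed guard in the new base `doFilterInternal` cannot actually stop a request: it writes the failure through `getFailureHandler().onFailure(...)` and returns `void`, so a subclass that calls `super.doFilterInternal(request, response, filterChain)` (the AdminAuthenticationFilter and ApiAuthenticationFilter hunks below) has no way to learn that the response was already handled and continues into its own token logic and `filterChain.doFilter`. Before this change each subclass returned immediately after the NotInstallException; now an uninstalled blog still lets the request reach the downstream chain, and presumably any further write to the already-handled response fails as well. I would make the base method a template: keep the install check there and delegate the rest to a new abstract `doAuthenticate(request, response, filterChain)` that subclasses implement instead of overriding `doFilterInternal` (their `super.doFilterInternal` calls then disappear), as sketched below. This also deserves a Javadoc on the base method stating that subclass logic runs only when the blog is installed.
```java
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    // Check whether the blog is installed or not
    Boolean isInstalled = optionService.getByPropertyOrDefault(PrimaryProperties.IS_INSTALLED, Boolean.class, false);

    if (!isInstalled) {
        // If not installed: the failure handler has written the response, so nothing else may run
        getFailureHandler().onFailure(request, response, new NotInstallException("The blog has not been initialized yet!"));
        return;
    }

    // Subclass authentication runs only for an installed blog
    doAuthenticate(request, response, filterChain);
}

/**
 * Performs the filter-specific authentication; invoked only when the blog is installed.
 */
protected abstract void doAuthenticate(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException;
```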
@@ -58,7 +55,7 @@ public class AdminAuthenticationFilter extends AbstractAuthenticationFilter {
     /**
      * Admin token param name.
      */
-    public final static String ADMIN_TOKEN_QUERY_NAME = "adminToken";
+    public final static String ADMIN_TOKEN_QUERY_NAME = "admin_token";
 
     private final HaloProperties haloProperties;
 
@@ -72,7 +69,7 @@ public class AdminAuthenticationFilter extends AbstractAuthenticationFilter {
                                    UserService userService,
                                    HaloProperties haloProperties,
                                    OptionService optionService) {
-        super(haloProperties);
+        super(haloProperties, optionService);
         this.cacheStore = cacheStore;
         this.userService = userService;
         this.haloProperties = haloProperties;
@@ -82,59 +79,45 @@ public class AdminAuthenticationFilter extends AbstractAuthenticationFilter {
 
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-        // Check whether the blog is installed or not
-        Boolean isInstalled = optionService.getByPropertyOrDefault(PrimaryProperties.IS_INSTALLED, Boolean.class, false);
+        super.doFilterInternal(request, response, filterChain);
 
-        if (!isInstalled) {
-            // If not installed
-            getFailureHandler().onFailure(request, response, new NotInstallException("The blog has not been initialized yet!"));
-            return;
-        }
+        if (haloProperties.isAuthEnabled()) {
+            // Get token from request
+            String token = getTokenFromRequest(request);
 
-        if (!haloProperties.isAuthEnabled()) {
-            userService.getCurrentUser().ifPresent(user ->
-                    SecurityContextHolder.setContext(new SecurityContextImpl(new AuthenticationImpl(new UserDetail(user)))));
+            if (StringUtils.isBlank(token)) {
+                if (!shouldSkipAuthenticateFailure(request)) {
+                    getFailureHandler().onFailure(request, response, new AuthenticationException("You have to login before accessing admin api"));
+                    return;
+                }
+            } else {
+                // Get user id from cache
+                Optional optionalUserId = cacheStore.getAny(SecurityUtils.buildTokenAccessKey(token), Integer.class);
 
-            // If authentication disabled
-            filterChain.doFilter(request, response);
-            return;
-        }
+                if (!optionalUserId.isPresent()) {
+                    getFailureHandler().onFailure(request, response, new AuthenticationException("The token has been expired or not exist").setErrorData(token));
+                    return;
+                }
 
-        // Get token from request
-        String token = getTokenFromRequest(request);
+                // Get the user
+                User user = userService.getById(optionalUserId.get());
 
-        if (StringUtils.isNotBlank(token)) {
+                // Build user detail
+                UserDetail userDetail = new UserDetail(user);
 
-            // Get user id from cache
-            Optional optionalUserId = cacheStore.getAny(SecurityUtils.buildTokenAccessKey(token), Integer.class);
-
-            if (!optionalUserId.isPresent()) {
-                getFailureHandler().onFailure(request, response, new AuthenticationException("The token has been expired or not exist").setErrorData(token));
-                return;
+                // Set security
+                SecurityContextHolder.setContext(new SecurityContextImpl(new AuthenticationImpl(userDetail)));
             }
-
-            // Get the user
-            User user = userService.getById(optionalUserId.get());
-
-            // Build user detail
-            UserDetail userDetail = new UserDetail(user);
-
+        } else {
             // Set security
-            SecurityContextHolder.setContext(new SecurityContextImpl(new AuthenticationImpl(userDetail)));
-
-            filterChain.doFilter(request, response);
-
-            return;
+            userService.getCurrentUser().ifPresent(user ->
+                    SecurityContextHolder.setContext(new SecurityContextImpl(new AuthenticationImpl(new UserDetail(user)))));
         }
 
-        if (shouldSkipAuthenticateFailure(request)) {
-            // If should skip this authentication failure
-            log.debug("Skipping authentication failure, url: [{}], method: [{}]", request.getServletPath(), request.getMethod());
-            filterChain.doFilter(request, response);
-            return;
-        }
+        filterChain.doFilter(request, response);
 
-        getFailureHandler().onFailure(request, response, new AuthenticationException("You have to login before accessing admin api"));
+        // Clear context
+        SecurityContextHolder.clearContext();
     }
 
     @Override
diff --git a/src/main/java/run/halo/app/security/filter/ApiAuthenticationFilter.java b/src/main/java/run/halo/app/security/filter/ApiAuthenticationFilter.java
index 898b57b5da4b71bf3572ccdab441c710ce1c5906..d0191c9dc540e93a38bfd7ec5ee715bd0ff50042 100644
--- a/src/main/java/run/halo/app/security/filter/ApiAuthenticationFilter.java
+++ b/src/main/java/run/halo/app/security/filter/ApiAuthenticationFilter.java
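Review bot: The new `SecurityContextHolder.clearContext()` at the end of `doFilterInternal` only runs when `filterChain.doFilter(request, response)` returns normally; an exception thrown downstream skips it and leaves the authenticated context on the servlet thread, which is presumably pooled and reused for the next request. Wrap the chain call so the cleanup is unconditional: `try { filterChain.doFilter(request, response); } finally { SecurityContextHolder.clearContext(); }`. As a point of style, `Optional optionalUserId` is a raw type; `Optional<Integer> optionalUserId` removes the unchecked `get()` passed to `userService.getById`. The old `log.debug("Skipping authentication failure, ...")` on the skip path was dropped; if it was useful for diagnosing unauthenticated access to skipped URLs, consider keeping it inside the `shouldSkipAuthenticateFailure` branch.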
@@ -8,9 +8,7 @@ import org.springframework.util.Assert;
 import run.halo.app.config.properties.HaloProperties;
 import run.halo.app.exception.AuthenticationException;
 import run.halo.app.exception.ForbiddenException;
-import run.halo.app.exception.NotInstallException;
 import run.halo.app.model.properties.OtherProperties;
-import run.halo.app.model.properties.PrimaryProperties;
 import run.halo.app.service.OptionService;
 
 import javax.servlet.FilterChain;
@@ -30,26 +28,20 @@ public class ApiAuthenticationFilter extends AbstractAuthenticationFilter {
 
     public final static String API_TOKEN_HEADER_NAME = "API-" + HttpHeaders.AUTHORIZATION;
 
-    public final static String API_TOKEN_QUERY_NAME = "apiToken";
+    public final static String API_TOKEN_QUERY_NAME = "api_token";
 
     private final OptionService optionService;
 
     public ApiAuthenticationFilter(HaloProperties haloProperties, OptionService optionService) {
-        super(haloProperties);
+        super(haloProperties, optionService);
         this.optionService = optionService;
     }
 
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-        // Check whether the blog is installed or not
-        Boolean isInstalled = optionService.getByPropertyOrDefault(PrimaryProperties.IS_INSTALLED, Boolean.class, false);
-        if (!isInstalled) {
-            // If not installed
-            getFailureHandler().onFailure(request, response, new NotInstallException("The blog has not been initialized yet!"));
-            return;
-        }
+        super.doFilterInternal(request, response, filterChain);
 
         // Get token
         String token = getTokenFromRequest(request);