Remove security context after every api request

57172cdf · johnniang · 03b7c332 · 57172cdf · 57172cdf · 57172cdf
3 changed file
--- a/src/main/java/run/halo/app/config/HaloConfiguration.java
+++ b/src/main/java/run/halo/app/config/HaloConfiguration.java
@@ -16,6 +16,7 @@ import run.halo.app.cache.InMemoryCacheStore;
 import run.halo.app.cache.StringCacheStore;
 import run.halo.app.config.properties.HaloProperties;
 import run.halo.app.filter.CorsFilter;
+import run.halo.app.filter.GuardFilter;
 import run.halo.app.filter.LogFilter;
 import run.halo.app.security.filter.AdminAuthenticationFilter;
 import run.halo.app.security.filter.ApiAuthenticationFilter;
@@ -75,6 +76,15 @@ public class HaloConfiguration {
        return corsFilter;
    }
+    @Bean
+    public FilterRegistrationBean<GuardFilter> guardFilter() {
+        FilterRegistrationBean<GuardFilter> guardFilter = new FilterRegistrationBean<>();
+        guardFilter.setOrder(Ordered.HIGHEST_PRECEDENCE);
+        guardFilter.setFilter(new GuardFilter());
+        guardFilter.addUrlPatterns("/api/*");
+        return guardFilter;
+    }
    /**
     * Creates a LogFilter.
     *

--- a/src/main/java/run/halo/app/filter/GuardFilter.java
+++ b/src/main/java/run/halo/app/filter/GuardFilter.java
+package run.halo.app.filter;
+import org.springframework.web.filter.GenericFilterBean;
+import run.halo.app.security.context.SecurityContextHolder;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import java.io.IOException;
+/**
+ * @author johnniang
+ * @date 19-4-30
+ */
+public class GuardFilter extends GenericFilterBean {
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        // Do filter
+        chain.doFilter(request, response);
+        // Clear security context
+        SecurityContextHolder.clearContext();
+    }
+}
--- a/src/main/java/run/halo/app/service/impl/AdminServiceImpl.java
+++ b/src/main/java/run/halo/app/service/impl/AdminServiceImpl.java
@@ -77,11 +77,6 @@ public class AdminServiceImpl implements AdminService {
    public AuthToken authenticate(LoginParam loginParam) {
        Assert.notNull(loginParam, "Login param must not be null");
-        if (SecurityContextHolder.getContext().isAuthenticated()) {
-            // If the user has been logged in
-            throw new BadRequestException("You have been logged in, do not log in repeatedly please");
-        }
        String username = loginParam.getUsername();
        User user = Validator.isEmail(username) ?
                userService.getByEmailOfNonNull(username) : userService.getByUsernameOfNonNull(username);
@@ -93,6 +88,11 @@ public class AdminServiceImpl implements AdminService {
            throw new BadRequestException("Username or password is incorrect");
        }
+        if (SecurityContextHolder.getContext().isAuthenticated()) {
+            // If the user has been logged in
+            throw new BadRequestException("You have been logged in, do not log in repeatedly please");
+        }
        // Generate new token
        return buildAuthToken(user);
    }