diff --git a/src/main/java/de/thm/arsnova/security/jwt/JwtTokenFilter.java b/src/main/java/de/thm/arsnova/security/jwt/JwtTokenFilter.java index 22a5bce913827ca55f2036eaf5f286df0e7ed131..b90d3a60d0b20c0e8b423ad8aa8c239a16fa5683 100644 --- a/src/main/java/de/thm/arsnova/security/jwt/JwtTokenFilter.java +++ b/src/main/java/de/thm/arsnova/security/jwt/JwtTokenFilter.java @@ -19,6 +19,8 @@ package de.thm.arsnova.security.jwt; import java.io.IOException; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.ServletRequest; @@ -27,6 +29,7 @@ import javax.servlet.http.HttpServletRequest; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.http.HttpHeaders; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Component; @@ -34,7 +37,7 @@ import org.springframework.web.filter.GenericFilterBean; @Component public class JwtTokenFilter extends GenericFilterBean { - private static final String JWT_HEADER_NAME = "Arsnova-Auth-Token"; + private static final Pattern BEARER_TOKEN_PATTERN = Pattern.compile("Bearer (.*)", Pattern.CASE_INSENSITIVE); private static final Logger logger = LoggerFactory.getLogger(JwtTokenFilter.class); private JwtAuthenticationProvider jwtAuthenticationProvider; 
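Review bot: `Pattern.compile("Bearer (.*)", Pattern.CASE_INSENSITIVE)` accepts an empty credential — `Authorization: Bearer ` satisfies `matches()` with an empty group 1 — and, because it hard-codes a single space, rejects the `1*SP` spacing RFC 6750 §2.1 allows while passing trailing blanks straight through into `JwtToken`. A token-shaped group keeps blank or padded input from ever reaching the provider: `private static final Pattern BEARER_TOKEN_PATTERN = Pattern.compile("Bearer\\s+(\\S+)", Pattern.CASE_INSENSITIVE);`. The constant should also say which contract it implements, e.g. `// RFC 6750 Bearer credentials in the Authorization header; scheme name matched case-insensitively per RFC 7235`. Moving from the custom `Arsnova-Auth-Token` header to the standard scheme is the right direction; this note is only about how tightly the scheme is parsed.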
@@ -48,19 +51,24 @@ public class JwtTokenFilter extends GenericFilterBean {
 filterChain.doFilter(servletRequest, servletResponse);
 return;
 }
- final String jwtHeader = httpServletRequest.getHeader(JWT_HEADER_NAME);
+ final String jwtHeader = httpServletRequest.getHeader(HttpHeaders.AUTHORIZATION);
 if (jwtHeader != null) {
- final JwtToken token = new JwtToken(jwtHeader);
- try {
- final Authentication authenticatedToken = jwtAuthenticationProvider.authenticate(token);
- if (authenticatedToken != null) {
- logger.debug("Storing JWT to SecurityContext: {}", authenticatedToken);
- SecurityContextHolder.getContext().setAuthentication(authenticatedToken);
- } else {
- logger.debug("Could not authenticate JWT.");
+ final Matcher tokenMatcher = BEARER_TOKEN_PATTERN.matcher(jwtHeader);
+ if (tokenMatcher.matches()) {
+ final JwtToken token = new JwtToken(tokenMatcher.group(1));
+ try {
+ final Authentication authenticatedToken = jwtAuthenticationProvider.authenticate(token);
+ if (authenticatedToken != null) {
+ logger.debug("Storing JWT to SecurityContext: {}", authenticatedToken);
+ SecurityContextHolder.getContext().setAuthentication(authenticatedToken);
+ } else {
+ logger.debug("Could not authenticate JWT.");
+ }
+ } catch (final Exception e) {
+ logger.debug("JWT authentication failed", e);
 }
- } catch (final Exception e) {
- logger.debug("JWT authentication failed", e);
+ } else {
+ logger.debug("Unsupported authentication scheme.");
 }
 } else {
 logger.debug("No authentication header present.");
diff --git a/src/main/java/de/thm/arsnova/web/CorsFilter.java b/src/main/java/de/thm/arsnova/web/CorsFilter.java
index e04810f0d25e4d8c9032eba57cee7726f1dcf4c3..7d7f18ff760f18afac5acbdeac8f281c3bf4d3fd 100644
--- a/src/main/java/de/thm/arsnova/web/CorsFilter.java
+++ b/src/main/java/de/thm/arsnova/web/CorsFilter.java
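Review bot: `catch (final Exception e)` in the rewritten try block downgrades every failure — an expired or forged token, but equally a NullPointerException or a misconfigured provider — to an anonymous request reported only at debug level, so an outage in token validation is indistinguishable in the logs from a request that carried no header. If `JwtAuthenticationProvider` is a Spring `AuthenticationProvider`, catch `AuthenticationException` instead (`} catch (final AuthenticationException e) {` with `import org.springframework.security.core.AuthenticationException;`), let anything else propagate, and consider reporting rejected credentials above debug with the remote address but never the token value. On the same lines, `logger.debug("Storing JWT to SecurityContext: {}", authenticatedToken)` prints the Authentication object, which would leak the bearer token into log files if its toString exposes the credentials — JwtToken is not visible here, so that is worth confirming. `doFilter` starts and ends outside this hunk.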
@@ -46,8 +46,8 @@ public class CorsFilter extends org.springframework.web.filter.CorsFilter {
 config.setAllowedOrigins(origins);
 config.addAllowedHeader(HttpHeaders.ACCEPT);
 config.addAllowedHeader(HttpHeaders.CONTENT_TYPE);
+ config.addAllowedHeader(HttpHeaders.AUTHORIZATION);
 config.addAllowedHeader(X_REQUESTED_WITH);
- config.addAllowedHeader(TOKEN_HEADER_NAME);
 config.addAllowedMethod(HttpMethod.GET);
 config.addAllowedMethod(HttpMethod.POST);
 config.addAllowedMethod(HttpMethod.PUT);
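Review bot: With `config.addAllowedHeader(TOKEN_HEADER_NAME)` removed, `TOKEN_HEADER_NAME` has no remaining use in this hunk; if the constant is declared in this class and nothing else reads it, delete it so the code stops advertising a header the server no longer honours. The explicit `Authorization` entry is necessary rather than cosmetic — browsers exclude `Authorization` from a wildcard `Access-Control-Allow-Headers`, so it must be listed by name for the preflight of a Bearer request to pass — and deserves a one-line comment such as `// Authorization is never covered by the CORS "*" header wildcard; list it explicitly for Bearer tokens (see JwtTokenFilter)`. Since every origin in `origins` may now send bearer credentials, that list should stay explicit and must not be `*` if `setAllowCredentials(true)` is in effect; neither the source of `origins` nor the credentials flag is visible in this hunk. The enclosing method starts and ends outside the hunk.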