From a3ea397a5b57ccfaa713c0841c36a9a59fa4b484 Mon Sep 17 00:00:00 2001
From: Daniel Gerhardt <code@z.dgerhardt.net>
Date: Fri, 19 May 2017 20:02:20 +0200
Subject: [PATCH] Improve handling of context path prefix

Consistently prioritize the `api.path` setting before falling back to `servletContext.getContextPath()`.
---
 .../de/thm/arsnova/config/SecurityConfig.java | 19 ++++++++++++-------
 .../arsnova/controller/LoginController.java | 18 ++++++++++++------
 2 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/config/SecurityConfig.java b/src/main/java/de/thm/arsnova/config/SecurityConfig.java
index 73b719285..5ba03fa32 100644
--- a/src/main/java/de/thm/arsnova/config/SecurityConfig.java
+++ b/src/main/java/de/thm/arsnova/config/SecurityConfig.java
@@ -34,6 +34,7 @@ import org.scribe.up.provider.impl.Google2Provider.Google2Scope;
 import org.scribe.up.provider.impl.TwitterProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -73,8 +74,8 @@ import org.springframework.security.web.authentication.logout.LogoutSuccessHandl
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.security.web.header.writers.HstsHeaderWriter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.springframework.web.context.ServletContextAware;
+import javax.annotation.PostConstruct;
 import javax.servlet.ServletContext;
 import java.util.ArrayList;
 import java.util.List;
@@ -86,12 +87,14 @@ import java.util.List;
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 @EnableWebSecurity
 @Profile("!test")
-public class SecurityConfig extends WebSecurityConfigurerAdapter implements ServletContextAware {
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
 private static final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);
+@Autowired
 private ServletContext servletContext;
 @Value("${root-url}") private String rootUrl;
+@Value("${api.path:}")
 private String apiPath;
 @Value("${security.user-db.enabled}") private boolean dbAuthEnabled;
@@ -119,6 +122,13 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter implements Serv
 @Value("${security.google.key}") private String googleKey;
 @Value("${security.google.secret}") private String googleSecret;
+@PostConstruct
+private void init() {
+if ("".equals(apiPath)) {
+apiPath = servletContext.getContextPath();
+}
+}
+
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 http.exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint());
@@ -465,9 +475,4 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter implements Serv
 return authProvider;
 }
-
-@Override
-public void setServletContext(ServletContext servletContext) {
-this.servletContext = servletContext;
-}
 }
diff --git a/src/main/java/de/thm/arsnova/controller/LoginController.java b/src/main/java/de/thm/arsnova/controller/LoginController.java
index 090ac6067..031eb3810 100644
--- a/src/main/java/de/thm/arsnova/controller/LoginController.java
+++ b/src/main/java/de/thm/arsnova/controller/LoginController.java
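Review bot: `init()` only replaces the exact empty-string default, so an `api.path` value that is whitespace-only or ends with a slash is used verbatim, and the identical three-line fallback is copy-pasted into LoginController's `init()` (hunk `@@ -143,6 +148,13 @@`), so any later correction has to be made twice. Because `apiPath` is concatenated into redirect targets (`apiPath + "/j_spring_cas_security_logout"` and `apiPath + "/auth/dialog?..."` in the LoginController hunks), a trailing slash in the property yields a `//` in those URLs. I would normalize once here with `if (apiPath.trim().isEmpty()) { apiPath = servletContext.getContextPath(); }` followed by `if (apiPath.endsWith("/")) { apiPath = apiPath.substring(0, apiPath.length() - 1); }`, and add `logger.info("Using API path prefix: {}", apiPath);` so a misconfigured prefix is visible at startup. Resolving the value in one shared bean and injecting the result into both classes would remove the duplication entirely.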
@@ -53,6 +53,8 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.servlet.View;
 import org.springframework.web.servlet.view.RedirectView;
+import javax.annotation.PostConstruct;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -117,6 +119,9 @@ public class LoginController extends AbstractController {
 @Value("${security.twitter.allowed-roles:speaker,student}") private String[] twitterRoles;
 @Value("${security.twitter.order}") private int twitterOrder;
+@Autowired
+private ServletContext servletContext;
+
 @Autowired(required = false) private DaoAuthenticationProvider daoProvider;
@@ -143,6 +148,13 @@ public class LoginController extends AbstractController {
 private static final Logger logger = LoggerFactory.getLogger(LoginController.class);
+@PostConstruct
+private void init() {
+if ("".equals(apiPath)) {
+apiPath = servletContext.getContextPath();
+}
+}
+
 @RequestMapping(value = { "/auth/login", "/doLogin" }, method = { RequestMethod.POST, RequestMethod.GET })
 public void doLogin(
 @RequestParam("type") final String type,
@@ -302,9 +314,6 @@ public class LoginController extends AbstractController {
 request.getSession().invalidate();
 SecurityContextHolder.clearContext();
 if (auth instanceof CasAuthenticationToken) {
-if ("".equals(apiPath)) {
-apiPath = request.getContextPath();
-}
 return new RedirectView(apiPath + "/j_spring_cas_security_logout");
 }
 return new RedirectView(request.getHeader("referer") != null ? request.getHeader("referer") : "/");
@@ -315,9 +324,6 @@ public class LoginController extends AbstractController {
 public List<ServiceDescription> getServices(final HttpServletRequest request) {
 List<ServiceDescription> services = new ArrayList<>();
-if ("".equals(apiPath)) {
-apiPath = request.getContextPath();
-}
 /* The first parameter is replaced by the backend, the second one by the frondend */
 String dialogUrl = apiPath + "/auth/dialog?type={0}&successurl='{0}'";
--
GitLab