Commit 9bbff2ed authored by Tom Käsler's avatar Tom Käsler

Merge branch 'auth-bearer-token' into 'master'

Implement RFC 6750 instead of custom header for JWT

See merge request !144
parents f11cadde 640cb652
......@@ -19,6 +19,8 @@
package de.thm.arsnova.security.jwt;
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
......@@ -27,6 +29,7 @@ import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
......@@ -34,7 +37,7 @@ import org.springframework.web.filter.GenericFilterBean;
@Component
public class JwtTokenFilter extends GenericFilterBean {
private static final String JWT_HEADER_NAME = "Arsnova-Auth-Token";
private static final Pattern BEARER_TOKEN_PATTERN = Pattern.compile("Bearer (.*)", Pattern.CASE_INSENSITIVE);
private static final Logger logger = LoggerFactory.getLogger(JwtTokenFilter.class);
private JwtAuthenticationProvider jwtAuthenticationProvider;
......@@ -48,19 +51,24 @@ public class JwtTokenFilter extends GenericFilterBean {
filterChain.doFilter(servletRequest, servletResponse);
return;
}
final String jwtHeader = httpServletRequest.getHeader(JWT_HEADER_NAME);
final String jwtHeader = httpServletRequest.getHeader(HttpHeaders.AUTHORIZATION);
if (jwtHeader != null) {
final JwtToken token = new JwtToken(jwtHeader);
try {
final Authentication authenticatedToken = jwtAuthenticationProvider.authenticate(token);
if (authenticatedToken != null) {
logger.debug("Storing JWT to SecurityContext: {}", authenticatedToken);
SecurityContextHolder.getContext().setAuthentication(authenticatedToken);
} else {
logger.debug("Could not authenticate JWT.");
final Matcher tokenMatcher = BEARER_TOKEN_PATTERN.matcher(jwtHeader);
if (tokenMatcher.matches()) {
final JwtToken token = new JwtToken(tokenMatcher.group(1));
try {
final Authentication authenticatedToken = jwtAuthenticationProvider.authenticate(token);
if (authenticatedToken != null) {
logger.debug("Storing JWT to SecurityContext: {}", authenticatedToken);
SecurityContextHolder.getContext().setAuthentication(authenticatedToken);
} else {
logger.debug("Could not authenticate JWT.");
}
} catch (final Exception e) {
logger.debug("JWT authentication failed", e);
}
} catch (final Exception e) {
logger.debug("JWT authentication failed", e);
} else {
logger.debug("Unsupported authentication scheme.");
}
} else {
logger.debug("No authentication header present.");
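Review bot: The new BEARER_TOKEN_PATTERN (`Bearer (.*)`, declared in the third hunk and used in the fourth) is looser than the RFC 6750 grammar this commit adopts: `(.*)` accepts an empty credential (`Authorization: Bearer `) and arbitrary characters after the scheme, so malformed values reach `new JwtToken(tokenMatcher.group(1))` and are rejected only inside the catch-all `catch (final Exception e)`, which logs at debug level. Matching the RFC's `"Bearer" 1*SP b64token` form rejects those before any parsing: `private static final Pattern BEARER_TOKEN_PATTERN = Pattern.compile("Bearer +([A-Za-z0-9\\-._~+/]+=*)", Pattern.CASE_INSENSITIVE);`. `Pattern.CASE_INSENSITIVE` is right for the scheme name (RFC 7235 makes schemes case-insensitive), so it should stay. The carried-over debug line `Storing JWT to SecurityContext: {}` is not new, but if `JwtToken.toString()` includes the raw credential it writes the bearer token into the log; that cannot be confirmed from this hunk. The enclosing doFilter method starts and ends outside the hunk.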
......
......@@ -46,8 +46,8 @@ public class CorsFilter extends org.springframework.web.filter.CorsFilter {
config.setAllowedOrigins(origins);
config.addAllowedHeader(HttpHeaders.ACCEPT);
config.addAllowedHeader(HttpHeaders.CONTENT_TYPE);
config.addAllowedHeader(HttpHeaders.AUTHORIZATION);
config.addAllowedHeader(X_REQUESTED_WITH);
config.addAllowedHeader(TOKEN_HEADER_NAME);
config.addAllowedMethod(HttpMethod.GET);
config.addAllowedMethod(HttpMethod.POST);
config.addAllowedMethod(HttpMethod.PUT);
......