package cz.zcu.kiv.backendapi.security.jwt;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.google.common.base.Strings;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
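/**
 * Filter that verifies a JWT carried in the {@code Authorization} header, once per request.
 *
 * <p>On a valid token the subject and the authorities claim are turned into a
 * {@link UsernamePasswordAuthenticationToken} and stored in the {@link SecurityContextHolder}.
 * On a rejected token an error is written to the response and the filter chain is
 * <em>not</em> continued. Requests that carry no token (or a token with a different prefix)
 * are passed through unauthenticated, and endpoints listed in {@link #skipFilterEndpoints}
 * bypass the filter entirely.
 *
 * <p>The constructor is generated by Lombok from the {@code final} fields.
 */
@Slf4j
@RequiredArgsConstructor
public class JwtTokenVerifier extends OncePerRequestFilter {

    /**
     * JWT helper supplying the token prefix, the signing/verification algorithm, the name of
     * the authorities claim and the error-response writer.
     */
    private final JwtUtils jwtUtils;

    /**
     * Ant-style path pattern -> HTTP method of endpoints that are permitted without
     * authentication; matching requests are not scanned for a JWT at all.
     */
    private final Map<String, HttpMethod> skipFilterEndpoints;

    /**
     * Checks the request for a JWT and, when one is present, validates it and populates the
     * security context.
     *
     * @param request     the incoming request
     * @param response    the response; receives an error body when the token is rejected
     * @param filterChain the remaining filter chain
     * @throws ServletException propagated from the filter chain
     * @throws IOException      propagated from the filter chain or from writing the error response
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        String tokenPrefix = jwtUtils.getTokenPrefix();
        String authorizationHeader = request.getHeader(HttpHeaders.AUTHORIZATION);

        // No token (or a different scheme): pass the request on unauthenticated and leave the
        // access decision to the downstream security filters.
        if (Strings.isNullOrEmpty(authorizationHeader) || !authorizationHeader.startsWith(tokenPrefix)) {
            filterChain.doFilter(request, response);
            return;
        }

        try {
            String token = authorizationHeader.substring(tokenPrefix.length());
            Algorithm algorithm = jwtUtils.getAlgorithm(); //TODO secure
            // NOTE(review): only the signature (plus the standard time claims, when present) is
            // checked here; no issuer or audience is pinned — confirm that matches how tokens are issued.
            JWTVerifier verifier = JWT.require(algorithm).build();
            DecodedJWT decodedJWT = verifier.verify(token);

            String username = decodedJWT.getSubject();
            List<String> authorities = decodedJWT.getClaim(jwtUtils.getClaimAuthoritiesName()).asList(String.class);
            if (authorities == null) {
                // asList() yields null when the claim is absent or not a list; reject explicitly
                // instead of letting a NullPointerException fall into the generic handler below.
                throw new IllegalArgumentException("JWT has no authorities claim");
            }
            Collection<SimpleGrantedAuthority> grantedAuthorities = authorities.stream()
                    .map(SimpleGrantedAuthority::new)
                    .collect(Collectors.toSet());

            // Credentials are null on purpose: the token was the credential and is not retained.
            UsernamePasswordAuthenticationToken authentication =
                    new UsernamePasswordAuthenticationToken(username, null, grantedAuthorities);
            SecurityContextHolder.getContext().setAuthentication(authentication);
        } catch (Exception e) {
            log.error("Error logging in: {}", e.getMessage());
            jwtUtils.writeErrorToResponse(response, e);
            // The error response has already been written: stop here. Continuing the chain would
            // run the downstream filters with an empty security context and have them write to a
            // response that is already committed.
            return;
        }
        filterChain.doFilter(request, response);
    }

    /**
     * Tells the filter whether the given request may bypass JWT scanning.
     *
     * <p>A request bypasses the filter when its path and method match any entry of
     * {@link #skipFilterEndpoints} (Ant-style path patterns).
     *
     * @param request request
     * @return {@code true} if the request must not be scanned for a JWT, {@code false} otherwise
     */
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        for (Map.Entry<String, HttpMethod> endpoint : skipFilterEndpoints.entrySet()) {
            AntPathRequestMatcher matcher =
                    new AntPathRequestMatcher(endpoint.getKey(), endpoint.getValue().toString());
            if (matcher.matches(request)) {
                return true;
            }
        }
        return false;
    }
}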