Prevent basic authentication from popping up (#4556)

#### What type of PR is this? /kind improvement /kind api-change /area core /milestone 2.10.x #### What this PR does / why we need it: See https://github.com/halo-dev/halo/issues/4547 for more. This PR creates header `WWW-Authenticate` like `FormLogin realm="console"` instead of `Basic realm="realm"` while unauthorized. #### Which issue(s) this PR fixes: Fixes https://github.com/halo-dev/halo/issues/4547 #### Special notes for your reviewer: ```bash curl --head 'http://localhost:8090/actuator/info' HTTP/1.1 401 Unauthorized transfer-encoding: chunked Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers WWW-Authenticate: FormLogin realm="console" Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff X-Frame-Options: DENY X-XSS-Protection: 0 Referrer-Policy: no-referrer ``` #### Does this PR introduce a user-facing change? ```release-note 防止浏览器弹出基础认证弹窗 ```
2023-09-07 16:52:10 +08:00 · 2023-09-07 16:52:10 +08:00 · 0098654344
parent f3cf3ca283
commit 0098654344
3 changed files with 70 additions and 1 deletions
--- a/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
+++ b/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
@ -29,6 +29,7 @@ import run.halo.app.core.extension.service.UserService;
 import run.halo.app.infra.AnonymousUserConst;
 import run.halo.app.infra.properties.HaloProperties;
 import run.halo.app.plugin.extensionpoint.ExtensionGetter;
+import run.halo.app.security.DefaultServerAuthenticationEntryPoint;
 import run.halo.app.security.DefaultUserDetailService;
 import run.halo.app.security.DynamicMatcherSecurityWebFilterChain;
 import run.halo.app.security.authentication.SecurityConfigurer;
@ -66,7 +67,9 @@ public class WebServerSecurityConfig {
                spec.principal(AnonymousUserConst.PRINCIPAL);
            })
            .securityContextRepository(securityContextRepository)
-            .httpBasic(withDefaults());
+            .httpBasic(withDefaults())
+            .exceptionHandling(
+                spec -> spec.authenticationEntryPoint(new DefaultServerAuthenticationEntryPoint()));

        // Integrate with other configurers separately
        securityConfigurers.orderedStream()
--- a/application/src/main/java/run/halo/app/security/DefaultServerAuthenticationEntryPoint.java
+++ b/application/src/main/java/run/halo/app/security/DefaultServerAuthenticationEntryPoint.java
@ -0,0 +1,31 @@
+package run.halo.app.security;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+/**
+ * Default authentication entry point.
+ * See <a href="https://datatracker.ietf.org/doc/html/rfc7235#section-4.1">
+ * https://datatracker.ietf.org/doc/html/rfc7235#section-4.1</a>
+ * for more.
+ *
+ * @author johnniang
+ */
+public class DefaultServerAuthenticationEntryPoint implements ServerAuthenticationEntryPoint {
+
+    @Override
+    public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException ex) {
+        return Mono.defer(() -> {
+            var response = exchange.getResponse();
+            var wwwAuthenticate = "FormLogin realm=\"console\"";
+            response.getHeaders().set(HttpHeaders.WWW_AUTHENTICATE, wwwAuthenticate);
+            response.setStatusCode(HttpStatus.UNAUTHORIZED);
+            return response.setComplete();
+        });
+    }
+
+}
--- a/application/src/test/java/run/halo/app/security/DefaultServerAuthenticationEntryPointTest.java
+++ b/application/src/test/java/run/halo/app/security/DefaultServerAuthenticationEntryPointTest.java
@ -0,0 +1,35 @@
+package run.halo.app.security;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.springframework.http.HttpHeaders.WWW_AUTHENTICATE;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.mock.web.server.MockServerWebExchange;
+import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
+import reactor.test.StepVerifier;
+
+@ExtendWith(MockitoExtension.class)
+class DefaultServerAuthenticationEntryPointTest {
+
+    @InjectMocks
+    DefaultServerAuthenticationEntryPoint entryPoint;
+
+    @Test
+    void commence() {
+        var mockReq = MockServerHttpRequest.get("/protected")
+            .build();
+        var mockExchange = MockServerWebExchange.builder(mockReq)
+            .build();
+        var commenceMono = entryPoint.commence(mockExchange,
+            new AuthenticationCredentialsNotFoundException("Not Found"));
+        StepVerifier.create(commenceMono)
+            .verifyComplete();
+        var headers = mockExchange.getResponse().getHeaders();
+        assertEquals("FormLogin realm=\"console\"", headers.getFirst(WWW_AUTHENTICATE));
+    }
+
+}