diff --git a/src/main/java/run/halo/app/security/filter/AbstractAuthenticationFilter.java b/src/main/java/run/halo/app/security/filter/AbstractAuthenticationFilter.java
index 83113c0f3..12818c370 100644
--- a/src/main/java/run/halo/app/security/filter/AbstractAuthenticationFilter.java
+++ b/src/main/java/run/halo/app/security/filter/AbstractAuthenticationFilter.java
@@ -8,6 +8,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
 import run.halo.app.config.properties.HaloProperties;
 import run.halo.app.exception.NotInstallException;
 import run.halo.app.model.properties.PrimaryProperties;
+import run.halo.app.security.context.SecurityContextHolder;
 import run.halo.app.security.handler.AuthenticationFailureHandler;
 import run.halo.app.security.handler.DefaultAuthenticationFailureHandler;
 import run.halo.app.service.OptionService;
@@ -75,6 +76,7 @@ public abstract class AbstractAuthenticationFilter extends OncePerRequestFilter
      * @param request http servlet request must not be null.
      * @return true if the request should skip authentication failure; false otherwise
      */
+    @Deprecated
     protected boolean shouldSkipAuthenticateFailure(@NonNull HttpServletRequest request) {
         Assert.notNull(request, "Http servlet request must not be null");
@@ -126,6 +128,7 @@ public abstract class AbstractAuthenticationFilter extends OncePerRequestFilter
      * @param url url must not be blank
      * @param method method must not be blank
      */
+    @Deprecated
     public void addTryAuthUrlMethodPattern(@NonNull String url, @NonNull String method) {
         Assert.hasText(url, "Try authenticating url must not be blank");
         Assert.hasText(method, "Try authenticating method must not be blank");
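Review bot: `@Deprecated` is placed on shouldSkipAuthenticateFailure without a matching Javadoc `@deprecated` tag, so callers get the compiler warning but no indication of what replaces it or why; the same applies to addTryAuthUrlMethodPattern in the following hunk. The AdminAuthenticationFilter hunk in this commit removes the only visible call to shouldSkipAuthenticateFailure, so the Javadoc should say that explicitly, e.g. ` * @deprecated no longer consulted by the authentication filters; blank-token admin requests now always fail in doAuthenticate`, with a parallel line on addTryAuthUrlMethodPattern noting that the patterns it registers are no longer evaluated (hedged: its body is outside the hunk, so confirm nothing else reads them). Both method bodies continue beyond the hunk.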
@@ -176,5 +179,19 @@ public abstract class AbstractAuthenticationFilter extends OncePerRequestFilter
             getFailureHandler().onFailure(request, response, new NotInstallException("The blog has not been initialized yet!"));
             return;
         }
+
+        if (shouldNotFilter(request)) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+
+        try {
+            // Do authenticate
+            doAuthenticate(request, response, filterChain);
+        } finally {
+            SecurityContextHolder.clearContext();
+        }
     }
+
+    protected abstract void doAuthenticate(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException;
 }
diff --git a/src/main/java/run/halo/app/security/filter/AdminAuthenticationFilter.java b/src/main/java/run/halo/app/security/filter/AdminAuthenticationFilter.java
index d67b10ebf..b7b39cfc2 100644
--- a/src/main/java/run/halo/app/security/filter/AdminAuthenticationFilter.java
+++ b/src/main/java/run/halo/app/security/filter/AdminAuthenticationFilter.java
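Review bot: The new abstract `doAuthenticate` has no Javadoc although its contract is not obvious from the signature: an implementation must call `filterChain.doFilter` itself on success (the base method no longer does), and the caller clears `SecurityContextHolder` in `finally` as soon as it returns, so any context an implementation sets is gone once the chain unwinds. A Javadoc on the declaration should state both points plus the `@throws`, and the `finally` deserves a why-comment such as `// Always clear, so an authenticated identity cannot leak to the next request handled by this thread` (assuming the holder is thread-local; confirm). Separately, the `shouldNotFilter(request)` guard in front of the try block looks redundant: if this class inherits OncePerRequestFilter's `doFilter` unchanged, that method already consults `shouldNotFilter` and never reaches `doFilterInternal` when it returns true, so the branch is only live if a subclass overrides `doFilter` — either drop it or add a comment saying why it is repeated. The enclosing doFilterInternal starts outside the hunk.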
@@ -77,47 +77,45 @@ public class AdminAuthenticationFilter extends AbstractAuthenticationFilter {
     }
     @Override
-    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+    protected void doAuthenticate(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-        super.doFilterInternal(request, response, filterChain);
-
-        if (haloProperties.isAuthEnabled()) {
-            // Get token from request
-            String token = getTokenFromRequest(request);
-
-            if (StringUtils.isBlank(token)) {
-                if (!shouldSkipAuthenticateFailure(request)) {
-                    getFailureHandler().onFailure(request, response, new AuthenticationException("You have to login before accessing admin api"));
-                    return;
-                }
-            } else {
-                // Get user id from cache
-                Optional optionalUserId = cacheStore.getAny(SecurityUtils.buildTokenAccessKey(token), Integer.class);
-
-                if (!optionalUserId.isPresent()) {
-                    getFailureHandler().onFailure(request, response, new AuthenticationException("The token has been expired or not exist").setErrorData(token));
-                    return;
-                }
-
-                // Get the user
-                User user = userService.getById(optionalUserId.get());
-
-                // Build user detail
-                UserDetail userDetail = new UserDetail(user);
-
-                // Set security
-                SecurityContextHolder.setContext(new SecurityContextImpl(new AuthenticationImpl(userDetail)));
-            }
-        } else {
+        if (!haloProperties.isAuthEnabled()) {
             // Set security
             userService.getCurrentUser().ifPresent(user -> SecurityContextHolder.setContext(new SecurityContextImpl(new AuthenticationImpl(new UserDetail(user)))));
+
+            // Do filter
+            filterChain.doFilter(request, response);
+            return;
         }
-        filterChain.doFilter(request, response);
+        // Get token from request
+        String token = getTokenFromRequest(request);
-        // Clear context
-        SecurityContextHolder.clearContext();
+        if (StringUtils.isBlank(token)) {
+            getFailureHandler().onFailure(request, response, new AuthenticationException("You have to login before accessing admin api"));
+            return;
+        }
+
+        // Get user id from cache
+        Optional optionalUserId = cacheStore.getAny(SecurityUtils.buildTokenAccessKey(token), Integer.class);
+
+        if (!optionalUserId.isPresent()) {
+            getFailureHandler().onFailure(request, response, new AuthenticationException("The token has been expired or not exist").setErrorData(token));
+            return;
+        }
+
+        // Get the user
+        User user = userService.getById(optionalUserId.get());
+
+        // Build user detail
+        UserDetail userDetail = new UserDetail(user);
+
+        // Set security
+        SecurityContextHolder.setContext(new SecurityContextImpl(new AuthenticationImpl(userDetail)));
+
+        // Do filter
+        filterChain.doFilter(request, response);
     }
     @Override
diff --git a/src/main/java/run/halo/app/security/filter/ApiAuthenticationFilter.java b/src/main/java/run/halo/app/security/filter/ApiAuthenticationFilter.java
index d0191c9dc..a15f9c947 100644
--- a/src/main/java/run/halo/app/security/filter/ApiAuthenticationFilter.java
+++ b/src/main/java/run/halo/app/security/filter/ApiAuthenticationFilter.java
@@ -39,9 +39,7 @@ public class ApiAuthenticationFilter extends AbstractAuthenticationFilter {
     }
     @Override
-    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-
-        super.doFilterInternal(request, response, filterChain);
+    protected void doAuthenticate(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
         // Get token
         String token = getTokenFromRequest(request);
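Review bot: In the new doAuthenticate of AdminAuthenticationFilter, `userService.getById(optionalUserId.get())` is the only step after the cache lookup that can still fail, and it is not routed through `getFailureHandler()`: a cached token whose user id no longer resolves (account removed after the token was issued) would surface as whatever getById throws rather than as an authentication failure — presumably a not-found exception, worth confirming. If so, the lookup should be caught and reported with the same `AuthenticationException("The token has been expired or not exist")` path used two lines above, so the client gets a consistent 401-style answer. Also note that `.setErrorData(token)` puts the presented token into the failure response; if that error payload is serialized to the client (likely, but not visible here), it echoes a credential into response bodies that proxies and front-end error trackers may log, so consider dropping the token from the error data or truncating it. The rest of the class lies outside the hunk.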