Remove security context after every api request

2019-04-30 11:38:36 +08:00 · 2019-04-30 11:38:36 +08:00 · 57172cdf55
parent 03b7c33297
commit 57172cdf55
3 changed files with 42 additions and 5 deletions
--- a/src/main/java/run/halo/app/config/HaloConfiguration.java
+++ b/src/main/java/run/halo/app/config/HaloConfiguration.java
@ -16,6 +16,7 @@ import run.halo.app.cache.InMemoryCacheStore;
 import run.halo.app.cache.StringCacheStore;
 import run.halo.app.config.properties.HaloProperties;
 import run.halo.app.filter.CorsFilter;
+import run.halo.app.filter.GuardFilter;
 import run.halo.app.filter.LogFilter;
 import run.halo.app.security.filter.AdminAuthenticationFilter;
 import run.halo.app.security.filter.ApiAuthenticationFilter;
@ -75,6 +76,15 @@ public class HaloConfiguration {
        return corsFilter;
    }

+    @Bean
+    public FilterRegistrationBean<GuardFilter> guardFilter() {
+        FilterRegistrationBean<GuardFilter> guardFilter = new FilterRegistrationBean<>();
+        guardFilter.setOrder(Ordered.HIGHEST_PRECEDENCE);
+        guardFilter.setFilter(new GuardFilter());
+        guardFilter.addUrlPatterns("/api/*");
+        return guardFilter;
+    }
+
    /**
     * Creates a LogFilter.
     *
--- a/src/main/java/run/halo/app/filter/GuardFilter.java
+++ b/src/main/java/run/halo/app/filter/GuardFilter.java
@ -0,0 +1,27 @@
+package run.halo.app.filter;
+
+import org.springframework.web.filter.GenericFilterBean;
+import run.halo.app.security.context.SecurityContextHolder;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import java.io.IOException;
+
+/**
+ * @author johnniang
+ * @date 19-4-30
+ */
+public class GuardFilter extends GenericFilterBean {
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+
+        // Do filter
+        chain.doFilter(request, response);
+
+        // Clear security context
+        SecurityContextHolder.clearContext();
+    }
+}
--- a/src/main/java/run/halo/app/service/impl/AdminServiceImpl.java
+++ b/src/main/java/run/halo/app/service/impl/AdminServiceImpl.java
@ -77,11 +77,6 @@ public class AdminServiceImpl implements AdminService {
    public AuthToken authenticate(LoginParam loginParam) {
        Assert.notNull(loginParam, "Login param must not be null");

-        if (SecurityContextHolder.getContext().isAuthenticated()) {
-            // If the user has been logged in
-            throw new BadRequestException("You have been logged in, do not log in repeatedly please");
-        }
-
        String username = loginParam.getUsername();
        User user = Validator.isEmail(username) ?
                userService.getByEmailOfNonNull(username) : userService.getByUsernameOfNonNull(username);
@ -93,6 +88,11 @@ public class AdminServiceImpl implements AdminService {
            throw new BadRequestException("Username or password is incorrect");
        }

+        if (SecurityContextHolder.getContext().isAuthenticated()) {
+            // If the user has been logged in
+            throw new BadRequestException("You have been logged in, do not log in repeatedly please");
+        }
+
        // Generate new token
        return buildAuthToken(user);
    }