- package com.astarte.commons.security.apikey;
- import com.astarte.commons.security.TokenAuthenticationSuccessHandler;
- import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
- import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
- import org.springframework.security.core.Authentication;
- import org.springframework.security.core.AuthenticationException;
- import org.springframework.security.core.context.SecurityContextHolder;
- import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
- import org.springframework.security.web.util.matcher.RequestMatcher;
- import javax.servlet.FilterChain;
- import javax.servlet.ServletException;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import java.io.IOException;
/**
 * Servlet filter that authenticates a device from a pair of request headers.
 *
 * <p>The {@code X-Hardware-ID} header value becomes the principal and the {@code X-API-Key}
 * header value becomes the credential. Both are wrapped in a
 * {@link UsernamePasswordAuthenticationToken} and handed to the configured authentication
 * manager. A request that lacks either header, or that arrives while the security context
 * already holds an {@link Authentication}, is not evaluated by this filter and simply continues
 * down the chain.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The API key is a secret carried in a request header. Nothing in this class logs it; any
 *       logging added here should keep the header value out of the output.</li>
 *   <li>The "already authenticated" shortcut tests only that an {@code Authentication} object is
 *       present, not that {@code isAuthenticated()} is true. NOTE(review): if an anonymous or
 *       otherwise unauthenticated token can be in the context before this filter runs, the
 *       device headers are never checked; confirm the filter ordering rules that out.</li>
 *   <li>Skipping this filter does not grant access: the request proceeds without a device
 *       identity, so protected endpoints still depend on authorization rules further down the
 *       chain.</li>
 * </ul>
 */
public class DeviceApiKeyAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    static final Logger logger = LoggerFactory.getLogger(DeviceApiKeyAuthenticationFilter.class);

    /** Header carrying the device secret; used as the credential. */
    private static final String API_KEY_HEADER = "X-API-Key";

    /** Header carrying the device identifier; used as the principal. */
    private static final String HARDWARE_ID_HEADER = "X-Hardware-ID";

    /**
     * Creates the filter for the requests selected by {@code matcher}.
     *
     * @param matcher decides which requests this filter processes
     */
    public DeviceApiKeyAuthenticationFilter(RequestMatcher matcher) {
        super(matcher);
        // Install the project's own success handler as the default one.
        setAuthenticationSuccessHandler(new TokenAuthenticationSuccessHandler());
    }

    /**
     * Builds an authentication request from the device headers and submits it to the
     * authentication manager.
     *
     * @param httpServletRequest request whose headers are inspected
     * @param httpServletResponse response, unused here
     * @return the manager's result, or an unauthenticated placeholder token (null principal and
     *     credentials) when the filter should be skipped
     * @throws AuthenticationException when the authentication manager rejects the credentials
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest,
                                                HttpServletResponse httpServletResponse)
            throws AuthenticationException, IOException, ServletException {
        // An Authentication is already in the context: do not authenticate a second time.
        // Only presence is tested here, not isAuthenticated().
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current != null) {
            return skipToken();
        }

        String hardwareId = httpServletRequest.getHeader(HARDWARE_ID_HEADER);
        String apiKey = httpServletRequest.getHeader(API_KEY_HEADER);
        boolean bothHeadersPresent = hardwareId != null && apiKey != null;
        if (!bothHeadersPresent) {
            // Not a device request. The placeholder makes successfulAuthentication() continue
            // the chain without touching the security context.
            return skipToken();
        }

        // Empty header values are not filtered out; they reach the authentication manager as-is.
        UsernamePasswordAuthenticationToken deviceCredentials =
                new UsernamePasswordAuthenticationToken(hardwareId, apiKey);
        return this.getAuthenticationManager().authenticate(deviceCredentials);
    }

    /**
     * Continues the filter chain after {@link #attemptAuthentication} returned without throwing.
     *
     * <p>An unauthenticated result is the placeholder meaning "skip": the chain continues and the
     * superclass success processing is not run. An authenticated result first goes through the
     * superclass success processing, after which the same request continues down the chain.
     *
     * <p>NOTE(review): continuing the chain after the success handler has run assumes the
     * handler leaves the response uncommitted (no redirect, no body). The constructor installs
     * {@code TokenAuthenticationSuccessHandler}, which is not visible here; confirm it, and any
     * handler set later, meets that assumption.
     */
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
                                            Authentication authResult) throws IOException, ServletException {
        if (authResult.isAuthenticated()) {
            super.successfulAuthentication(request, response, chain, authResult);
        } else {
            logger.debug("Filter returned an unauthenticated request but threw no exceptions: moving on in the chain.");
        }
        // In both cases the request carries on; a device that authenticated needs no second round trip.
        chain.doFilter(request, response);
    }

    /** Returns the unauthenticated placeholder token that marks a request this filter skips. */
    private static Authentication skipToken() {
        return new UsernamePasswordAuthenticationToken(null, null);
    }
}