use of org.springframework.security.web.util.matcher.RequestMatcher in project CzechIdMng by bcvsolutions.
the class AuthenticationFilter method doFilter.
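/**
 * Authentication flow implementation.
 * <p>
 * Runs the enabled authentication filters in order and stops at the first one
 * that authenticates the request (via {@code authorize} or the authentication
 * header); filters are also skipped once the request is already authenticated
 * or the response has been committed. The servlet chain is then continued
 * unless the response was already committed by a filter.
 * <p>
 * For requests matching one of the public-path matchers authentication is
 * optional: an exception thrown by the authentication filters is logged at
 * debug level and the request continues unauthenticated. On every other path
 * the exception propagates and the chain is not invoked.
 *
 * @param req   the incoming request (converted with {@code HttpFilterUtils.asHttp})
 * @param res   the outgoing response (converted with {@code HttpFilterUtils.asHttp})
 * @param chain the remaining filter chain
 * @throws IOException      propagated from the authentication filters or the chain
 * @throws ServletException propagated from the authentication filters or the chain
 */
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = HttpFilterUtils.asHttp(req);
    //
    boolean isPublicPath = getPublicPathRequestMatchers().stream().anyMatch(matcher -> matcher.matches(request));
    if (isPublicPath) {
        LOG.debug("Authentication filter will be optional for public path [{}].", request.getServletPath());
    }
    //
    HttpServletResponse response = HttpFilterUtils.asHttp(res);
    try {
        // anyMatch is a short-circuiting terminal operation: the first filter
        // that authenticates (or finds the request already authenticated /
        // the response committed) ends the iteration. This replaces a
        // side-effecting Stream.filter whose findFirst() result was discarded.
        filters.stream()
            .filter(f -> enabledEvaluator.isEnabled(f))
            .filter(f -> !f.isDisabled())
            .anyMatch(f -> isAuthenticated()
                || res.isCommitted()
                || f.authorize(request, response)
                || handleAuthenticationHeader(request, response, f));
    } catch (Exception ex) {
        if (!isPublicPath) {
            // not public => authentication is required
            throw ex;
        }
        // public path => authentication is optional; the failure is deliberately
        // downgraded to debug so public pages keep working without credentials.
        LOG.debug("Exception is occured by authentication filters on public page, authentication will not be set.", ex);
    }
    if (!res.isCommitted()) {
        // a filter that already wrote the response (e.g. rejected the
        // credentials) ends the request here
        chain.doFilter(req, res);
    }
}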
use of org.springframework.security.web.util.matcher.RequestMatcher in project flow by vaadin.
the class VaadinWebSecurityConfigurerAdapter method createAccessDeniedHandler.
/**
 * Builds the access-denied handler for the Vaadin security configuration.
 * <p>
 * Requests recognised by {@code requestUtil.isEndpointRequest} get a dedicated
 * delegating handler: a {@link CsrfException} is answered by
 * {@link Http401UnauthorizedAccessDeniedHandler} (presumably an HTTP 401
 * response), any other {@link AccessDeniedException} by
 * {@link AccessDeniedHandlerImpl}. All other requests use a plain
 * {@link AccessDeniedHandlerImpl}.
 * <p>
 * NOTE(review): the special case likely exists because endpoint callers are
 * programmatic clients that cannot follow an HTML error page — confirm against
 * the endpoint client code before changing the status.
 *
 * @return the configured {@link RequestMatcherDelegatingAccessDeniedHandler}
 */
private AccessDeniedHandler createAccessDeniedHandler() {
    // Endpoint requests: CSRF failures are special-cased, everything else falls back to the default implementation.
    LinkedHashMap<Class<? extends AccessDeniedException>, AccessDeniedHandler> byException = new LinkedHashMap<>();
    byException.put(CsrfException.class, new Http401UnauthorizedAccessDeniedHandler());
    AccessDeniedHandler endpointHandler = new DelegatingAccessDeniedHandler(byException, new AccessDeniedHandlerImpl());
    // Route by request: only endpoint requests use the handler above.
    LinkedHashMap<RequestMatcher, AccessDeniedHandler> byRequest = new LinkedHashMap<>();
    byRequest.put(requestUtil::isEndpointRequest, endpointHandler);
    return new RequestMatcherDelegatingAccessDeniedHandler(byRequest, new AccessDeniedHandlerImpl());
}
use of org.springframework.security.web.util.matcher.RequestMatcher in project BroadleafCommerce by BroadleafCommerce.
the class CsrfFilter method doFilter.
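/**
 * Validates the CSRF token of state-changing requests before passing the
 * request down the chain.
 * <p>
 * Only {@code POST} requests are checked, and only when the request does not
 * match one of the Ant-style {@code excludedRequestPatterns}. The token is read
 * from the request parameter named by
 * {@code exploitProtectionService.getCsrfTokenParameter()} and checked by
 * {@code exploitProtectionService.compareToken}; a failed comparison is
 * surfaced as a {@link ServletException} wrapping the {@link ServiceException},
 * and the chain is not invoked.
 * <p>
 * NOTE(review): PUT, PATCH and DELETE are not covered by this check, so any
 * state-changing endpoint accepting those methods relies on other protection.
 * Every excluded pattern is a CSRF bypass for the paths it matches — keep the
 * list minimal and review it on change.
 *
 * @param baseRequest  the incoming request, cast to {@link HttpServletRequest}
 * @param baseResponse the outgoing response, cast to {@link HttpServletResponse}
 * @param chain        the remaining filter chain
 * @throws ServletException if the CSRF token comparison fails
 * @throws IOException      propagated from the chain
 */
@Override
public void doFilter(ServletRequest baseRequest, ServletResponse baseResponse, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) baseRequest;
    HttpServletResponse response = (HttpServletResponse) baseResponse;
    // We only validate CSRF tokens on POST
    if ("POST".equals(request.getMethod()) && !isExcludedRequest(request)) {
        String requestToken = request.getParameter(exploitProtectionService.getCsrfTokenParameter());
        try {
            exploitProtectionService.compareToken(requestToken);
        } catch (ServiceException e) {
            // keep the cause so the failure reason is not lost in the container's error handling
            throw new ServletException(e);
        }
    }
    chain.doFilter(request, response);
}

/**
 * Returns whether the request matches any of the configured Ant-style
 * {@code excludedRequestPatterns}; a null or empty list excludes nothing.
 *
 * @param request the request to test
 * @return {@code true} if at least one pattern matches
 */
private boolean isExcludedRequest(HttpServletRequest request) {
    if (excludedRequestPatterns == null || excludedRequestPatterns.isEmpty()) {
        return false;
    }
    for (String pattern : excludedRequestPatterns) {
        if (new AntPathRequestMatcher(pattern).matches(request)) {
            return true;
        }
    }
    return false;
}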
use of org.springframework.security.web.util.matcher.RequestMatcher in project BroadleafCommerce by BroadleafCommerce.
the class SecurityFilter method doFilter.
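/**
 * Validates the CSRF token and, when enabled, the stale-state token of
 * state-changing requests before passing the request down the chain.
 * <p>
 * Only {@code POST} requests are checked, and only when the request does not
 * match one of the Ant-style {@code excludedRequestPatterns}. The CSRF token is
 * read from the parameter named by
 * {@code exploitProtectionService.getCsrfTokenParameter()} and checked by
 * {@code exploitProtectionService.compareToken}. If
 * {@code staleStateProtectionService.isEnabled()}, the state-version token
 * from {@code staleStateProtectionService.getStateVersionTokenParameter()} is
 * checked by {@code staleStateProtectionService.compareToken} as well — this
 * rejects form submissions from a page rendered before an important session
 * state change. Either failure is surfaced as a {@link ServletException}
 * wrapping the original exception, and the chain is not invoked.
 * <p>
 * NOTE(review): PUT, PATCH and DELETE are not covered by these checks, so any
 * state-changing endpoint accepting those methods relies on other protection.
 * Every excluded pattern bypasses both checks for the paths it matches — keep
 * the list minimal and review it on change.
 *
 * @param baseRequest  the incoming request, cast to {@link HttpServletRequest}
 * @param baseResponse the outgoing response, cast to {@link HttpServletResponse}
 * @param chain        the remaining filter chain
 * @throws ServletException if the CSRF or stale-state token comparison fails
 * @throws IOException      propagated from the chain
 */
@Override
public void doFilter(ServletRequest baseRequest, ServletResponse baseResponse, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) baseRequest;
    HttpServletResponse response = (HttpServletResponse) baseResponse;
    // We only validate CSRF (and stale-state) tokens on POST
    boolean validateTokens = "POST".equals(request.getMethod()) && !isExcludedRequest(request);
    if (validateTokens) {
        String requestToken = request.getParameter(exploitProtectionService.getCsrfTokenParameter());
        try {
            exploitProtectionService.compareToken(requestToken);
        } catch (ServiceException e) {
            // keep the cause so the failure reason is not lost in the container's error handling
            throw new ServletException(e);
        }
    }
    if (validateTokens && staleStateProtectionService.isEnabled()) {
        // Catch attempts to update form data from a stale page (i.e. a important state change has taken place for this session)
        String stateToken = request.getParameter(staleStateProtectionService.getStateVersionTokenParameter());
        try {
            staleStateProtectionService.compareToken(stateToken);
        } catch (StaleStateServiceException e) {
            throw new ServletException(e);
        }
    }
    chain.doFilter(request, response);
}

/**
 * Returns whether the request matches any of the configured Ant-style
 * {@code excludedRequestPatterns}; a null or empty list excludes nothing.
 *
 * @param request the request to test
 * @return {@code true} if at least one pattern matches
 */
private boolean isExcludedRequest(HttpServletRequest request) {
    if (excludedRequestPatterns == null || excludedRequestPatterns.isEmpty()) {
        return false;
    }
    for (String pattern : excludedRequestPatterns) {
        if (new AntPathRequestMatcher(pattern).matches(request)) {
            return true;
        }
    }
    return false;
}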
use of org.springframework.security.web.util.matcher.RequestMatcher in project spring-security by spring-projects.
the class OAuth2LoginConfigurer method getLoginEntryPoint.
/**
 * Builds the {@link AuthenticationEntryPoint} that sends unauthenticated
 * browser requests to the OAuth2 provider's login page.
 * <p>
 * A request is sent to {@code providerLoginPage} (via
 * {@link LoginUrlAuthenticationEntryPoint}) when it does not carry
 * {@code X-Requested-With: XMLHttpRequest} and is not itself a request for the
 * configured login page or {@code /favicon.ico} handled by the default
 * entry-point matcher. Every other request falls through to
 * {@code getAuthenticationEntryPoint()}.
 *
 * @param http              the builder whose default entry-point matcher is consulted
 * @param providerLoginPage the provider-specific login URL
 * @return the delegating entry point
 */
private AuthenticationEntryPoint getLoginEntryPoint(B http, String providerLoginPage) {
    // Requests for the login page itself (or its favicon) that the default entry point would handle.
    RequestMatcher loginPageOrFavicon = new OrRequestMatcher(
            new AntPathRequestMatcher(this.getLoginPage()),
            new AntPathRequestMatcher("/favicon.ico"));
    RequestMatcher defaultLoginPageRequest = new AndRequestMatcher(loginPageOrFavicon, this.getAuthenticationEntryPointMatcher(http));
    // Browser navigation rather than an XHR call: only those requests are sent to the provider login page.
    RequestMatcher browserRequest = new NegatedRequestMatcher(new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"));
    RequestMatcher sendToProvider = new AndRequestMatcher(browserRequest, new NegatedRequestMatcher(defaultLoginPageRequest));
    LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
    entryPoints.put(sendToProvider, new LoginUrlAuthenticationEntryPoint(providerLoginPage));
    DelegatingAuthenticationEntryPoint delegating = new DelegatingAuthenticationEntryPoint(entryPoints);
    delegating.setDefaultEntryPoint(this.getAuthenticationEntryPoint());
    return delegating;
}