diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java index 18501aa22..def478622 100644 --- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java +++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java @@ -27,6 +27,7 @@ import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.security.DmfTenantSecurityToken.FileResource; import org.eclipse.hawkbit.tenancy.TenantAware; import org.eclipse.hawkbit.util.UrlUtils; +import org.slf4j.Logger; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.context.SecurityContextHolder; @@ -39,7 +40,6 @@ import org.springframework.util.AntPathMatcher; * name from the URL and the controller ID from the URL to do security checks * based on this information. */ -@Slf4j public abstract class AbstractHttpControllerAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter { private static final String TENANT_PLACE_HOLDER = "tenant"; 
@@ -64,14 +64,11 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac private PreAuthenticationFilter abstractControllerAuthenticationFilter; /** - * Constructor for sub-classes. + * Constructor for subclasses. * - * @param tenantConfigurationManagement - * the tenant configuration service - * @param tenantAware - * the tenant aware service - * @param systemSecurityContext - * the system secruity context + * @param tenantConfigurationManagement the tenant configuration service + * @param tenantAware the tenant aware service + * @param systemSecurityContext the system security context */ protected AbstractHttpControllerAuthenticationFilter( final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware, @@ -85,6 +82,11 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac @Override public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException { + if (SecurityContextHolder.getContext().getAuthentication() != null) { + log().trace("Request is already authenticated. Skip filter"); + chain.doFilter(request, response); + return; + } if (!(request instanceof HttpServletRequest)) { chain.doFilter(request, response); @@ -96,9 +98,10 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac chain.doFilter(request, response); return; } + abstractControllerAuthenticationFilter = createControllerAuthenticationFilter(); - if (abstractControllerAuthenticationFilter.isEnable(securityToken) - && SecurityContextHolder.getContext().getAuthentication() == null) { + if (abstractControllerAuthenticationFilter.isEnable(securityToken)) { + log().debug("Filter is disabled for the tenant {}", securityToken.getTenant()); super.doFilter(request, response, chain); } else { chain.doFilter(request, response); 
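Review bot: The added `log().debug("Filter is disabled for the tenant {}", securityToken.getTenant());` sits in the branch where `isEnable(securityToken)` returned true, directly before `super.doFilter(request, response, chain)`, so the message states the opposite of what the code does. Anyone reconstructing an authentication decision from these logs would read an active mechanism as switched off. Move the statement into the `else` branch, or reword it in place, e.g. `log().debug("Filter is enabled for the tenant {}", securityToken.getTenant());`. `doFilter` begins in the previous hunk and the `else` block continues past the end of this one.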
@@ -119,11 +122,12 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac super.successfulAuthentication(request, response, authTokenWithGrantedAuthorities); } + protected abstract Logger log(); + /** * Extracts tenant and controllerId from the request URI as path variables. * - * @param request - * the Http request to extract the path variables. + * @param request the Http request to extract the path variables. * @return the extracted {@link DmfTenantSecurityToken} or {@code null} if the * request does not match the pattern and no variables could be * extracted 
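Review bot: `protected abstract Logger log();` is added without Javadoc, and it makes every existing subclass of this public abstract class fail to compile until it implements the method; the four filters in this commit are updated, but subclasses outside the repository cannot be seen from here. A non-abstract default would keep a per-subclass logger name without that break and without the repeated override: `protected Logger log() { return LoggerFactory.getLogger(getClass()); }` (needs the `org.slf4j.LoggerFactory` import). If the method stays abstract, document the contract, for example `/** @return the logger of the concrete filter; must never be null */`, since `doFilter` and the token-extraction method dereference the result unconditionally.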
@@ -132,30 +136,23 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac final String requestURI = request.getRequestURI(); if (pathExtractor.match(request.getContextPath() + CONTROLLER_REQUEST_ANT_PATTERN, requestURI)) { - log.debug("retrieving principal from URI request {}", requestURI); + log().debug("retrieving principal from URI request {}", requestURI); final Map extractUriTemplateVariables = pathExtractor .extractUriTemplateVariables(request.getContextPath() + CONTROLLER_REQUEST_ANT_PATTERN, requestURI); final String controllerId = UrlUtils.decodeUriValue(extractUriTemplateVariables.get(CONTROLLER_ID_PLACE_HOLDER)); final String tenant = UrlUtils.decodeUriValue(extractUriTemplateVariables.get(TENANT_PLACE_HOLDER)); - if (log.isTraceEnabled()) { - log.trace("Parsed tenant {} and controllerId {} from path request {}", tenant, controllerId, - requestURI); - } + log().trace("Parsed tenant {} and controllerId {} from path request {}", tenant, controllerId, requestURI); return createTenantSecurityTokenVariables(request, tenant, controllerId); } else if (pathExtractor.match(request.getContextPath() + CONTROLLER_DL_REQUEST_ANT_PATTERN, requestURI)) { - log.debug("retrieving path variables from URI request {}", requestURI); + log().debug("retrieving path variables from URI request {}", requestURI); final Map extractUriTemplateVariables = pathExtractor.extractUriTemplateVariables( request.getContextPath() + CONTROLLER_DL_REQUEST_ANT_PATTERN, requestURI); final String tenant = UrlUtils.decodeUriValue(extractUriTemplateVariables.get(TENANT_PLACE_HOLDER)); - if (log.isTraceEnabled()) { - log.trace("Parsed tenant {} from path request {}", tenant, requestURI); - } + log().trace("Parsed tenant {} from path request {}", tenant, requestURI); return createTenantSecurityTokenVariables(request, tenant, "anonymous"); } else { - if (log.isTraceEnabled()) { - log.trace("request {} does not match the path pattern {}, request gets ignored", requestURI, + 
log().trace("request {} does not match the path pattern {}, request gets ignored", requestURI, CONTROLLER_REQUEST_ANT_PATTERN); - } return null; } } diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateAnonymousDownloadFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateAnonymousDownloadFilter.java index 5ba37fdb0..be1281f31 100644 --- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateAnonymousDownloadFilter.java +++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateAnonymousDownloadFilter.java @@ -9,9 +9,11 @@ */ package org.eclipse.hawkbit.security; +import lombok.extern.slf4j.Slf4j; import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions; import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.tenancy.TenantAware; +import org.slf4j.Logger; /** * An pre-authenticated processing filter which add the 
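Review bot: The `log().debug(...)` and `log().trace(...)` calls in this hunk write `requestURI`, `tenant` and `controllerId` to the log before the request has been authenticated, and the latter two are logged after `UrlUtils.decodeUriValue`. If that decoding can produce CR/LF or other control characters (its implementation is not visible here), log entries could be forged unless the logging layout escapes them. Consider neutralising control characters in these values before logging, or confirm that the configured encoder does so. Separately, the final trace names only `CONTROLLER_REQUEST_ANT_PATTERN` although `CONTROLLER_DL_REQUEST_ANT_PATTERN` was also tried, which can mislead when diagnosing a rejected download URL. The method's signature lies outside the hunk.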
@@ -19,19 +21,15 @@ import org.eclipse.hawkbit.tenancy.TenantAware; * security context in case the anonymous download is allowed through * configuration. */ +@Slf4j public class HttpControllerPreAuthenticateAnonymousDownloadFilter extends AbstractHttpControllerAuthenticationFilter { /** * Constructor. * - * @param tenantConfigurationManagement - * the system management service to retrieve configuration - * properties - * @param tenantAware - * the tenant aware service to get configuration for the specific - * tenant - * @param systemSecurityContext - * the system security context + * @param tenantConfigurationManagement the system management service to retrieve configuration properties + * @param tenantAware the tenant aware service to get configuration for the specific tenant + * @param systemSecurityContext the system security context */ public HttpControllerPreAuthenticateAnonymousDownloadFilter( final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware, @@ -45,4 +43,8 @@ public class HttpControllerPreAuthenticateAnonymousDownloadFilter extends Abstra systemSecurityContext); } -} + @Override + protected Logger log() { + return log; + } +} \ No newline at end of file diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java index 649cb473d..4a6f620bc 100644 --- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java +++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateSecurityTokenFilter.java 
@@ -9,9 +9,11 @@ */ package org.eclipse.hawkbit.security; +import lombok.extern.slf4j.Slf4j; import org.eclipse.hawkbit.repository.ControllerManagement; import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.tenancy.TenantAware; +import org.slf4j.Logger; /** * An pre-authenticated processing filter which extracts (if enabled through @@ -25,10 +27,8 @@ import org.eclipse.hawkbit.tenancy.TenantAware; * custom headers which have then weird side-effects. Furthermore frameworks are * aware of the sensitivity of the Authorization header and do not log it and * store it somewhere. - * - * - * */ +@Slf4j public class HttpControllerPreAuthenticateSecurityTokenFilter extends AbstractHttpControllerAuthenticationFilter { private final ControllerManagement controllerManagement; @@ -61,4 +61,8 @@ public class HttpControllerPreAuthenticateSecurityTokenFilter extends AbstractHt tenantAware, systemSecurityContext); } -} + @Override + protected Logger log() { + return log; + } +} \ No newline at end of file diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java index 2e6db211b..b2c8cf6a3 100644 --- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java +++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedGatewaySecurityTokenFilter.java @@ -9,8 +9,10 @@ */ package org.eclipse.hawkbit.security; +import lombok.extern.slf4j.Slf4j; import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.tenancy.TenantAware; +import org.slf4j.Logger; /** * Extract the {@code Authorization} header is a HTTP standard and reverse proxy 
@@ -18,10 +20,8 @@ import org.eclipse.hawkbit.tenancy.TenantAware; * maybe custom headers which have then weird side-effects. Furthermore * frameworks are aware of the sensitivity of the Authorization header and do * not log it and store it somewhere. - * - * - * */ +@Slf4j public class HttpControllerPreAuthenticatedGatewaySecurityTokenFilter extends AbstractHttpControllerAuthenticationFilter { @@ -49,4 +49,8 @@ public class HttpControllerPreAuthenticatedGatewaySecurityTokenFilter systemSecurityContext); } -} + @Override + protected Logger log() { + return log; + } +} \ No newline at end of file diff --git a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java index 73adca142..fd4ce3566 100644 --- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java +++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticatedSecurityHeaderFilter.java @@ -9,16 +9,16 @@ */ package org.eclipse.hawkbit.security; +import lombok.extern.slf4j.Slf4j; import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.tenancy.TenantAware; +import org.slf4j.Logger; /** * An pre-authenticated processing filter which extracts the principal from a * request URI and the credential from a request header. - * - * - * */ +@Slf4j public class HttpControllerPreAuthenticatedSecurityHeaderFilter extends AbstractHttpControllerAuthenticationFilter { private final String caCommonNameHeader; @@ -60,4 +60,8 @@ public class HttpControllerPreAuthenticatedSecurityHeaderFilter extends Abstract tenantConfigurationManagement, tenantAware, systemSecurityContext); } -} + @Override + protected Logger log() { + return log; + } +} \ No newline at end of file 
diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedAnonymousFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedAnonymousFilter.java index 91dbf7b6b..7058f2607 100644 --- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedAnonymousFilter.java +++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedAnonymousFilter.java @@ -42,5 +42,4 @@ public class ControllerPreAuthenticatedAnonymousFilter implements PreAuthenticat public boolean isEnable(final DmfTenantSecurityToken securityToken) { return ddiSecurityConfiguration.getAuthentication().getAnonymous().isEnabled(); } - -} +} \ No newline at end of file