SUPPORT-8838 fixes

2025-01-13 13:06:29 +03:00 · 2025-01-13 13:06:29 +03:00 · 11f49ae09b
commit 11f49ae09b
parent f8da0c82d6
4 changed files with 52 additions and 14 deletions
--- a/backend/src/main/java/ru/micord/ervu/security/AccessDeniedHandlerImpl.java
+++ b/backend/src/main/java/ru/micord/ervu/security/AccessDeniedHandlerImpl.java
@ -0,0 +1,30 @@
+package ru.micord.ervu.security;
+
+import java.io.IOException;
+import java.lang.invoke.MethodHandles;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+
+public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
+  private static final Logger LOGGER = LoggerFactory.getLogger(
+      MethodHandles.lookup().lookupClass());
+
+  @Override
+  public void handle(HttpServletRequest request, HttpServletResponse response,
+                     AccessDeniedException accessDeniedException) throws IOException {
+
+    if (response.isCommitted()) {
+      LOGGER.trace("Did not write to response since already committed");
+      return;
+    }
+    response.setStatus(HttpStatus.FORBIDDEN.value());
+    response.setContentType("application/json;charset=UTF-8");
+    response.getWriter().write("\"" + HttpStatus.FORBIDDEN.getReasonPhrase() + "\"");
+  }
+}
--- a/backend/src/main/java/ru/micord/ervu/security/SecurityConfig.java
+++ b/backend/src/main/java/ru/micord/ervu/security/SecurityConfig.java
@ -9,7 +9,6 @@ import org.springframework.security.config.annotation.authentication.configurati
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
-import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
@ -50,7 +49,8 @@ public class SecurityConfig {

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http,
-                                         CookieCsrfTokenRepository tokenRepository)
+                                         CookieCsrfTokenRepository tokenRepository,
+                                         UnauthorizedEntryPoint entryPoint)
      throws Exception {
    XorCsrfTokenRequestAttributeHandler delegate = new XorCsrfTokenRequestAttributeHandler();
    delegate.setCsrfRequestAttributeName(null);
@ -68,7 +68,8 @@ public class SecurityConfig {
        .logout((logout) -> logout.logoutUrl(ESIA_LOGOUT)
            .logoutSuccessHandler(new LogoutSuccessHandler(tokenRepository, esiaAuthService)))
        .exceptionHandling()
-        .authenticationEntryPoint(entryPoint())
+        .authenticationEntryPoint(entryPoint)
+        .accessDeniedHandler(new AccessDeniedHandlerImpl())
        .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
@ -87,8 +88,9 @@ public class SecurityConfig {
    return tokenRepository;
  }

-  public AuthenticationEntryPoint entryPoint() {
-    return new UnauthorizedEntryPoint();
+  @Bean
+  public UnauthorizedEntryPoint entryPoint(SecurityHelper securityHelper) {
+    return new UnauthorizedEntryPoint(securityHelper);
  }

  @Bean
@ -104,9 +106,10 @@ public class SecurityConfig {

  @Bean
  public JwtAuthenticationFilter jwtAuthenticationFilter(SecurityHelper securityHelper,
-                                                         AuthenticationManager manager) {
+                                                         AuthenticationManager manager,
+                                                         UnauthorizedEntryPoint entryPoint) {
    JwtAuthenticationFilter jwtAuthenticationFilter = new JwtAuthenticationFilter(
-        new JwtMatcher("/**", PERMIT_ALL), entryPoint(), securityHelper);
+        new JwtMatcher("/**", PERMIT_ALL), entryPoint, securityHelper);
    jwtAuthenticationFilter.setAuthenticationManager(manager);
    return jwtAuthenticationFilter;
  }
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/UnauthorizedEntryPoint.java
+++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/UnauthorizedEntryPoint.java
@ -6,12 +6,19 @@ import javax.servlet.http.HttpServletResponse;

 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
+import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper;

 /**
 * {@link AuthenticationEntryPoint} that rejects all requests with an unauthorized error message.
 */
 public class UnauthorizedEntryPoint implements AuthenticationEntryPoint {

+  private final SecurityHelper securityHelper;
+
+  public UnauthorizedEntryPoint(SecurityHelper securityHelper) {
+    this.securityHelper = securityHelper;
+  }
+
  @Override
  public void commence(HttpServletRequest request, HttpServletResponse response,
                       AuthenticationException exception) throws IOException {
@ -21,9 +28,11 @@ public class UnauthorizedEntryPoint implements AuthenticationEntryPoint {
      response.setStatus(HttpServletResponse.SC_OK);
    }
    else {
-      response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
-          "Unauthorized: Authentication token was either missing or invalid."
-      );
+      securityHelper.clearAccessCookies(response);
+      response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+      response.setContentType("application/json;charset=UTF-8");
+      response.getWriter()
+          .write("\"Unauthorized: Authentication token was either missing or invalid.\"");
    }
  }
 }
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java
+++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java
@ -9,18 +9,14 @@ import javax.servlet.http.HttpServletResponse;

 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.security.authentication.CredentialsExpiredException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.util.matcher.RequestMatcher;
-import ru.micord.ervu.security.esia.token.EsiaTokensStore;
 import ru.micord.ervu.security.webbpm.jwt.JwtAuthentication;
 import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper;
-import ru.micord.ervu.security.webbpm.jwt.model.Token;
-import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService;

 import static ru.micord.ervu.security.webbpm.jwt.util.SecurityUtil.extractAuthToken;