From f86a8afd2f5c06da85d8a18340433534d053c6f4 Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Tue, 24 Dec 2024 20:11:53 +0300 Subject: [PATCH 1/6] SUPPORT-8755: Fix --- .../micord/ervu/security/esia/token/TokensStore.java | 11 ++++++++++- .../webbpm/jwt/filter/JwtAuthenticationFilter.java | 2 ++ .../security/webbpm/jwt/service/JwtTokenService.java | 8 -------- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java index 9804b80..f202cb3 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java @@ -3,6 +3,8 @@ package ru.micord.ervu.security.esia.token; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.springframework.security.authentication.CredentialsExpiredException; + /** * @author Eduard Tihomirov */ @@ -18,7 +20,14 @@ public class TokensStore { } public static String getAccessToken(String prnOid) { - return accessTokensMap.get(prnOid).getAccessToken(); + ExpiringToken token = accessTokensMap.get(prnOid); + if (token == null) { + throw new CredentialsExpiredException("No access token for prnOid: " + prnOid); + } + else if (token.isExpired()) { + throw new CredentialsExpiredException("Access token expired for prnOid: " + prnOid); + } + return token.getAccessToken(); } public static void removeExpiredAccessToken() { diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java index c4f60f7..eedbebe 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java 
@@ -16,6 +16,7 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; import org.springframework.security.web.util.matcher.RequestMatcher; +import ru.micord.ervu.security.esia.token.TokensStore; import ru.micord.ervu.security.webbpm.jwt.JwtAuthentication; import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper; import ru.micord.ervu.security.webbpm.jwt.model.Token; @@ -64,6 +65,7 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil if (ids.length != 2) { throw new CredentialsExpiredException("Invalid token. User has no ervuId"); } + TokensStore.getAccessToken(token.getUserAccountId()); } } catch (CredentialsExpiredException e) { diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java index 5478da2..8b8c5d9 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java @@ -34,9 +34,6 @@ public class JwtTokenService { ResourceMetadataUtils.PROJECT_GROUP_ID + "." + ResourceMetadataUtils.PROJECT_ARTIFACT_ID; private final SecretKey SIGNING_KEY; - @Autowired - private HttpServletRequest request; - @Autowired public JwtTokenService(@Value("${webbpm.security.token.secret.key:ZjE5ZjMxNmYtODViZC00ZTQ5LWIxZmYtOGEzYzE3Yjc1MDVk}") String secretKey) { 
@@ -79,11 +76,6 @@ public class JwtTokenService { return new Token(claims.getSubject(), claims.getIssuer(), claims.getExpiration(), token); } - public String getErvuId() { - String extractAuthToken = extractAuthToken(request); - return getToken(extractAuthToken).getUserAccountId().split(":")[1]; - } - public String getAccessToken(HttpServletRequest request) { return TokensStore.getAccessToken(getUserAccountId(request)); } From 1a1ca85a63545523997037aefd7079a76866be3e Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Tue, 24 Dec 2024 20:26:17 +0300 Subject: [PATCH 2/6] SUPPORT-8755: Fix --- .../micord/ervu/security/esia/token/TokensStore.java | 10 +++++++--- .../webbpm/jwt/filter/JwtAuthenticationFilter.java | 5 ++++- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java index f202cb3..9dd98e1 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java @@ -20,14 +20,18 @@ public class TokensStore { } public static String getAccessToken(String prnOid) { + return accessTokensMap.get(prnOid).getAccessToken(); + } + + public static boolean validateAccessToken(String prnOid) { ExpiringToken token = accessTokensMap.get(prnOid); if (token == null) { - throw new CredentialsExpiredException("No access token for prnOid: " + prnOid); + throw new CredentialsExpiredException("No ESIA access token for prnOid: " + prnOid); } else if (token.isExpired()) { - throw new CredentialsExpiredException("Access token expired for prnOid: " + prnOid); + throw new CredentialsExpiredException("ESIA access token expired for prnOid: " + prnOid); } - return token.getAccessToken(); + return token.getAccessToken() != null; } public static void removeExpiredAccessToken() { 
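Review bot: Restoring `return accessTokensMap.get(prnOid).getAccessToken();` in getAccessToken reintroduces the unguarded dereference that the first patch had removed, so a prnOid with no entry now fails with NullPointerException instead of CredentialsExpiredException, and the new validateAccessToken only protects callers that remember to invoke it first. JwtTokenService.getAccessToken, visible in a later hunk of this series, calls getAccessToken directly, and the same unguarded line is carried as context through the patch 4 and patch 5 hunks of EsiaTokensStore. Consider `ExpiringToken token = accessTokensMap.get(prnOid);` followed by `if (token == null) { throw new CredentialsExpiredException("No ESIA access token for prnOid: " + prnOid); }` ahead of the return, or have getAccessToken delegate to validateAccessToken so both paths share one check.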
diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java index eedbebe..c9e91b8 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java @@ -65,7 +65,10 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil if (ids.length != 2) { throw new CredentialsExpiredException("Invalid token. User has no ervuId"); } - TokensStore.getAccessToken(token.getUserAccountId()); + boolean hasEsiaAccessToken = TokensStore.validateAccessToken(token.getUserAccountId()); + if (!hasEsiaAccessToken) { + throw new CredentialsExpiredException("ESIA access token is null"); + } } } catch (CredentialsExpiredException e) { From 1f6595b9549aea22f854bf7c1a9af6413019ea4b Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Tue, 24 Dec 2024 20:28:52 +0300 Subject: [PATCH 3/6] SUPPORT-8755: Fix --- .../security/webbpm/jwt/filter/JwtAuthenticationFilter.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java index c9e91b8..6a722ce 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java 
@@ -65,8 +65,8 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil if (ids.length != 2) { throw new CredentialsExpiredException("Invalid token. User has no ervuId"); } - boolean hasEsiaAccessToken = TokensStore.validateAccessToken(token.getUserAccountId()); - if (!hasEsiaAccessToken) { + boolean esiaAccessTokenIsValid = TokensStore.validateAccessToken(token.getUserAccountId()); + if (!esiaAccessTokenIsValid) { throw new CredentialsExpiredException("ESIA access token is null"); } } From 44bcba2faf50fed348a73bdb0ca96d4a90bf04b5 Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Tue, 24 Dec 2024 20:45:19 +0300 Subject: [PATCH 4/6] SUPPORT-8755: Fix --- .../security/esia/service/EsiaAuthService.java | 14 +++++++------- .../{TokensStore.java => EsiaTokensStore.java} | 7 +++---- .../esia/token/TokensClearShedulerService.java | 4 ++-- .../webbpm/jwt/filter/JwtAuthenticationFilter.java | 7 ++----- .../webbpm/jwt/service/JwtTokenService.java | 6 +++--- 5 files changed, 17 insertions(+), 21 deletions(-) rename backend/src/main/java/ru/micord/ervu/security/esia/token/{TokensStore.java => EsiaTokensStore.java} (93%) diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java index 08c9f82..f8ae592 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java 
@@ -27,7 +27,7 @@ import ru.micord.ervu.kafka.model.Document; import ru.micord.ervu.kafka.model.Person; import ru.micord.ervu.kafka.model.Response; import ru.micord.ervu.kafka.service.ReplyingKafkaService; -import ru.micord.ervu.security.esia.token.TokensStore; +import ru.micord.ervu.security.esia.token.EsiaTokensStore; import ru.micord.ervu.security.esia.config.EsiaConfig; import ru.micord.ervu.security.esia.model.FormUrlencoded; import ru.micord.ervu.security.esia.model.EsiaAccessToken; @@ -199,8 +199,8 @@ public class EsiaAuthService { EsiaAccessToken esiaAccessToken = personalDataService.readToken(esiaAccessTokenStr); String prnOid = esiaAccessToken.getSbj_id(); Long expiresIn = tokenResponse.getExpires_in(); - TokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn); - TokensStore.addRefreshToken(prnOid, esiaRefreshTokenStr, expiresIn); + EsiaTokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn); + EsiaTokensStore.addRefreshToken(prnOid, esiaRefreshTokenStr, expiresIn); Response ervuIdResponse = getErvuIdResponse(esiaAccessTokenStr); Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId()); int expiry = tokenResponse.getExpires_in().intValue(); 
@@ -276,8 +276,8 @@ public class EsiaAuthService { EsiaAccessToken esiaAccessToken = personalDataService.readToken(esiaAccessTokenStr); String prnOid = esiaAccessToken.getSbj_id(); Long expiresIn = tokenResponse.getExpires_in(); - TokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn); - TokensStore.addRefreshToken(prnOid, esiaNewRefreshTokenStr, expiresIn); + EsiaTokensStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn); + EsiaTokensStore.addRefreshToken(prnOid, esiaNewRefreshTokenStr, expiresIn); Response ervuIdResponse = getErvuIdResponse(esiaAccessTokenStr); Token token = jwtTokenService.createAccessToken(esiaAccessToken.getSbj_id(), expiresIn, ervuIdResponse.getErvuId()); int expiry = tokenResponse.getExpires_in().intValue(); @@ -335,8 +335,8 @@ public class EsiaAuthService { try { securityHelper.clearAccessCookies(response); String userId = jwtTokenService.getUserAccountId(request); - TokensStore.removeAccessToken(userId); - TokensStore.removeRefreshToken(userId); + EsiaTokensStore.removeAccessToken(userId); + EsiaTokensStore.removeRefreshToken(userId); String logoutUrl = esiaConfig.getEsiaBaseUri() + esiaConfig.getEsiaLogoutUrl(); String redirectUrl = esiaConfig.getRedirectUrl(); URL url = new URL(logoutUrl); diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java similarity index 93% rename from backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java rename to backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java index 9dd98e1..40b0d8f 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java 
@@ -8,7 +8,7 @@ import org.springframework.security.authentication.CredentialsExpiredException; /** * @author Eduard Tihomirov */ -public class TokensStore { +public class EsiaTokensStore { private static final Map accessTokensMap = new ConcurrentHashMap<>(); private static final Map refreshTokensMap = new ConcurrentHashMap<>(); @@ -23,15 +23,14 @@ public class TokensStore { return accessTokensMap.get(prnOid).getAccessToken(); } - public static boolean validateAccessToken(String prnOid) { + public static void validateAccessToken(String prnOid) { ExpiringToken token = accessTokensMap.get(prnOid); - if (token == null) { + if (token == null || token.getAccessToken() == null) { throw new CredentialsExpiredException("No ESIA access token for prnOid: " + prnOid); } else if (token.isExpired()) { throw new CredentialsExpiredException("ESIA access token expired for prnOid: " + prnOid); } - return token.getAccessToken() != null; } public static void removeExpiredAccessToken() { diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java index 4665295..89c9db4 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensClearShedulerService.java @@ -14,7 +14,7 @@ public class TokensClearShedulerService { @SchedulerLock(name = "clearToken") @Transactional public void load() { - TokensStore.removeExpiredRefreshToken(); - TokensStore.removeExpiredAccessToken(); + EsiaTokensStore.removeExpiredRefreshToken(); + EsiaTokensStore.removeExpiredAccessToken(); } } diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java index 6a722ce..eea559e 100644 
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java @@ -16,7 +16,7 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; import org.springframework.security.web.util.matcher.RequestMatcher; -import ru.micord.ervu.security.esia.token.TokensStore; +import ru.micord.ervu.security.esia.token.EsiaTokensStore; import ru.micord.ervu.security.webbpm.jwt.JwtAuthentication; import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper; import ru.micord.ervu.security.webbpm.jwt.model.Token; @@ -65,10 +65,7 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil if (ids.length != 2) { throw new CredentialsExpiredException("Invalid token. User has no ervuId"); } - boolean esiaAccessTokenIsValid = TokensStore.validateAccessToken(token.getUserAccountId()); - if (!esiaAccessTokenIsValid) { - throw new CredentialsExpiredException("ESIA access token is null"); - } + EsiaTokensStore.validateAccessToken(token.getUserAccountId()); } } catch (CredentialsExpiredException e) { diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java index 8b8c5d9..328fffd 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java 
@@ -14,7 +14,7 @@ import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Component; -import ru.micord.ervu.security.esia.token.TokensStore; +import ru.micord.ervu.security.esia.token.EsiaTokensStore; import ru.micord.ervu.security.webbpm.jwt.model.Token; import ru.cg.webbpm.modules.resources.api.ResourceMetadataUtils; @@ -77,11 +77,11 @@ public class JwtTokenService { } public String getAccessToken(HttpServletRequest request) { - return TokensStore.getAccessToken(getUserAccountId(request)); + return EsiaTokensStore.getAccessToken(getUserAccountId(request)); } public String getRefreshToken(HttpServletRequest request) { - return TokensStore.getRefreshToken(getUserAccountId(request)); + return EsiaTokensStore.getRefreshToken(getUserAccountId(request)); } public String getUserAccountId(HttpServletRequest request) { From 69f1094bbfe991536eac07c968efb672b23d4172 Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Wed, 25 Dec 2024 11:06:49 +0300 Subject: [PATCH 5/6] SUPPORT-8755: Fix --- .../micord/ervu/security/SecurityConfig.java | 6 ++-- .../security/esia/token/EsiaTokensStore.java | 14 ++++++--- .../webbpm/jwt/JwtAuthenticationProvider.java | 30 ++++++++++++++----- .../jwt/filter/JwtAuthenticationFilter.java | 18 ++--------- .../webbpm/jwt/service/JwtTokenService.java | 2 +- 5 files changed, 38 insertions(+), 32 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/SecurityConfig.java b/backend/src/main/java/ru/micord/ervu/security/SecurityConfig.java index 5f088ea..e497c26 100644 --- a/backend/src/main/java/ru/micord/ervu/security/SecurityConfig.java +++ b/backend/src/main/java/ru/micord/ervu/security/SecurityConfig.java 
@@ -25,7 +25,6 @@ import ru.micord.ervu.security.webbpm.jwt.JwtMatcher; import ru.micord.ervu.security.webbpm.jwt.UnauthorizedEntryPoint; import ru.micord.ervu.security.webbpm.jwt.filter.JwtAuthenticationFilter; import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper; -import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService; import static ru.micord.ervu.security.SecurityConstants.ESIA_LOGOUT; @@ -105,10 +104,9 @@ public class SecurityConfig { @Bean public JwtAuthenticationFilter jwtAuthenticationFilter(SecurityHelper securityHelper, - AuthenticationManager manager, - JwtTokenService jwtTokenService) { + AuthenticationManager manager) { JwtAuthenticationFilter jwtAuthenticationFilter = new JwtAuthenticationFilter( - new JwtMatcher("/**", PERMIT_ALL), entryPoint(), securityHelper, jwtTokenService); + new JwtMatcher("/**", PERMIT_ALL), entryPoint(), securityHelper); jwtAuthenticationFilter.setAuthenticationManager(manager); return jwtAuthenticationFilter; } diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java index 40b0d8f..7f56cc4 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/EsiaTokensStore.java @@ -1,14 +1,17 @@ package ru.micord.ervu.security.esia.token; +import java.lang.invoke.MethodHandles; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; -import org.springframework.security.authentication.CredentialsExpiredException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * @author Eduard Tihomirov */ public class EsiaTokensStore { + private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); private static final Map accessTokensMap = new ConcurrentHashMap<>(); private static final Map refreshTokensMap = new ConcurrentHashMap<>(); 
@@ -23,14 +26,17 @@ public class EsiaTokensStore { return accessTokensMap.get(prnOid).getAccessToken(); } - public static void validateAccessToken(String prnOid) { + public static boolean validateAccessToken(String prnOid) { ExpiringToken token = accessTokensMap.get(prnOid); if (token == null || token.getAccessToken() == null) { - throw new CredentialsExpiredException("No ESIA access token for prnOid: " + prnOid); + LOGGER.error("No ESIA access token for prnOid: " + prnOid); + return false; } else if (token.isExpired()) { - throw new CredentialsExpiredException("ESIA access token expired for prnOid: " + prnOid); + LOGGER.error("ESIA access token expired for prnOid: " + prnOid); + return false; } + return true; } public static void removeExpiredAccessToken() { diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java index f709679..122cd60 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java @@ -2,6 +2,8 @@ package ru.micord.ervu.security.webbpm.jwt; import java.util.Collections; +import javax.servlet.http.HttpServletRequest; + import io.jsonwebtoken.ExpiredJwtException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.AuthenticationProvider; 
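Review bot: validateAccessToken now reports the missing and expired cases at ERROR with string concatenation; an expired or already-removed ESIA token is an expected outcome of a per-request check (logout, natural expiry), so WARN with SLF4J placeholders fits better and avoids building the message when the level is disabled: `LOGGER.warn("No ESIA access token for prnOid: {}", prnOid);` and `LOGGER.warn("ESIA access token expired for prnOid: {}", prnOid);`. The method's contract has changed three times in this series (boolean, void-throwing, boolean again), so a Javadoc summary stating that it returns false rather than throwing, and that the caller is expected to reject the request on false, would help the next reader. The entry is also left in the map when it is found expired; if removeExpiredAccessToken is the only cleanup, a comment saying so would be useful.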
@@ -11,9 +13,13 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.stereotype.Component; +import org.springframework.web.context.request.RequestAttributes; +import org.springframework.web.context.request.RequestContextHolder; import ru.micord.ervu.security.webbpm.jwt.model.Token; import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService; +import static org.springframework.web.context.request.RequestAttributes.REFERENCE_REQUEST; + @Component public class JwtAuthenticationProvider implements AuthenticationProvider { 
@@ -42,16 +48,24 @@ public class JwtAuthenticationProvider implements AuthenticationProvider { throw new BadCredentialsException("Authentication Failed.", e); } - if (!jwtTokenService.isValid(token)) { - throw new BadCredentialsException("Auth token is not valid for user " + token.getUserAccountId()); + if (jwtTokenService.isValid(token)) { + RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes(); + HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference( + REFERENCE_REQUEST); + String[] ids = token.getUserAccountId().split(":"); + if (request != null && (request.getRequestURI() + .endsWith("esia/logout") || ids.length == 2)) { + UsernamePasswordAuthenticationToken pwdToken = + UsernamePasswordAuthenticationToken.authenticated(token.getUserAccountId(), null, + Collections.emptyList() + ); + + return new JwtAuthentication(pwdToken, token.getUserAccountId(), token.getValue()); + } } - UsernamePasswordAuthenticationToken pwdToken = - UsernamePasswordAuthenticationToken.authenticated(token.getUserAccountId(), null, - Collections.emptyList() - ); - - return new JwtAuthentication(pwdToken, token.getUserAccountId(), token.getValue()); + throw new BadCredentialsException( + "Auth token is not valid for user " + token.getUserAccountId()); } @Override diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java index eea559e..5ea0c82 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java 
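Review bot: `RequestContextHolder.getRequestAttributes()` can return null when authenticate() runs on a thread with no bound request, and the new code dereferences `requestAttributes.resolveReference(REFERENCE_REQUEST)` without checking it; the patch 6 hunk on this method guards `request == null` but still not `requestAttributes`. A NullPointerException here, like the IllegalStateException patch 6 introduces, is not an AuthenticationException and so bypasses the `catch (AuthenticationException e)` that patch 5 adds to JwtAuthenticationFilter, producing a 500 instead of the clear-cookies-and-401 path. Suggest `if (requestAttributes == null) { throw new BadCredentialsException("No request bound to the current thread"); }` before the cast. The `endsWith("esia/logout")` test also accepts any URI with that suffix; if a single endpoint is meant, comparing against the SecurityConstants.ESIA_LOGOUT value imported by SecurityConfig would be tighter and keep the path in one place.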
@@ -36,16 +36,12 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil private final SecurityHelper securityHelper; - private final JwtTokenService jwtTokenService; - public JwtAuthenticationFilter(RequestMatcher requestMatcher, AuthenticationEntryPoint entryPoint, - SecurityHelper securityHelper, - JwtTokenService jwtTokenService) { + SecurityHelper securityHelper) { super(requestMatcher); this.entryPoint = entryPoint; this.securityHelper = securityHelper; - this.jwtTokenService = jwtTokenService; } @Override @@ -59,19 +55,11 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil } try { authentication = getAuthenticationManager().authenticate(authentication); - if (!httpServletRequest.getRequestURI().endsWith("esia/logout")) { - Token token = jwtTokenService.getToken(tokenStr); - String[] ids = token.getUserAccountId().split(":"); - if (ids.length != 2) { - throw new CredentialsExpiredException("Invalid token. User has no ervuId"); - } - EsiaTokensStore.validateAccessToken(token.getUserAccountId()); - } } - catch (CredentialsExpiredException e) { + catch (AuthenticationException e) { + LOGGER.warn(e.getMessage()); securityHelper.clearAccessCookies(httpServletResponse); httpServletResponse.setStatus(401); - LOGGER.warn(e.getMessage()); return null; } return authentication; diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java index 328fffd..579d72f 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java 
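Review bot: Widening the catch in the second hunk to `AuthenticationException` means every provider failure (bad signature, expired JWT, and the new ESIA store check) now clears cookies, sets 401 and returns null from attemptAuthentication, so the entry point passed to the constructor and the base class's unsuccessfulAuthentication hook are no longer reached for those cases; if that is intended, a one-line comment on the catch stating it would stop the next reader from re-adding them. Only the message is logged; `LOGGER.warn("Authentication failed: {}", e.getMessage());` keeps the SLF4J style, and logging the exception object at DEBUG preserves the cause for diagnosis. Removing the body that referenced `EsiaTokensStore`, `Token` and `CredentialsExpiredException` likely leaves those imports unused in this file, since the import hunk is not part of this patch, so they should be dropped.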
@@ -64,7 +64,7 @@ public class JwtTokenService { LOGGER.info("Token {} is expired ", token.getValue()); return false; } - return true; + return EsiaTokensStore.validateAccessToken(token.getUserAccountId()); } public Token getToken(String token) { From 3f0a7fa5c1056f48c2bf0d2302c613be5d4cfffa Mon Sep 17 00:00:00 2001 From: Eduard Tihomirov Date: Wed, 25 Dec 2024 12:46:10 +0300 Subject: [PATCH 6/6] SUPPORT-8755: Fix --- .../ervu/security/webbpm/jwt/JwtAuthenticationProvider.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java index 122cd60..05fb495 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/JwtAuthenticationProvider.java @@ -53,8 +53,10 @@ public class JwtAuthenticationProvider implements AuthenticationProvider { HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference( REFERENCE_REQUEST); String[] ids = token.getUserAccountId().split(":"); - if (request != null && (request.getRequestURI() - .endsWith("esia/logout") || ids.length == 2)) { + if (request == null) { + throw new IllegalStateException("No request found in request attributes"); + } + if (request.getRequestURI().endsWith("esia/logout") || ids.length == 2) { UsernamePasswordAuthenticationToken pwdToken = UsernamePasswordAuthenticationToken.authenticated(token.getUserAccountId(), null, Collections.emptyList()
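Review bot: `isValid` now returns false whenever `EsiaTokensStore.validateAccessToken` finds no live entry, which ties JWT validity to an in-memory `ConcurrentHashMap`: after a restart, or on an instance other than the one that handled the ESIA callback, every otherwise valid JWT is rejected, and the `esia/logout` allowance added to JwtAuthenticationProvider in the same patch cannot help those users because it sits behind `if (jwtTokenService.isValid(token))`. If binding the session to the stored ESIA token is the intent, document it on isValid, e.g. `@return false when the signed JWT is fine but no unexpired ESIA access token is stored for its user account id`; otherwise the logout request should bypass the store check so the ESIA session can still be ended. The rest of isValid starts outside the hunk.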