/*
* Copyright 1999-2018 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.alibaba.csp.sentinel.dashboard.auth;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.util.AntPathMatcher;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;
/**
* The Servlet filter for authentication.
*
* Note: some urls are excluded as they needn't auth, such as:
*
* - index url: {@code /}
* - authentication request url: {@code /login}, {@code /logout}
* - machine registry: {@code /registry/machine}
* - static resources
*
*
* The excluded urls and urlSuffixes could be configured in {@code application.properties} file.
*
* @author cdfive
* @since 1.6.0
*/
public class DefaultLoginAuthenticationFilter implements LoginAuthenticationFilter {
private static final AntPathMatcher PATH_MATCHER = new AntPathMatcher();
private static final String URL_SUFFIX_DOT = ".";
/**
* Some urls which needn't auth, such as /auth/login, /registry/machine and so on.
*/
@Value("#{'${auth.filter.exclude-urls}'.split(',')}")
private List authFilterExcludeUrls;
/**
* Some urls with suffixes which needn't auth, such as htm, html, js and so on.
*/
@Value("#{'${auth.filter.exclude-url-suffixes}'.split(',')}")
private List authFilterExcludeUrlSuffixes;
/**
* Authentication using AuthService interface.
*/
private final AuthService authService;
public DefaultLoginAuthenticationFilter(AuthService authService) {
this.authService = authService;
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
String servletPath = httpRequest.getServletPath();
// Exclude the urls which needn't auth
boolean authFilterExcludeMatch = authFilterExcludeUrls.stream()
.anyMatch(authFilterExcludeUrl -> PATH_MATCHER.match(authFilterExcludeUrl, servletPath));
if (authFilterExcludeMatch) {
chain.doFilter(request, response);
return;
}
// Exclude the urls with suffixes which needn't auth
for (String authFilterExcludeUrlSuffix : authFilterExcludeUrlSuffixes) {
if (StringUtils.isBlank(authFilterExcludeUrlSuffix)) {
continue;
}
// Add . for url suffix so that we needn't add . in property file
if (!authFilterExcludeUrlSuffix.startsWith(URL_SUFFIX_DOT)) {
authFilterExcludeUrlSuffix = URL_SUFFIX_DOT + authFilterExcludeUrlSuffix;
}
if (servletPath.endsWith(authFilterExcludeUrlSuffix)) {
chain.doFilter(request, response);
return;
}
}
AuthService.AuthUser authUser = authService.getAuthUser(httpRequest);
HttpServletResponse httpResponse = (HttpServletResponse) response;
if (authUser == null) {
// If auth fail, set response status code to 401
httpResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
} else {
chain.doFilter(request, response);
}
}
@Override
public void destroy() {
}
}