fix security bug

Author: xlorne

pom.xml

@@ -12,7 +12,7 @@
 
     <groupId>com.codingapi.springboot</groupId>
     <artifactId>springboot-parent</artifactId>
-    <version>2.0.0</version>
+    <version>2.0.1</version>
 
     <url>https://github.com/codingapi/springboot-framewrok</url>
     <name>springboot-parent</name>

springboot-starter-data-fast/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>springboot-parent</artifactId>
         <groupId>com.codingapi.springboot</groupId>
-        <version>2.0.0</version>
+        <version>2.0.1</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

springboot-starter-id-generator/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>springboot-parent</artifactId>
         <groupId>com.codingapi.springboot</groupId>
-        <version>2.0.0</version>
+        <version>2.0.1</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

springboot-starter-security-jwt/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <artifactId>springboot-parent</artifactId>
         <groupId>com.codingapi.springboot</groupId>
-        <version>2.0.0</version>
+        <version>2.0.1</version>
     </parent>
 
     <artifactId>springboot-starter-security-jwt</artifactId>

springboot-starter-security-jwt/src/main/java/com/codingapi/springboot/security/AutoConfiguration.java

@@ -58,16 +58,18 @@ public PasswordEncoder passwordEncoder() {
     @ConditionalOnMissingBean
     public SecurityLoginHandler securityLoginHandler(){
         return (request, response, handler) -> {
-
         };
     }
 
+
     @Bean
     @ConditionalOnMissingBean
     public SecurityFilterChain filterChain(HttpSecurity security, Jwt jwt,SecurityLoginHandler loginHandler,
                                            SecurityJwtProperties properties) throws Exception {
-        //before add addCorsMappings to enable cors.
+        //disable basic auth
         security.httpBasic().disable();
+
+        //before add addCorsMappings to enable cors.
         security.cors();
         if(properties.isDisableCsrf() ){
             security.csrf().disable();
@@ -78,9 +80,12 @@ public SecurityFilterChain filterChain(HttpSecurity security, Jwt jwt,SecurityLo
                 .authenticationEntryPoint(new MyUnAuthenticationEntryPoint())
                 .accessDeniedHandler(new MyAccessDeniedHandler())
                 .and()
-                .authorizeHttpRequests()
-                .requestMatchers(properties.getAuthenticatedUrls()).authenticated()
-                .and()
+                .authorizeHttpRequests(
+                        registry -> {
+                            registry.requestMatchers(properties.getAuthenticatedUrls()).authenticated()
+                                    .anyRequest().permitAll();
+                        }
+                )
                 //default login url :/login
                 .formLogin()
                 .loginProcessingUrl(properties.getLoginProcessingUrl())
@@ -90,8 +95,7 @@ public SecurityFilterChain filterChain(HttpSecurity security, Jwt jwt,SecurityLo
                 .logout()
                 .logoutUrl(properties.getLogoutUrl())
                 .addLogoutHandler(new MyLogoutHandler())
-                .logoutSuccessHandler(new MyLogoutSuccessHandler())
-                .permitAll();
+                .logoutSuccessHandler(new MyLogoutSuccessHandler());
 
         return security.build();
     }

springboot-starter-security-jwt/src/main/java/com/codingapi/springboot/security/filter/MyAuthenticationFilter.java

@@ -5,18 +5,23 @@
 import com.codingapi.springboot.security.exception.TokenExpiredException;
 import com.codingapi.springboot.security.jwt.Jwt;
 import com.codingapi.springboot.security.jwt.Token;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.io.IOUtils;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.www.BasicAuthenticationConverter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
-import jakarta.servlet.FilterChain;
-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 
 @Slf4j
@@ -26,15 +31,33 @@ public class MyAuthenticationFilter extends BasicAuthenticationFilter {
 
     private final Jwt jwt;
 
+    private final BasicAuthenticationConverter authenticationConverter = new BasicAuthenticationConverter();
+
     public MyAuthenticationFilter(AuthenticationManager authenticationManager, Jwt jwt) {
         super(authenticationManager);
         this.jwt = jwt;
     }
 
+    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
+        this.authenticationConverter.setAuthenticationDetailsSource(authenticationDetailsSource);
+    }
+
+    public void setCredentialsCharset(String credentialsCharset) {
+        Assert.hasText(credentialsCharset, "credentialsCharset cannot be null or empty");
+        this.authenticationConverter.setCredentialsCharset(Charset.forName(credentialsCharset));
+    }
+
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
         log.debug("token authentication ~");
 
+        UsernamePasswordAuthenticationToken authRequest = authenticationConverter.convert(request);
+        if (authRequest == null) {
+            this.logger.trace("Did not process authentication request since failed to find username and password in Basic Authorization header");
+            chain.doFilter(request, response);
+            return;
+        }
+
         String sign = request.getHeader(TOKEN_KEY);
         if (!StringUtils.hasLength(sign)) {
             writeResponse(response, Response.buildFailure("token.error", "token must not null."));

springboot-starter/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <groupId>com.codingapi.springboot</groupId>
         <artifactId>springboot-parent</artifactId>
-        <version>2.0.0</version>
+        <version>2.0.1</version>
     </parent>
     <artifactId>springboot-starter</artifactId>