|
|
@ -28,11 +28,15 @@ import org.libresonic.player.domain.User; |
|
|
|
import org.libresonic.player.domain.Version; |
|
|
|
import org.libresonic.player.domain.Version; |
|
|
|
import org.libresonic.player.service.SecurityService; |
|
|
|
import org.libresonic.player.service.SecurityService; |
|
|
|
import org.libresonic.player.util.StringUtil; |
|
|
|
import org.libresonic.player.util.StringUtil; |
|
|
|
|
|
|
|
import org.springframework.context.ApplicationEventPublisher; |
|
|
|
|
|
|
|
import org.springframework.security.authentication.AuthenticationDetailsSource; |
|
|
|
import org.springframework.security.authentication.AuthenticationManager; |
|
|
|
import org.springframework.security.authentication.AuthenticationManager; |
|
|
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; |
|
|
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; |
|
|
|
|
|
|
|
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent; |
|
|
|
import org.springframework.security.core.Authentication; |
|
|
|
import org.springframework.security.core.Authentication; |
|
|
|
import org.springframework.security.core.AuthenticationException; |
|
|
|
import org.springframework.security.core.AuthenticationException; |
|
|
|
import org.springframework.security.core.context.SecurityContextHolder; |
|
|
|
import org.springframework.security.core.context.SecurityContextHolder; |
|
|
|
|
|
|
|
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; |
|
|
|
import org.springframework.security.web.util.matcher.RegexRequestMatcher; |
|
|
|
import org.springframework.security.web.util.matcher.RegexRequestMatcher; |
|
|
|
import org.springframework.security.web.util.matcher.RequestMatcher; |
|
|
|
import org.springframework.security.web.util.matcher.RequestMatcher; |
|
|
|
|
|
|
|
|
|
|
@ -60,7 +64,8 @@ public class RESTRequestParameterProcessingFilter implements Filter { |
|
|
|
private final JAXBWriter jaxbWriter = new JAXBWriter(); |
|
|
|
private final JAXBWriter jaxbWriter = new JAXBWriter(); |
|
|
|
private AuthenticationManager authenticationManager; |
|
|
|
private AuthenticationManager authenticationManager; |
|
|
|
private SecurityService securityService; |
|
|
|
private SecurityService securityService; |
|
|
|
private LoginFailureLogger loginFailureLogger; |
|
|
|
private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource(); |
|
|
|
|
|
|
|
private ApplicationEventPublisher eventPublisher; |
|
|
|
|
|
|
|
|
|
|
|
private static RequestMatcher requiresAuthenticationRequestMatcher = new RegexRequestMatcher("/rest/.+",null); |
|
|
|
private static RequestMatcher requiresAuthenticationRequestMatcher = new RegexRequestMatcher("/rest/.+",null); |
|
|
|
|
|
|
|
|
|
|
@ -110,15 +115,12 @@ public class RESTRequestParameterProcessingFilter implements Filter { |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
if (errorCode == null) { |
|
|
|
if (errorCode == null) { |
|
|
|
errorCode = authenticate(username, password, salt, token, previousAuth); |
|
|
|
errorCode = authenticate(httpRequest, username, password, salt, token, previousAuth); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
if (errorCode == null) { |
|
|
|
if (errorCode == null) { |
|
|
|
chain.doFilter(request, response); |
|
|
|
chain.doFilter(request, response); |
|
|
|
} else { |
|
|
|
} else { |
|
|
|
if (errorCode == RESTController.ErrorCode.NOT_AUTHENTICATED) { |
|
|
|
|
|
|
|
loginFailureLogger.log(request.getRemoteAddr(), username); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
SecurityContextHolder.getContext().setAuthentication(null); |
|
|
|
SecurityContextHolder.getContext().setAuthentication(null); |
|
|
|
sendErrorXml(httpRequest, httpResponse, errorCode); |
|
|
|
sendErrorXml(httpRequest, httpResponse, errorCode); |
|
|
|
} |
|
|
|
} |
|
|
@ -138,7 +140,7 @@ public class RESTRequestParameterProcessingFilter implements Filter { |
|
|
|
return null; |
|
|
|
return null; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private RESTController.ErrorCode authenticate(String username, String password, String salt, String token, Authentication previousAuth) { |
|
|
|
private RESTController.ErrorCode authenticate(HttpServletRequest httpRequest, String username, String password, String salt, String token, Authentication previousAuth) { |
|
|
|
|
|
|
|
|
|
|
|
// Previously authenticated and username not overridden?
|
|
|
|
// Previously authenticated and username not overridden?
|
|
|
|
if (username == null && previousAuth != null) { |
|
|
|
if (username == null && previousAuth != null) { |
|
|
@ -159,12 +161,14 @@ public class RESTRequestParameterProcessingFilter implements Filter { |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
if (password != null) { |
|
|
|
if (password != null) { |
|
|
|
try { |
|
|
|
|
|
|
|
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); |
|
|
|
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); |
|
|
|
|
|
|
|
authRequest.setDetails(authenticationDetailsSource.buildDetails(httpRequest)); |
|
|
|
|
|
|
|
try { |
|
|
|
Authentication authResult = authenticationManager.authenticate(authRequest); |
|
|
|
Authentication authResult = authenticationManager.authenticate(authRequest); |
|
|
|
SecurityContextHolder.getContext().setAuthentication(authResult); |
|
|
|
SecurityContextHolder.getContext().setAuthentication(authResult); |
|
|
|
return null; |
|
|
|
return null; |
|
|
|
} catch (AuthenticationException x) { |
|
|
|
} catch (AuthenticationException x) { |
|
|
|
|
|
|
|
eventPublisher.publishEvent(new AuthenticationFailureBadCredentialsEvent(authRequest, x)); |
|
|
|
return RESTController.ErrorCode.NOT_AUTHENTICATED; |
|
|
|
return RESTController.ErrorCode.NOT_AUTHENTICATED; |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
@ -213,8 +217,7 @@ public class RESTRequestParameterProcessingFilter implements Filter { |
|
|
|
this.securityService = securityService; |
|
|
|
this.securityService = securityService; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
public void setEventPublisher(ApplicationEventPublisher eventPublisher) { |
|
|
|
public void setLoginFailureLogger(LoginFailureLogger loginFailureLogger) { |
|
|
|
this.eventPublisher = eventPublisher; |
|
|
|
this.loginFailureLogger = loginFailureLogger; |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|