From f993296b0be3737c6e10fecf9cae2fa6f7a1997f Mon Sep 17 00:00:00 2001 From: Hamid Reza Sharifi Date: Thu, 25 May 2023 13:17:53 +0330 Subject: [PATCH] Bael 5711: Securing Spring Boot API with API key and secret (#14102) * #bael-5711: add source * #bael-5711: remove extra space * #bael-5711: remove extra space * #bael-5711: remove extra space * #bael-5711: add custom message * #bael-5711: refactor return null --------- Co-authored-by: h_sharifi --- .../configuration/AuthenticationFilter.java | 18 ++++++++++++++++-- .../configuration/AuthenticationService.java | 7 ++++--- 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationFilter.java b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationFilter.java
index 6c82f9c9ef..aa4badcfb0 100644
--- a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationFilter.java
+++ b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationFilter.java
@@ -1,5 +1,6 @@
 package com.baeldung.apikeyauthentication.configuration;
+import org.springframework.http.MediaType;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.filter.GenericFilterBean;
@@ -8,15 +9,28 @@ import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.io.PrintWriter;
 public class AuthenticationFilter extends GenericFilterBean {
 @Override
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
- Authentication authentication = AuthenticationService.getAuthentication((HttpServletRequest) request);
- SecurityContextHolder.getContext().setAuthentication(authentication);
+ try {
+ Authentication authentication = AuthenticationService.getAuthentication((HttpServletRequest) request);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+ } catch (Exception exp) {
+ HttpServletResponse httpResponse = (HttpServletResponse) response;
+ httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ httpResponse.setContentType(MediaType.APPLICATION_JSON_VALUE);
+ PrintWriter writer = httpResponse.getWriter();
+ writer.print(exp.getMessage());
+ writer.flush();
+ writer.close();
+ }
+ filterChain.doFilter(request, response);
 }
 }
diff --git a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationService.java b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationService.java
index 14183f9f62..c788f7cdd8 100644
--- a/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationService.java
+++ b/spring-security-modules/spring-security-web-boot-4/src/main/java/com/baeldung/apikeyauthentication/configuration/AuthenticationService.java
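Review bot: After the catch block has written the 401 body, control still reaches `filterChain.doFilter(request, response)` at the end of `doFilter`, so a request with a missing or wrong key is dispatched down the chain with no `Authentication` set and a response whose writer is already closed; end the failure path with `writer.close(); return;` (or let the `BadCredentialsException` propagate to an `AuthenticationEntryPoint`) so the rejected request stops in this filter. `catch (Exception exp)` also turns any unrelated runtime failure inside `getAuthentication` into a 401 whose body is `exp.getMessage()`, which can echo internal error text to the caller; narrowing it to `catch (AuthenticationException exp)` keeps the 401 to real credential failures, and the body should be a fixed message rather than the exception's text. The response is declared `MediaType.APPLICATION_JSON_VALUE` but `writer.print(exp.getMessage())` emits bare text, not a JSON document; either write an object such as `{"error":"Invalid API Key"}` or set the content type to text/plain.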
@@ -1,5 +1,6 @@
 package com.baeldung.apikeyauthentication.configuration;
+import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
 import javax.servlet.http.HttpServletRequest;
@@ -11,10 +12,10 @@ public class AuthenticationService {
 public static Authentication getAuthentication(HttpServletRequest request) {
 String apiKey = request.getHeader(AUTH_TOKEN_HEADER_NAME);
- if (apiKey != null && apiKey.equals(AUTH_TOKEN)) {
- return new ApiKeyAuthentication(apiKey, AuthorityUtils.NO_AUTHORITIES);
+ if (apiKey == null || !apiKey.equals(AUTH_TOKEN)) {
+ throw new BadCredentialsException("Invalid API Key");
 }
- return null;
+ return new ApiKeyAuthentication(apiKey, AuthorityUtils.NO_AUTHORITIES);
 }
 }
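Review bot: The new guard still compares the presented key with `apiKey.equals(AUTH_TOKEN)`, and `String.equals` returns at the first differing character, so response timing can leak how much of the key prefix an attacker already has right; use a constant-time comparison, `if (apiKey == null || !MessageDigest.isEqual(apiKey.getBytes(StandardCharsets.UTF_8), AUTH_TOKEN.getBytes(StandardCharsets.UTF_8)))` (imports `java.security.MessageDigest` and `java.nio.charset.StandardCharsets`). `getAuthentication` now throws instead of returning `null`, which changes its contract for every caller, so the method's Javadoc should say so, e.g. `@throws BadCredentialsException if the header is absent or does not match the configured key`. The returned `ApiKeyAuthentication` carries `AuthorityUtils.NO_AUTHORITIES`, so any downstream `hasRole`/`hasAuthority` rule will reject it; presumably intended for this sample, but worth a one-line comment. `AUTH_TOKEN` and `AUTH_TOKEN_HEADER_NAME` are declared outside the hunk.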