rest - Why is my spring boot stateless filter being called twice? -


i'm trying implement stateless token-based authentication on rest api i've developed using spring boot. idea client includes jwt token request, , filter extracts request, , sets securitycontext relevant authentication object based on contents of token. request routed normal, , secured using @preauthorize on mapped method.

my security config follows :

@configuration @enablewebsecurity @enableglobalmethodsecurity(prepostenabled = true) public class securityconfig extends websecurityconfigureradapter {  @autowired private jwttokenauthenticationservice authenticationservice;  @override protected void configure(httpsecurity http) throws exception {     http         .csrf().disable()         .headers().addheaderwriter(new xframeoptionsheaderwriter(xframeoptionsmode.sameorigin))         .and()         .authorizerequests()             .antmatchers("/auth/**").permitall()             .antmatchers("/api/**").authenticated()             .and()         .addfilterbefore(new statelessauthenticationfilter(authenticationservice), usernamepasswordauthenticationfilter.class); }

with stateless filter extends genericfilterbean defined follows :

public class statelessauthenticationfilter extends genericfilterbean {      private static logger logger = logger.getlogger(statelessauthenticationfilter.class);      private jwttokenauthenticationservice authenticationservice;      public statelessauthenticationfilter(jwttokenauthenticationservice authenticationservice)     {         this.authenticationservice = authenticationservice;     }      @override     public void dofilter(   servletrequest request,                             servletresponse response,                             filterchain chain) throws ioexception, servletexception {          httpservletrequest httprequest = (httpservletrequest) request;         authentication authentication = authenticationservice.getauthentication(httprequest);         securitycontextholder.getcontext().setauthentication(authentication);          logger.info("===== security context before request =====");         logger.info("request for: " + httprequest.getrequesturi());         logger.info(securitycontextholder.getcontext().getauthentication());         logger.info("===========================================");          chain.dofilter(request, response);          securitycontextholder.getcontext().setauthentication(null);         logger.info("===== security context after request =====");         logger.info("request for: " + httprequest.getrequesturi());          logger.info(securitycontextholder.getcontext().getauthentication());         logger.info("===========================================");     }  }

and endpoint defined :

@preauthorize("hasauthority('user')") @requestmapping (   value="/api/attachments/{attachmentid}/{filename:.+}",                     method = requestmethod.get) public responseentity<byte[]> getattacheddocumentendpoint(@pathvariable string attachmentid, @pathvariable string filename) {     logger.info("get called /attachments/" + attachmentid + "/" + filename);      // file, , return responseentity<byte[]> object }

when doing on /api/attachments/someattachment/somefilename, including token, can see filter being invoked twice, once apparently token, , once without. restcontroller mapped request called once.

[info] [06-04-2015 12:26:44,465] [jwttokenauthenticationservice] getauthentication - getting authentication based on token supplied in http header [info] [06-04-2015 12:26:44,473] [statelessauthenticationfilter] dofilter - ===== security context before request ===== [info] [06-04-2015 12:26:44,473] [statelessauthenticationfilter] dofilter - request for: /api/attachments/1674b08b6bbd54a6efaff4a780001a9e/jpg.png [info] [06-04-2015 12:26:44,474] [statelessauthenticationfilter] dofilter - name:iser, principal:user, isauthenticated:true, grantedauthorites:[user] [info] [06-04-2015 12:26:44,474] [statelessauthenticationfilter] dofilter - =========================================== [info] [06-04-2015 12:26:44,476] [attachmentrestcontroller] getattacheddocumentendpoint - called /api/attachments/1674b08b6bbd54a6efaff4a780001a9e/jpg.png [info] [06-04-2015 12:26:44,477] [attachmentdbcontroller] getattachment - getattachment method called attachmentid:1674b08b6bbd54a6efaff4a780001a9e , , filename:jpg.png [info] [06-04-2015 12:26:44,483] [statelessauthenticationfilter] dofilter - ===== security context after request ===== [info] [06-04-2015 12:26:44,484] [statelessauthenticationfilter] dofilter - request for: /api/attachments/1674b08b6bbd54a6efaff4a780001a9e/jpg.png [info] [06-04-2015 12:26:44,484] [statelessauthenticationfilter] dofilter -  [info] [06-04-2015 12:26:44,484] [statelessauthenticationfilter] dofilter - =========================================== [info] [06-04-2015 12:26:44,507] [jwttokenauthenticationservice] getauthentication - no token supplied in http header [info] [06-04-2015 12:26:44,507] [statelessauthenticationfilter] dofilter - ===== security context before request ===== [info] [06-04-2015 12:26:44,507] [statelessauthenticationfilter] dofilter - request for: /api/attachments/1674b08b6bbd54a6efaff4a780001a9e/jpg.png [info] [06-04-2015 12:26:44,507] [statelessauthenticationfilter] dofilter -  [info] [06-04-2015 12:26:44,508] [statelessauthenticationfilter] dofilter - =========================================== [info] [06-04-2015 12:26:44,508] [statelessauthenticationfilter] dofilter - ===== security context after request ===== [info] [06-04-2015 12:26:44,508] [statelessauthenticationfilter] dofilter - request for: /api/attachments/1674b08b6bbd54a6efaff4a780001a9e/jpg.png [info] [06-04-2015 12:26:44,508] [statelessauthenticationfilter] dofilter -  [info] [06-04-2015 12:26:44,508] [statelessauthenticationfilter] dofilter - ===========================================

what's going on here ?

edit :

it's stranger first thought - implementing simple endpoint returns simple message displays expected behaviour - it's seems when try return data responseentity above problem occur.

endpoint :

@preauthorize("hasauthority('user')") @requestmapping("/api/userhelloworld") public string userhelloworld() {     return "hello secure user world"; }

output, showing single call filter (with debug on):

[info] [06-04-2015 19:43:25,831] [jwttokenauthenticationservice] getauthentication - getting authentication based on token supplied in http header [info] [06-04-2015 19:43:25,844] [statelessauthenticationfilter] dofilterinternal - ===== security context before request ===== [info] [06-04-2015 19:43:25,844] [statelessauthenticationfilter] dofilterinternal - request for: /api/userhelloworld [info] [06-04-2015 19:43:25,844] [statelessauthenticationfilter] dofilterinternal - response = null 200 [info] [06-04-2015 19:43:25,844] [statelessauthenticationfilter] dofilterinternal - name:user, principal:user, isauthenticated:true, grantedauthorites:[user] [info] [06-04-2015 19:43:25,845] [statelessauthenticationfilter] dofilterinternal - =========================================== [debug] [06-04-2015 19:43:25,845] [dispatcherservlet] doservice - dispatcherservlet name 'dispatcherservlet' processing request [/api/userhelloworld] [debug] [06-04-2015 19:43:25,847] [abstracthandlermethodmapping] gethandlerinternal - looking handler method path /api/userhelloworld [debug] [06-04-2015 19:43:25,848] [abstracthandlermethodmapping] gethandlerinternal - returning handler method [public java.lang.string restcontroller.userhelloworld()] [debug] [06-04-2015 19:43:25,849] [dispatcherservlet] dodispatch - last-modified value [/api/userhelloworld] is: -1 [debug] [06-04-2015 19:43:25,851] [abstractmessageconvertermethodprocessor] writewithmessageconverters - written [hello secure user world] "text/plain;charset=utf-8" using [org.springframework.http.converter.stringhttpmessageconverter@3eaf6fe7] [debug] [06-04-2015 19:43:25,852] [dispatcherservlet] processdispatchresult - null modelandview returned dispatcherservlet name 'dispatcherservlet': assuming handleradapter completed request handling [debug] [06-04-2015 19:43:25,852] [frameworkservlet] processrequest - completed request [info] [06-04-2015 19:43:25,852] [statelessauthenticationfilter] dofilterinternal - ===== security context after request ===== [info] [06-04-2015 19:43:25,853] [statelessauthenticationfilter] dofilterinternal - request for: /api/userhelloworld [info] [06-04-2015 19:43:25,853] [statelessauthenticationfilter] dofilterinternal - response = text/plain;charset=utf-8 200 [info] [06-04-2015 19:43:25,853] [statelessauthenticationfilter] dofilterinternal -  [info] [06-04-2015 19:43:25,853] [statelessauthenticationfilter] dofilterinternal - ===========================================

okay - pretty ridiculous, seems it's issue way invoking request (via postman chrome extension)

postman seems fire in 2 requests, 1 headers, 1 without. there's open bug report describing here : https://github.com/a85/postman-chrome-extension/issues/615

the behaviour not seen if request invoked using curl, or straight browser.


Comments

Post a Comment

Popular posts from this blog

Magento/PHP - Get phones on all members in a customer group -

i working on custom magento extension. working around adminhtml part , i've created custom form there. here form code: <?php class vivasindustries_smsnotification_block_adminhtml_sms_sendmass_edit_form extends mage_adminhtml_block_widget_form { public function _preparelayout() { $extensionpath = mage::getmoduledir('js', 'vivasindustries_smsnotification'); $head = $this->getlayout()->getblock('head'); $head->addjs('jquery.js'); $head->addjs('vivas.js'); return parent::_preparelayout(); } protected function _prepareform() { $form = new varien_data_form(array( 'id' => 'edit_form', 'action' => $this->geturl('*/*/save', array('id' => $this->getrequest()->get...
Read more

php - Bypass Geo Redirect for specific directories -

i'm trying bypass redirect specific url within site. wondering if might able help. the code below code use, original urls replaces example.com i'd able access http://example.com/admin without redirect occuring. is there way this, , there way using own ip? function country_geo_redirect() { $country = getenv('http_geoip_country_code'); if ($country == "us" ) { wp_redirect("http://usa.example.com/"); exit; } else if ($country == "gb" ) { wp_redirect("http://uk.example.com/"); exit; } } add_action('init', 'country_geo_redirect'); you can bypass redirection code if server found ip address. if ip address == <my ip address> ' nothing here else country_georedirect() end if
Read more

php - .htaccess mod_rewrite for dynamic url which has domain names -

i want convert url ex:( example.com/link.php?url=facebook.com ) ( example.com/facebook.com.php ) how can using .htaccess. or there other process make job easier ? i tried adding script .htaccess file options +followsymlinks rewriteengine on rewriterule url-(.*)\.htm$ link.php?url=$1 but converting url adding "url-" ( example.com/url-facebook.com.php ) i want remove "url-" , want make ( example.com/facebook.com.php ) rewriteengine on rewritecond %{the_request} ^get.*link\.php\?url\= [nc] rewritecond %{request_uri} !/system/.* [nc] rewriterule (.*?)link\.php\?url\=/*(.*) /$1$2 [r=301,ne,l] not sure how above work edit of used use remove index.php url
Read more