
I was using Spring Security to handle authentication via a JWT that is passed in the request's header:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

public class JwtAuthConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                .anyRequest().authenticated().and()
                .oauth2ResourceServer().jwt(); // validates the bearer token in the Authorization header
    }

}

Now the JWT token is passed to my application in a cookie. I wrote a filter that takes the JWT from the cookie and adds it to the request's header:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;

@Component
public class JwtCookieFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Cookie[] cookies = request.getCookies();
        String jwt = this.getTokenFromCookie(cookies); // Inner method (not shown in the post)
        if (jwt == null) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The request is wrapped because ServletRequest has no header setters.
        // The resource server's default bearer-token resolver only accepts the
        // "Bearer <token>" scheme, so the value is prefixed before it is injected.
        HttpRequestWithHeaders requestWithHeaders = new HttpRequestWithHeaders(request);
        requestWithHeaders.addHeader("Authorization", "Bearer " + jwt);
        chain.doFilter(requestWithHeaders, response);
    }

}

Now I'm not sure after which step my filter should run (in the configure method of Spring Security). I tried using the following, but I keep getting a 401 error (Unauthorized):

http.addFilterBefore(new JwtCookieFilter(), UsernamePasswordAuthenticationFilter.class);
JeyJ

1 Answer

I suggest that those of you who aren't familiar with Spring Security read the following Stack Overflow post.

The bottom line is that Spring Security is like a firewall that contains a chain of filters. Your request is going into the chain and trying to pass the filters there.

The filter that I created searches for a cookie and sets the cookie's value in the request's header. Since the class ServletRequest doesn't have setter methods, you need to wrap it with a wrapper class.

After doing all this, the last thing that is left is adding the filter in the configure method:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class AuthSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // configuring the strategy
        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                .anyRequest().authenticated().and()
                .oauth2ResourceServer().jwt();
        // the cookie filter must run before the filter that reads the Authorization header
        http.addFilterBefore(new JwtCookieFilter(), UsernamePasswordAuthenticationFilter.class);
    }

}

Please note that all those calls in configure don't actually run anything; they just set up the "chain"/"filters" that Spring will use for incoming requests.
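The wrapper class and cookie lookup that the filter above relies on are not shown in the post. The following is an added example (not the asker's code) of one way to write them; the class name HttpRequestWithHeaders and the method addHeader are taken from the post, the cookie name and the helper bearerFromCookie are assumptions.

```java
// Added example, not from the original post. Wraps the request so that the
// Authorization header injected by the filter is visible to Spring Security.
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class HttpRequestWithHeaders extends HttpServletRequestWrapper {

    // HTTP header names are case-insensitive, so the map must be too.
    private final Map<String, String> extraHeaders = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

    public HttpRequestWithHeaders(HttpServletRequest request) {
        super(request);
    }

    public void addHeader(String name, String value) {
        extraHeaders.put(name, value);
    }

    // All three header accessors must be overridden together; the bearer-token
    // resolver uses getHeader, but other components enumerate getHeaderNames.
    @Override
    public String getHeader(String name) {
        String injected = extraHeaders.get(name);
        return injected != null ? injected : super.getHeader(name);
    }

    @Override
    public Enumeration<String> getHeaders(String name) {
        String injected = extraHeaders.get(name);
        return injected != null ? Collections.enumeration(Collections.singletonList(injected))
                                : super.getHeaders(name);
    }

    @Override
    public Enumeration<String> getHeaderNames() {
        Set<String> names = new LinkedHashSet<>(Collections.list(super.getHeaderNames()));
        names.addAll(extraHeaders.keySet());
        return Collections.enumeration(names);
    }

    // Assumed helper: builds the "Bearer <token>" value the resource server expects
    // from the named cookie, or returns null when the cookie is absent or empty.
    public static String bearerFromCookie(Cookie[] cookies, String cookieName) {
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (cookieName.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return "Bearer " + c.getValue();
            }
        }
        return null;
    }
}
```

Because JwtCookieFilter is also annotated with @Component, Spring Boot registers it with the servlet container as well, so it runs once outside the security chain and once inside it; drop @Component, or register a FilterRegistrationBean for it with setEnabled(false), if a single run is wanted.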

halfer
JeyJ