I can't use getReader() because in some other class getReader() is already used and the logic can't be changed.
How can I read it from interceptor?
I need to persist request, response and status from interceptor. So for this, I need to access request and response.
Trying to call service from preHandle()
Related
As described in the title, the interceptor is only triggered if the request does not contain the required auth token. With the token, the interceptor does not get triggerd...
How can this be prevented so that the interceptor gets triggerd on all requests?
You need to set the order property to the lowest.
Maybe #Order(Ordered.LOWEST_PRECEDENCE) might do the job.
If not, check this out: https://kreepcode.com/spring-boot-define-execution-order-multiple-interceptors/
Basic Spring Security is great as it comes with WebSecurity (preventing malformed URLs) along with setting up authentication and authorization.
As part of authenticating my web request, the digest of the request body needs to be verified against the digest value passed in the http header. Setting up the Spring Security filter, forces my auth filter to process a firewalled request. The firewalled request doesn't seem to expose the request body to the filter.
What is the correct way to set up the Spring Security filter so that I can inspect the request body?
Thanks!
In Spring Security there are many filter classes built in for to be extended and used for specific purposes. As in my experience most of (or all of them) have methods with overloads which have access to,
HttpServletRequest request, HttpServletResponse response
as method arguments, so that those can be used inside the method.
When the filter class is met with any request, these variables are then populated with related data thus the code inside the methods output as expected.
I have a service that gets http request with an authorization header.
When processing the request, I want to use a Feign Client to query another service. The query to the other service should include the same authorization header.
Currently I use a Filter to extract the authorization header from the incoming request, store the header in a ThreadLocal.
When building the Feign Client I use a RequestInterceptor to read the authorization header from the ThreadLocal and put it into the request to the other service.
This approach is not ideal, because when I start using things like RxJava or Hystrix, threads are changed while processing the request and I have to move the authorization header ThreadLocal from one thread to another.
What are other options to solve this?
One way that I am thinking about is to create a new FeignClient for each request, this way I would no longer need to store the authorization in a thread local. But is this a good idea?
I think I found a solution for my problem. Using RequestContextHolder I can get a reference to the original request (also from spawned child threads) and copy the header from there:
public class AuthForwardInterceptor implements RequestInterceptor {
#Override
public void apply(RequestTemplate template) {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
template.header(HttpHeaders.AUTHORIZATION, request.getHeader(HttpHeaders.AUTHORIZATION));
}
}
I have a controller method that handles REST requests as well as STOMP/websocket messages. Something like:
#RequestMapping(value="/test")
#MessageMapping(value=".test")
#SendTo(value="/topic/testresponse")
public ResponseEntity<?> test(Principal principal)
{
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
...
return ResponseEntity.ok(principal.getName());
}
When I invoke this method from a REST client, the Principal and Authentication objects are both populated correctly. However, when I invoke this method from a STOMP/websocket client, the Principal object is populated but the Authentication object is null.
Clearly, Spring is able to get the Authentication object somehow, even in the websocket case, because it populated the Principal object. How can I do it in my code?
The reason I want to know this is that I need to do custom authorization checks in code that is NOT invoked as a controller method.
I am using Spring Boot 1.2.2.
Thanks.
I am currently working on a RESTeasy based RESTful service. I have a filter class which serves as a server request filter as well as a server response filter (i.e. it implements ContainerRequestFilter and ContainerResponseFilter interfaces).
At the beginning of the request, I use the filter to put an object into ThreadLocal. This object is used by the resources throughout the request. At the end of the request, before sending out the response, the filter removes the object from ThreadLocal.
My question is that is there a guarantee that the the request filter, the resource and the response filter will all execute in the same thread? Is there a possibility that after the request filter puts the object into ThreadLocal, a different thread will execute the request (and thus not have access to the object)?
I was sure that this was the case but then I saw this http://jersey.576304.n2.nabble.com/Does-filter-method-of-ContainerRequestFilter-run-in-resource-method-thread-td7582648.html (official Jersey forum) and now I have doubts.
javax.ws.rs.container.ContainerRequestContext.setProperty(...)
and
javax.ws.rs.container.ContainerRequestContext.getProperty(...)
are probably the right approach. The javadoc states:
In a Servlet container, the properties are synchronized with the ServletRequest and expose all the attributes available in the ServletRequest. Any modifications of the properties are also reflected in the set of properties of the associated ServletRequest.