From 290c4bf4b39c8a08f75c19b51d8d436f0e3a63d6 Mon Sep 17 00:00:00 2001
From: Dario Seidl
Date: Sun, 1 Apr 2018 21:42:32 +0200
Subject: [PATCH 1/4] Prevent ArrayIndexOutOfBoundsException in JwtTokenFilter.getTokenString
---
 .../java/io/spring/api/security/JwtTokenFilter.java | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/main/java/io/spring/api/security/JwtTokenFilter.java b/src/main/java/io/spring/api/security/JwtTokenFilter.java
index 87ad73d..2873650 100644
--- a/src/main/java/io/spring/api/security/JwtTokenFilter.java
+++ b/src/main/java/io/spring/api/security/JwtTokenFilter.java
@@ -48,10 +48,15 @@ public class JwtTokenFilter extends OncePerRequestFilter {
     }
 
     private Optional getTokenString(String header) {
-        if (header == null || header.split("").length < 2) {
+        if (header == null)
             return Optional.empty();
-        } else {
-            return Optional.ofNullable(header.split(" ")[1]);
+        else {
+            String[] split = header.split(" ");
+            if (split.length < 2) {
+                return Optional.empty();
+            } else {
+                return Optional.ofNullable(split[1]);
+            }
         }
     }
 }

From 3f7a756746c01400b6aa1e67f9b87c3768c924d8 Mon Sep 17 00:00:00 2001
From: Dario Seidl
Date: Sun, 1 Apr 2018 21:46:07 +0200
Subject: [PATCH 2/4] Add braces
---
 src/main/java/io/spring/api/security/JwtTokenFilter.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/io/spring/api/security/JwtTokenFilter.java b/src/main/java/io/spring/api/security/JwtTokenFilter.java
index 2873650..2d1dba3 100644
--- a/src/main/java/io/spring/api/security/JwtTokenFilter.java
+++ b/src/main/java/io/spring/api/security/JwtTokenFilter.java
@@ -48,9 +48,9 @@ public class JwtTokenFilter extends OncePerRequestFilter {
     }
 
     private Optional getTokenString(String header) {
-        if (header == null)
+        if (header == null) {
             return Optional.empty();
-        else {
+        } else {
             String[] split = header.split(" ");
             if (split.length < 2) {
                 return Optional.empty();
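Review bot: The new length check in getTokenString still lets an empty token through: for a header with two consecutive spaces after the scheme word, `header.split(" ")` yields an empty second element, and `Optional.ofNullable(split[1])` then returns a present Optional wrapping `""` instead of `Optional.empty()`. Since `split[1]` can never be null, `Optional.of` states the intent better, and a guard such as `if (split.length < 2 || split[1].isEmpty()) return Optional.empty();` keeps the caller's "no token" branch honest. The method also never looks at `split[0]`, so any `<word> <value>` shape is accepted as a JWT candidate; if a specific scheme is intended, compare `split[0]` against it here. The signature uses the raw type `Optional`; `Optional<String>` would let the compiler check the caller. The second patch in this series touches the same hunk but only adds braces.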
From 7e9b018d7e61ad96a058f39d6b00e125efc864c7 Mon Sep 17 00:00:00 2001
From: Dario Seidl
Date: Sun, 1 Apr 2018 22:50:30 +0200
Subject: [PATCH 3/4] Enable and allow access to h2-console
---
 src/main/java/io/spring/api/security/WebSecurityConfig.java | 6 +++++-
 src/main/resources/application.properties | 3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/main/java/io/spring/api/security/WebSecurityConfig.java b/src/main/java/io/spring/api/security/WebSecurityConfig.java
index a404af0..ed34d30 100644
--- a/src/main/java/io/spring/api/security/WebSecurityConfig.java
+++ b/src/main/java/io/spring/api/security/WebSecurityConfig.java
@@ -36,7 +36,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
                 .antMatchers(HttpMethod.GET, "/articles/feed").authenticated()
                 .antMatchers(HttpMethod.POST, "/users", "/users/login").permitAll()
                 .antMatchers(HttpMethod.GET, "/articles/**", "/profiles/**", "/tags").permitAll()
-                .anyRequest().authenticated();
+                .antMatchers("/h2-console", "/h2-console/**")
+                .permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .headers().frameOptions().sameOrigin();
 
         http.addFilterBefore(jwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
     }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 418eeaa..d35287c 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -4,4 +4,5 @@ jwt.secret=nRvyYC4soFxBdZ-F-5Nnzz5USXstR1YylsTd-mA0aKtI9HUlriGrtkf-TiuDapkLiUCog
 jwt.sessionTime=86400
 mybatis.config-location=classpath:mybatis-config.xml
 mybatis.mapper-locations=mapper/*.xml
-logging.level.io.spring.infrastructure.mybatis.readservice.ArticleReadService=DEBUG
\ No newline at end of file
+logging.level.io.spring.infrastructure.mybatis.readservice.ArticleReadService=DEBUG
+spring.h2.console.enabled=true
\ No newline at end of file

From 8ff2ebdf5e9b365cfd1fb056ccd22cba1dbd83c9 Mon Sep 17 00:00:00 2001
From: Dario Seidl
Date: Tue, 10 Apr 2018 11:31:51 +0200
Subject: [PATCH 4/4] Only enable security config for h2-console when property is set
---
 .../spring/api/security/WebSecurityConfig.java | 18 +++++++++++++-----
 src/main/resources/application.properties | 3 ++-
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/src/main/java/io/spring/api/security/WebSecurityConfig.java b/src/main/java/io/spring/api/security/WebSecurityConfig.java
index ed34d30..336d190 100644
--- a/src/main/java/io/spring/api/security/WebSecurityConfig.java
+++ b/src/main/java/io/spring/api/security/WebSecurityConfig.java
@@ -1,5 +1,6 @@
 package io.spring.api.security;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -18,6 +19,10 @@ import static java.util.Arrays.asList;
 @Configuration
 @EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Value("${spring.h2.console.enabled:false}")
+    private boolean h2ConsoleEnabled;
+
     @Bean
     public JwtTokenFilter jwtTokenFilter() {
         return new JwtTokenFilter();
@@ -25,6 +30,13 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
+ + if (h2ConsoleEnabled) http.authorizeRequests() .antMatchers("/h2-console", "/h2-console/**").permitAll() .and() .headers().frameOptions().sameOrigin(); + http.csrf().disable() .cors() .and()
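Review bot: The `if (h2ConsoleEnabled)` block at the top of configure relies on `http.authorizeRequests()` being invoked a second time further down in the method and handing back the same registry, so that the console matchers are registered ahead of `anyRequest().authenticated()`; that ordering is what makes the `permitAll()` take effect and deserves a comment such as `// must precede the main authorizeRequests() chain: matchers are evaluated in registration order`. The `if` also guards a multi-line statement without braces, the very pattern the second patch in this series removed; add the braces for consistency. `headers().frameOptions().sameOrigin()` relaxes the frame-options default for every response of the application, not only for the console paths, so if the intent is limited to the console a comment should say the relaxation is global. Because the gate is a plain property with a `false` default, any environment that supplies `spring.h2.console.enabled` can open the console endpoint without authentication from the JWT filter; tying this branch to a development profile would make accidental enablement in a deployed build harder. The body of configure continues outside the hunk.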
@@ -36,11 +48,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
                 .antMatchers(HttpMethod.GET, "/articles/feed").authenticated()
                 .antMatchers(HttpMethod.POST, "/users", "/users/login").permitAll()
                 .antMatchers(HttpMethod.GET, "/articles/**", "/profiles/**", "/tags").permitAll()
-                .antMatchers("/h2-console", "/h2-console/**")
-                .permitAll()
-                .anyRequest().authenticated()
-                .and()
-                .headers().frameOptions().sameOrigin();
+                .anyRequest().authenticated();
 
         http.addFilterBefore(jwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
     }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index d35287c..245b6db 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -5,4 +5,5 @@ jwt.sessionTime=86400
 mybatis.config-location=classpath:mybatis-config.xml
 mybatis.mapper-locations=mapper/*.xml
 logging.level.io.spring.infrastructure.mybatis.readservice.ArticleReadService=DEBUG
-spring.h2.console.enabled=true
\ No newline at end of file
+# Uncomment the following line to enable and allow access to the h2-console
+#spring.h2.console.enabled=true