Fix #32637: implement CustomHeaderAuthenticationBackend

LEDfan · LEDfan · commit 7f6f0cd62dab · 2025-05-22T16:48:08.000+02:00
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/AuthenticationBackendFactory.java b/src/main/java/eu/openanalytics/containerproxy/auth/AuthenticationBackendFactory.java
@@ -20,6 +20,7 @@
  */
 package eu.openanalytics.containerproxy.auth;
 
+import eu.openanalytics.containerproxy.auth.impl.CustomHeaderAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.impl.LDAPAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.impl.NoAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.impl.OpenIDAuthenticationBackend;
@@ -72,6 +73,7 @@ protected IAuthenticationBackend createInstance() {
             case LDAPAuthenticationBackend.NAME -> backend = new LDAPAuthenticationBackend();
             case OpenIDAuthenticationBackend.NAME -> backend = new OpenIDAuthenticationBackend();
             case WebServiceAuthenticationBackend.NAME -> backend = new WebServiceAuthenticationBackend(environment);
+            case CustomHeaderAuthenticationBackend.NAME -> backend = new CustomHeaderAuthenticationBackend(environment, applicationEventPublisher);
             case SAMLAuthenticationBackend.NAME -> {
                 return samlBackend;
             }
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/CustomHeaderAuthenticationBackend.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/CustomHeaderAuthenticationBackend.java
@@ -0,0 +1,83 @@
+/*
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2025 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.auth.impl;
+
+import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
+import eu.openanalytics.containerproxy.auth.impl.customHeader.CustomHeaderAuthenticationFilter;
+import eu.openanalytics.containerproxy.auth.impl.customHeader.CustomHeaderAuthenticationProvider;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.core.env.Environment;
+import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
+import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+
+public class CustomHeaderAuthenticationBackend implements IAuthenticationBackend {
+
+    public final static String NAME = "customHeader";
+
+    private final static String PROP_CUSTOM_AUTH_USERNAME_HEADER_NAME = "proxy.custom-header.username-header-name";
+    private final static String DEFAULT_USERNAME_HEADER_NAME = "REMOTE_USER";
+
+    private final CustomHeaderAuthenticationFilter filter;
+
+    public CustomHeaderAuthenticationBackend(Environment environment, ApplicationEventPublisher applicationEventPublisher) {
+        String usernameHeaderName = environment.getProperty(PROP_CUSTOM_AUTH_USERNAME_HEADER_NAME, DEFAULT_USERNAME_HEADER_NAME);
+        ProviderManager providerManager = new ProviderManager(new CustomHeaderAuthenticationProvider());
+        filter = new CustomHeaderAuthenticationFilter(providerManager, applicationEventPublisher, usernameHeaderName);
+    }
+
+    @Override
+    public String getName() {
+        return NAME;
+    }
+
+    @Override
+    public boolean hasAuthorization() {
+        return true;
+    }
+
+    @Override
+    public void configureHttpSecurity(HttpSecurity http) throws Exception {
+        http.formLogin(AbstractHttpConfigurer::disable);
+
+        http.addFilterBefore(filter, AnonymousAuthenticationFilter.class)
+            .exceptionHandling(e -> {
+                e.authenticationEntryPoint((request, response, authException) -> {
+                    response.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath().path("/auth-error").build().toUriString());
+                });
+            });
+    }
+
+    @Override
+    public void configureAuthenticationManagerBuilder(AuthenticationManagerBuilder auth) throws Exception {
+        // Nothing to do.
+    }
+
+    @Override
+    public String getLogoutSuccessURL() {
+        return "/logout-success";
+    }
+
+
+}
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationException.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationException.java
@@ -0,0 +1,31 @@
+/*
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2025 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.auth.impl.customHeader;
+
+import org.springframework.security.access.AccessDeniedException;
+
+public class CustomHeaderAuthenticationException extends AccessDeniedException {
+
+    public CustomHeaderAuthenticationException(String explanation) {
+        super(explanation);
+    }
+
+}
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationFilter.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationFilter.java
@@ -0,0 +1,102 @@
+/*
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2025 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.auth.impl.customHeader;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.annotation.Nonnull;
+import java.io.IOException;
+
+public class CustomHeaderAuthenticationFilter extends OncePerRequestFilter {
+
+    private final Logger logger = LoggerFactory.getLogger(getClass());
+    private final AuthenticationManager authenticationManager;
+    private final ApplicationEventPublisher eventPublisher;
+
+    // prevent re-login on logout-success page
+    private static final RequestMatcher REQUEST_MATCHER = new NegatedRequestMatcher(new OrRequestMatcher(
+        new AntPathRequestMatcher("/logout-success"),
+        new AntPathRequestMatcher("/webjars/**"),
+        new AntPathRequestMatcher("/css/**"))
+    );
+
+    private final String usernameHeaderName;
+
+    public CustomHeaderAuthenticationFilter(AuthenticationManager authenticationManager, ApplicationEventPublisher eventPublisher, String usernameHeaderName) {
+        this.authenticationManager = authenticationManager;
+        this.eventPublisher = eventPublisher;
+        this.usernameHeaderName = usernameHeaderName;
+    }
+
+    @Override
+    protected void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull HttpServletResponse response, @Nonnull FilterChain chain) throws ServletException, IOException, AuthenticationException {
+        if (!REQUEST_MATCHER.matches(request)) {
+            chain.doFilter(request, response);
+            return;
+        }
+        try {
+            String remoteUser = request.getHeader(usernameHeaderName);
+            if (remoteUser == null) {
+                throw new CustomHeaderAuthenticationException(String.format("Missing username header '%s'", usernameHeaderName));
+            }
+
+            Authentication existingAuthentication = SecurityContextHolder.getContext().getAuthentication();
+            if (existingAuthentication instanceof CustomHeaderAuthenticationToken) {
+                if (!existingAuthentication.getPrincipal().equals(remoteUser)) {
+                    throw new CustomHeaderAuthenticationException(String.format("Username in header '%s' does not match existing session '%s'", remoteUser, existingAuthentication.getPrincipal()));
+                } else {
+                    chain.doFilter(request, response);
+                    return;
+                }
+            }
+
+            Authentication authRequest = new CustomHeaderAuthenticationToken(remoteUser, false);
+            Authentication authResult = authenticationManager.authenticate(authRequest);
+            if (authResult == null) {
+                throw new CustomHeaderAuthenticationException("No authentication");
+            }
+
+            SecurityContextHolder.getContext().setAuthentication(authResult);
+            eventPublisher.publishEvent(new AuthenticationSuccessEvent(authResult));
+        } catch (CustomHeaderAuthenticationException e) {
+            logger.warn("Authentication failed", e);
+            SecurityContextHolder.clearContext();
+        }
+        chain.doFilter(request, response);
+    }
+
+}
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationProvider.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationProvider.java
@@ -0,0 +1,45 @@
+/*
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2025 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.auth.impl.customHeader;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+
+public class CustomHeaderAuthenticationProvider implements AuthenticationProvider {
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        CustomHeaderAuthenticationToken authRequest = (CustomHeaderAuthenticationToken) authentication;
+
+        if (authRequest.isValid()) {
+            return new CustomHeaderAuthenticationToken(authRequest.getPrincipal().toString(), true);
+        }
+
+        throw new CustomHeaderAuthenticationException("Invalid username");
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return CustomHeaderAuthenticationToken.class.isAssignableFrom(authentication);
+    }
+
+}
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationToken.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationToken.java
@@ -0,0 +1,59 @@
+/*
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2025 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.auth.impl.customHeader;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+
+public class CustomHeaderAuthenticationToken extends AbstractAuthenticationToken {
+
+    private final String username;
+
+    public CustomHeaderAuthenticationToken(String username, boolean isAuthenticated) {
+        super(null);
+        this.username = username;
+        super.setAuthenticated(isAuthenticated);
+    }
+
+    public boolean isValid() {
+        return username != null && !username.isBlank();
+    }
+
+    @Override
+    public Object getPrincipal() {
+        return username;
+    }
+
+    @Override
+    public Object getCredentials() {
+        return null;
+    }
+
+    @Override
+    public String getName() {
+        return this.username;
+    }
+
+    @Override
+    public void setAuthenticated(boolean isAuthenticated) {
+        throw new CustomHeaderAuthenticationException("Cannot change authenticated after initialization!");
+    }
+
+}
