19 package org.apache.syncope.core.spring.security;
import java.io.IOException;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.syncope.common.lib.types.IdRepoEntitlement;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;
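/**
 * Servlet filter enforcing the "must change password" state of the authenticated user.
 *
 * <p>When the current {@code Authentication} carries the
 * {@link IdRepoEntitlement#MUST_CHANGE_PASSWORD} authority, the request is rejected with an
 * {@link AccessDeniedException} unless at least one of the following holds:
 * <ul>
 *   <li>the HTTP method is {@code POST} (any path), or</li>
 *   <li>the servlet path info is exactly {@code /users/self/changePassword} (any method).</li>
 * </ul>
 * Note that this gate is intentionally conjunctive: a must-change user is still able to issue
 * {@code POST} requests to other paths. Presumably this keeps other {@code POST}-based flows
 * reachable (e.g. token handling) — confirm against the REST layout before tightening it, since a
 * stricter check would have to whitelist those explicitly.
 *
 * <p>The check is only applied when the request has already been wrapped by Spring Security
 * ({@link SecurityContextHolderAwareRequestWrapper}); any other request is passed through
 * untouched. A missing {@code Authentication} in the security context is treated as "no
 * must-change flag" and is left to the rest of the chain to handle, rather than failing with a
 * {@code NullPointerException}.
 *
 * <p>This filter is stateless and therefore safe to share across threads.
 */
public class MustChangePasswordFilter implements Filter {

    /**
     * No initialization needed: this filter holds no state.
     *
     * @param filterConfig ignored
     * @throws ServletException never thrown by this implementation
     */
    @Override
    public void init(final FilterConfig filterConfig) throws ServletException {
        // intentionally empty
    }

    /** No resources to release. */
    @Override
    public void destroy() {
        // intentionally empty
    }

    /**
     * Rejects requests of users flagged with {@code MUST_CHANGE_PASSWORD} that are neither a
     * {@code POST} nor addressed to {@code /users/self/changePassword}; forwards everything else.
     *
     * @param request incoming request; only inspected when it is a
     * {@link SecurityContextHolderAwareRequestWrapper}
     * @param response response, passed down the chain unchanged
     * @param chain remaining filter chain
     * @throws AccessDeniedException when the must-change user attempts a disallowed request
     * @throws IOException propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
            throws IOException, ServletException {

        if (request instanceof SecurityContextHolderAwareRequestWrapper) {
            // Null-safe: the security context may not hold an Authentication yet (e.g. anonymous
            // processing has not run); in that case there is nothing to enforce here.
            boolean isMustChangePassword = Optional.ofNullable(
                    SecurityContextHolder.getContext().getAuthentication()).
                    map(auth -> auth.getAuthorities().stream().anyMatch(
                            authority -> IdRepoEntitlement.MUST_CHANGE_PASSWORD.equals(authority.getAuthority()))).
                    orElse(false);

            SecurityContextHolderAwareRequestWrapper wrappedRequest =
                    (SecurityContextHolderAwareRequestWrapper) request;
            // getPathInfo() depends on the servlet mapping; a null path info simply fails the
            // equality test below, which keeps the deny branch active for such requests.
            if (isMustChangePassword
                    && !"POST".equalsIgnoreCase(wrappedRequest.getMethod())
                    && !"/users/self/changePassword".equals(wrappedRequest.getPathInfo())) {

                throw new AccessDeniedException("Please change your password first");
            }
        }

        chain.doFilter(request, response);
    }
}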