Update the excludedPaths from portalCheckFilter in web.xml to be sharable for other configs (#8769)

* Update AudienceAccessTokenValidator.java

Fix logic

* Refactor excluded path to be accessible from other config

* add missing import

Author: xiechangning20

core/src/main/java/org/fao/geonet/kernel/security/keycloak/KeycloakPreAuthActionsLoginFilter.java

@@ -35,17 +35,24 @@
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.csrf.CsrfFilter;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
+import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.net.URLEncoder;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.web.context.ServletContextAware;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
 
-public class KeycloakPreAuthActionsLoginFilter extends KeycloakPreAuthActionsFilter {
+/**
+ * This class extends the KeycloakPreAuthActionsFilter to handle pre-authentication actions
+ * specific to Keycloak integration in GeoNetwork.
+ */
+public class KeycloakPreAuthActionsLoginFilter extends KeycloakPreAuthActionsFilter implements ServletContextAware {
 
     @Autowired
     LoginUrlAuthenticationEntryPoint loginUrlAuthenticationEntryPoint;
@@ -63,6 +70,38 @@ public KeycloakPreAuthActionsLoginFilter(UserSessionManagement userSessionManage
         csrfFilter.setRequireCsrfProtectionMatcher(csrfRequestMatcher);
     }
 
+    /**
+     * The servlet context parameter name that contains the excluded URL paths.
+     * This is used to configure which paths should be ignored by the filter.
+     * Based on the GeoNetworkPortalFilter configured in web.xml
+     */
+    private static final String EXCLUDED_URL_PATHS = "excludedPaths";
+
+    /**
+     * RequestMatchers for the ignored application paths.
+     */
+    private List<AntPathRequestMatcher> excludedPathsMatchers = new ArrayList<>();
+
+    /**
+     * The Method to set the servlet context from the web.xml.
+     * It also sets the request matchers for the excluded paths.
+     */
+    public void setServletContext(ServletContext servletContext) {
+        //get excluded paths from servlet context in web.xml
+        String excludedPathsValue = servletContext.getInitParameter(EXCLUDED_URL_PATHS);
+
+        if (StringUtils.isNotEmpty(excludedPathsValue)) {
+            excludedPathsMatchers = Arrays.stream(excludedPathsValue.split(","))
+                .map(StringUtils::trimToEmpty)
+                .filter(StringUtils::isNotEmpty)
+                .map(AntPathRequestMatcher::new)
+                .collect(Collectors.toList());
+        }
+
+        // add the jwks endpoint to the excluded paths
+        excludedPathsMatchers.add(new AntPathRequestMatcher("/.well-known/jwks.json"));
+    }
+
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
         throws IOException, ServletException {
@@ -76,6 +115,8 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         //       No sign in page required for api calls.
         //     - and it is not an internal k_* request which should be processed by keycloak adapter and also don't required login page.
         if (servletRequest.getPathInfo() != null &&
+            excludedPathsMatchers.stream()
+                .noneMatch(matcher -> matcher.matches(servletRequest)) &&
             !KeycloakAuthenticationProcessingFilter.DEFAULT_REQUEST_MATCHER.matches(servletRequest) &&
             !isAuthenticated() &&
             !(servletRequest.getContextPath() + KeycloakUtil.getSigninPath()).equals(servletRequest.getRequestURI()) &&

core/src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkOidcPreAuthActionsLoginFilter.java

@@ -34,12 +34,20 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.net.URLEncoder;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.web.context.ServletContextAware;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
+
 
 /**
  * Filter implementation for handling pre-authentication actions for OpenID Connect (OIDC) login.
  * This filter checks if the user is authenticated and redirects unauthenticated users to the login page.
  */
-public class GeonetworkOidcPreAuthActionsLoginFilter  implements Filter {
+public class GeonetworkOidcPreAuthActionsLoginFilter  implements Filter, ServletContextAware {
 
     /**
      * Repository for managing client registrations for OpenID Connect.
@@ -49,10 +57,40 @@ public class GeonetworkOidcPreAuthActionsLoginFilter  implements Filter {
     private  ClientRegistrationRepository clientRegistrationRepository;
 
 
+    /**
+     * The servlet context parameter name that contains the excluded URL paths.
+     * This is used to configure which paths should be ignored by the filter.
+     * Based on the GeoNetworkPortalFilter configured in web.xml
+     */
+    private static final String EXCLUDED_URL_PATHS = "excludedPaths";
 
-    @Override
-    public void init(FilterConfig filterConfig) throws ServletException {
+    /**
+     * RequestMatchers for the ignored application paths.
+     */
+    private List<AntPathRequestMatcher> excludedPathsMatchers = new ArrayList<>();
 
+    /**
+     * The Method to set the servlet context from the web.xml.
+     * It also sets the request matchers for the excluded paths.
+     */
+    public void setServletContext(ServletContext servletContext) {
+        //get excluded paths from servlet context in web.xml
+        String excludedPathsValue = servletContext.getInitParameter(EXCLUDED_URL_PATHS);
+
+        if (StringUtils.isNotEmpty(excludedPathsValue)) {
+            excludedPathsMatchers = Arrays.stream(excludedPathsValue.split(","))
+                .map(StringUtils::trimToEmpty)
+                .filter(StringUtils::isNotEmpty)
+                .map(AntPathRequestMatcher::new)
+                .collect(Collectors.toList());
+        }
+
+        // add the jwks endpoint to the excluded paths
+        excludedPathsMatchers.add(new AntPathRequestMatcher("/.well-known/jwks.json"));
+    }
+
+    @Override
+    public void init(FilterConfig config) {
     }
 
     /**
@@ -82,8 +120,8 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
             SecurityContextHolder.getContext().getAuthentication().isAuthenticated() &&
             !(SecurityContextHolder.getContext().getAuthentication() instanceof AnonymousAuthenticationToken);
 
-        boolean isPublicEndpoint =
-            requestUri.endsWith("/.well-known/jwks.json");
+        boolean isPublicEndpoint = excludedPathsMatchers.stream()
+            .anyMatch(matcher -> matcher.matches(servletRequest));
 
         if (!isAuthenticated && !isLoginRequest && !isPublicEndpoint && !isBearerTokenAccess) {
             String returningUrl = requestUri +

core/src/main/java/org/fao/geonet/web/GeoNetworkPortalFilter.java

@@ -58,7 +58,8 @@ public class GeoNetworkPortalFilter implements javax.servlet.Filter {
 
     @Override
     public void init(FilterConfig config) {
-        String excludedPathsValue = config.getInitParameter(EXCLUDED_URL_PATHS);
+        ServletContext context = config.getServletContext();
+        String excludedPathsValue = context.getInitParameter(EXCLUDED_URL_PATHS);
         if (StringUtils.isNotEmpty(excludedPathsValue)) {
             excludedPathsMatchers = Arrays.stream(excludedPathsValue.split(","))
                 .map(StringUtils::trimToEmpty)

web/src/main/webResources/WEB-INF/web.xml

@@ -82,43 +82,45 @@
     <url-pattern>/*</url-pattern>
   </filter-mapping>
 
+
   <!-- Filter to verify the portal parameter in the URL is a valid portal defined in GeoNetwork.
        If a non-valid value is provided, it redirects to the same URL in the default portal (srv).
   -->
   <filter>
     <filter-name>portalCheckFilter</filter-name>
     <filter-class>org.fao.geonet.web.GeoNetworkPortalFilter</filter-class>
-    <init-param>
+  </filter>
+
+  <context-param>
+    <param-name>excludedPaths</param-name>
+    <param-value>
       <!-- List of Ant style patterns that should be not checked for application URL paths -->
       <!-- https://docs.spring.io/spring-security/site/docs/5.7.3/api/org/springframework/security/web/util/matcher/AntPathRequestMatcher.html -->
-      <param-name>excludedPaths</param-name>
-      <param-value>
-        /catalog/**,
-        /api/**,
-        /static/**,
-        /images/**,
-        /index/features/**,
-        /htmlcache/**,
-        /config/**,
-        /jolokia/**,
-        /dashboards/**,
-        /criticalhealthcheck/**,
-        /warninghealthcheck/**,
-        /expensivehealthcheck/**,
-        /monitor/**,
-        /doc/**,
-        /map/**,
-        /pdf/**,
-        /xml/**,
-        /xsl/**,
-        /read/**,
-        /opensearch/**,
-        /.*.jsp,
-        /*.html,
-        /*.css
-      </param-value>
-    </init-param>
-  </filter>
+      /catalog/**,
+      /api/**,
+      /static/**,
+      /images/**,
+      /index/features/**,
+      /htmlcache/**,
+      /config/**,
+      /jolokia/**,
+      /dashboards/**,
+      /criticalhealthcheck/**,
+      /warninghealthcheck/**,
+      /expensivehealthcheck/**,
+      /monitor/**,
+      /doc/**,
+      /map/**,
+      /pdf/**,
+      /xml/**,
+      /xsl/**,
+      /read/**,
+      /opensearch/**,
+      /.*.jsp,
+      /*.html,
+      /*.css
+    </param-value>
+  </context-param>
 
   <filter-mapping>
     <filter-name>portalCheckFilter</filter-name>