fixed URI and paths normalization

Erudika · Oct 26, 2024 · 1e95c49 · 1e95c49
1 parent 822ac29
commit 1e95c49
Show file tree

Hide file tree

Showing 17 changed files with 27 additions and 27 deletions.
diff --git a/para-server/src/main/java/com/erudika/para/server/rest/RestUtils.java b/para-server/src/main/java/com/erudika/para/server/rest/RestUtils.java
@@ -147,11 +147,11 @@ public static String extractDate(HttpServletRequest request) {
 	 * @return the resource path
 	 */
 	public static String extractResourcePath(HttpServletRequest request) {
-		if (request == null || request.getRequestURI().length() <= 3) {
+		if (request == null || request.getServletPath().length() <= 3) {
 			return "";
 		}
 		// get request path, strip first slash '/'
-		String uri = request.getRequestURI().substring(1);
+		String uri = request.getServletPath().substring(1);
 		// skip to the end of API version prefix '/v1/'
 		int start = uri.indexOf('/');
 

diff --git a/para-server/src/main/java/com/erudika/para/server/security/SecurityUtils.java b/para-server/src/main/java/com/erudika/para/server/security/SecurityUtils.java
@@ -415,7 +415,7 @@ public static boolean isValidSignature(HttpServletRequest incoming, String secre
 			params.put(param.getKey(), param.getValue()[0]);
 		}
 
-		String path = incoming.getRequestURI();
+		String path = incoming.getRequestURI(); // DO NOT USE req.getServletPath() here!
 		String endpoint = StringUtils.removeEndIgnoreCase(incoming.getRequestURL().toString(), path);
 		String httpMethod = incoming.getMethod();
 		InputStream entity;
@@ -483,9 +483,9 @@ public static String getAppidFromAuthRequest(HttpServletRequest request) {
 		String appidFromState = request.getParameter("state");
 		String appidFromAppid = request.getParameter(Config._APPID);
 		if (StringUtils.isBlank(appidFromState) && StringUtils.isBlank(appidFromAppid)) {
-			if (StringUtils.startsWith(request.getRequestURI(), SAMLAuthFilter.SAML_ACTION + "/")) {
-				return StringUtils.trimToNull(request.getRequestURI().substring(SAMLAuthFilter.SAML_ACTION.length() + 1));
-			} else if (StringUtils.startsWith(request.getRequestURI(), "/" + PasswordlessAuthFilter.PASSWORDLESS_ACTION)) {
+			if (StringUtils.startsWith(request.getServletPath(), SAMLAuthFilter.SAML_ACTION + "/")) {
+				return StringUtils.trimToNull(request.getServletPath().substring(SAMLAuthFilter.SAML_ACTION.length() + 1));
+			} else if (StringUtils.startsWith(request.getServletPath(), "/" + PasswordlessAuthFilter.PASSWORDLESS_ACTION)) {
 				String token = request.getParameter("token"); // JWT
 				JWTClaimsSet claims = null;
 				try {

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/AmazonAuthFilter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/AmazonAuthFilter.java
@@ -94,7 +94,7 @@ public AmazonAuthFilter(final String defaultFilterProcessesUrl) {
 	@Override
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
-		final String requestURI = request.getRequestURI();
+		final String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 
 		if (requestURI.endsWith(AMAZON_ACTION)) {

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java
@@ -90,7 +90,7 @@ public FacebookAuthFilter(String defaultFilterProcessesUrl) {
 	@Override
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
-		final String requestURI = request.getRequestURI();
+		final String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 
 		if (requestURI.endsWith(FACEBOOK_ACTION)) {

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/GenericOAuth2Filter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/GenericOAuth2Filter.java
@@ -105,7 +105,7 @@ public GenericOAuth2Filter(final String defaultFilterProcessesUrl) {
 	@Override
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
-		final String requestURI = request.getRequestURI();
+		final String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 		boolean isSecond = requestURI.endsWith(OAUTH2_SECOND_ACTION);
 		boolean isThird = requestURI.endsWith(OAUTH2_THIRD_ACTION);

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/GitHubAuthFilter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/GitHubAuthFilter.java
@@ -94,7 +94,7 @@ public GitHubAuthFilter(final String defaultFilterProcessesUrl) {
 	@Override
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
-		final String requestURI = request.getRequestURI();
+		final String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 
 		if (requestURI.endsWith(GITHUB_ACTION)) {

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/GoogleAuthFilter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/GoogleAuthFilter.java
@@ -92,7 +92,7 @@ public GoogleAuthFilter(final String defaultFilterProcessesUrl) {
 	@Override
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
-		final String requestURI = request.getRequestURI();
+		final String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 
 		if (requestURI.endsWith(GOOGLE_ACTION)) {

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/LdapAuthFilter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/LdapAuthFilter.java
@@ -75,7 +75,7 @@ public LdapAuthFilter(final String defaultFilterProcessesUrl) {
 	@Override
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
-		final String requestURI = request.getRequestURI();
+		final String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 		String username = request.getParameter(Para.getConfig().ldapUsernameParameter());
 		String password = request.getParameter(Para.getConfig().ldapPasswordParameter());

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/LinkedInAuthFilter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/LinkedInAuthFilter.java
@@ -98,7 +98,7 @@ public LinkedInAuthFilter(final String defaultFilterProcessesUrl) {
 	@Override
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
-		final String requestURI = request.getRequestURI();
+		final String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 
 		if (requestURI.endsWith(LINKEDIN_ACTION)) {

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/MicrosoftAuthFilter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/MicrosoftAuthFilter.java
@@ -95,7 +95,7 @@ public MicrosoftAuthFilter(final String defaultFilterProcessesUrl) {
 	@Override
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
-		final String requestURI = request.getRequestURI();
+		final String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 
 		if (requestURI.endsWith(MICROSOFT_ACTION)) {

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/PasswordAuthFilter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/PasswordAuthFilter.java
@@ -66,7 +66,7 @@ public PasswordAuthFilter(String defaultFilterProcessesUrl) {
 	@Override
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException, ServletException {
-		String requestURI = request.getRequestURI();
+		String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 		User user = null;
 

diff --git a/...server/src/main/java/com/erudika/para/server/security/filters/PasswordlessAuthFilter.java b/...server/src/main/java/com/erudika/para/server/security/filters/PasswordlessAuthFilter.java
@@ -72,7 +72,7 @@ public PasswordlessAuthFilter(String defaultFilterProcessesUrl) {
 	@Override
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException, ServletException {
-		String requestURI = request.getRequestURI();
+		String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 		boolean redirect = !"false".equals(request.getParameter("redirect"));
 		User user = null;

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/SAMLAuthFilter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/SAMLAuthFilter.java
@@ -99,7 +99,7 @@ public SAMLAuthFilter(final String defaultFilterProcessesUrl) {
 	@Override
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
-		final String requestURI = request.getRequestURI();
+		final String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 
 		String appid;

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/SAMLMetadataFilter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/SAMLMetadataFilter.java
@@ -58,7 +58,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
 		HttpServletRequest request = (HttpServletRequest) req;
 		HttpServletResponse response = (HttpServletResponse) res;
 
-		final String requestURI = request.getRequestURI();
+		final String requestURI = request.getServletPath();
 		String appid;
 
 		if (requestURI.startsWith(SAML_ACTION)) {

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/SlackAuthFilter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/SlackAuthFilter.java
@@ -95,7 +95,7 @@ public SlackAuthFilter(final String defaultFilterProcessesUrl) {
 	@SuppressWarnings("unchecked")
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
-		final String requestURI = request.getRequestURI();
+		final String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 
 		if (requestURI.endsWith(SLACK_ACTION)) {

diff --git a/para-server/src/main/java/com/erudika/para/server/security/filters/TwitterAuthFilter.java b/para-server/src/main/java/com/erudika/para/server/security/filters/TwitterAuthFilter.java
@@ -97,7 +97,7 @@ public TwitterAuthFilter(final String defaultFilterProcessesUrl) {
 	@Override
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws IOException {
-		final String requestURI = request.getRequestURI();
+		final String requestURI = request.getServletPath();
 		UserAuthentication userAuth = null;
 
 		if (requestURI.endsWith(TWITTER_ACTION)) {

diff --git a/para-server/src/test/java/com/erudika/para/rest/RestUtilsTest.java b/para-server/src/test/java/com/erudika/para/rest/RestUtilsTest.java
@@ -188,27 +188,27 @@ public void testExtractAccessKey() {
 	@Test
 	public void testExtractResourcePath() {
 		HttpServletRequest req = Mockito.mock(HttpServletRequest.class);
-		Mockito.when(req.getRequestURI()).thenReturn("");
+		Mockito.when(req.getServletPath()).thenReturn("");
 		assertEquals(extractResourcePath(null), "");
 		assertEquals(extractResourcePath(req), "");
 
-		Mockito.when(req.getRequestURI()).thenReturn("/v1");
+		Mockito.when(req.getServletPath()).thenReturn("/v1");
 		assertEquals("", extractResourcePath(req));
 
-		Mockito.when(req.getRequestURI()).thenReturn("/v1/");
+		Mockito.when(req.getServletPath()).thenReturn("/v1/");
 		assertEquals("", extractResourcePath(req));
 
-		Mockito.when(req.getRequestURI()).thenReturn("/v1/_");
+		Mockito.when(req.getServletPath()).thenReturn("/v1/_");
 		assertEquals("_", extractResourcePath(req));
 
-		Mockito.when(req.getRequestURI()).thenReturn("/v1/_test");
+		Mockito.when(req.getServletPath()).thenReturn("/v1/_test");
 		assertEquals("_test", extractResourcePath(req));
 
-		Mockito.when(req.getRequestURI()).thenReturn("/v1/_test/path/id");
+		Mockito.when(req.getServletPath()).thenReturn("/v1/_test/path/id");
 		assertEquals("_test/path/id", extractResourcePath(req));
 
 		// new feature - specific resource paths
-		Mockito.when(req.getRequestURI()).thenReturn("/v2.0/posts/123");
+		Mockito.when(req.getServletPath()).thenReturn("/v2.0/posts/123");
 		assertEquals("posts/123", extractResourcePath(req));
 	}