[Application] Use Spring Security for API Key validation. #30
Assignees
Labels
Milestone
Comments
binchoo
added
hotfix
|
Change Impact
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${auth.apikey}")
private String expectedApiKey;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/ikakao/**")
.authorizeRequests().anyRequest().permitAll()
.and()
.addFilterBefore(new ApiKeyValidationFilter(expectedApiKey), BasicAuthenticationFilter.class)
.csrf().disable();
}
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
var httpRequest = (HttpServletRequest) request;
var httpResponse = (HttpServletResponse) response;
String actualApiKey = httpRequest.getHeader(HEADER_X_API_KEY);
if (expectedApiKey.equals(actualApiKey)) {
chain.doFilter(request, response);
} else {
httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
String clientIp = httpRequest.getHeader(HEADER_X_FORWARDED_FOR);
logger.warn("[Security] Unauthorized api-key: {} from {}", actualApiKey, clientIp);
}
} |
Open
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As-is:
No API keys are required for calling the
paimonganyu-skillendpoints.If an attacker who uses a fake KakaoTalk chatbot sends a request to our endpoints via the ikakao skill connectors, he may find a botUserId matching one in the PaimonGanyu system with a very low probability.
To-be:
Although the probability is significantly low, I do not want to have this vulnerability affect my system. So I'll implement an API key validation using Spring Security filter chain.
The text was updated successfully, but these errors were encountered: