fix: enforce html auth redirect at runtime

2026-03-25 09:13:12 +08:00
parent d81750aaf9
commit 923302ca78
3 changed files with 30 additions and 18 deletions
--- a/src/main/java/com/example/demo/security/LearningJwtFilter.java
+++ b/src/main/java/com/example/demo/security/LearningJwtFilter.java
@@ -28,21 +28,14 @@ public class LearningJwtFilter extends OncePerRequestFilter {
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        String uri = request.getRequestURI();
-        boolean learnRoute = "/learn".equals(uri) || uri.startsWith("/learn/");
-        boolean protectedPage = "/".equals(uri)
-            || "/home".equals(uri)
-            || "/index.html".equals(uri)
-            || "/users.html".equals(uri)
-            || "/aop.html".equals(uri)
-            || "/events.html".equals(uri);
-        return !(protectedPage
+        return !(isProtectedPage(uri)
            || uri.startsWith("/api/secure/")
            || uri.equals("/api/users")
            || uri.startsWith("/api/users/")
            || "/aop".equals(uri)
            || uri.startsWith("/aop/")
            || uri.startsWith("/api/lab/")
-            || learnRoute);
+            || isLearnRoute(uri));
    }

    @Override
@@ -61,9 +54,28 @@ public class LearningJwtFilter extends OncePerRequestFilter {
            SecurityContextHolder.getContext().setAuthentication(authToken);
        }

+        if (isProtectedPage(request.getRequestURI())
+            && SecurityContextHolder.getContext().getAuthentication() == null) {
+            response.sendRedirect("/access.html");
+            return;
+        }
+
        filterChain.doFilter(request, response);
    }

+    private boolean isProtectedPage(String uri) {
+        return "/".equals(uri)
+            || "/home".equals(uri)
+            || "/index.html".equals(uri)
+            || "/users.html".equals(uri)
+            || "/aop.html".equals(uri)
+            || "/events.html".equals(uri);
+    }
+
+    private boolean isLearnRoute(String uri) {
+        return "/learn".equals(uri) || uri.startsWith("/learn/");
+    }
+
    private String resolveToken(HttpServletRequest request) {
        String authorization = request.getHeader("Authorization");
        if (StringUtils.hasText(authorization) && authorization.startsWith("Bearer ")) {