galovics commented on code in PR #2308: URL: https://github.com/apache/fineract/pull/2308#discussion_r863650606
########## fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/filters/HttpMethodFilter.java: ########## 
@@ -0,0 +1,81 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.fineract.infrastructure.core.filters; + +import java.io.IOException; +import java.util.Arrays; +import java.util.List; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.ext.Provider; +import org.apache.fineract.infrastructure.core.config.FineractProperties; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; +import org.springframework.web.filter.GenericFilterBean; + +@Provider +@Component +@Scope("singleton") +public class HttpMethodFilter extends GenericFilterBean { Review Comment: Can we rename the class to represent what it does instead of how it's implemented? Instead of HttpMethodFilter, we could do let's say InstanceTypeApiFilter or something. 
########## fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/filters/HttpMethodFilter.java: ########## 
@@ -0,0 +1,81 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.fineract.infrastructure.core.filters; + +import java.io.IOException; +import java.util.Arrays; +import java.util.List; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.ext.Provider; +import org.apache.fineract.infrastructure.core.config.FineractProperties; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; +import org.springframework.web.filter.GenericFilterBean; + +@Provider +@Component +@Scope("singleton") +public class HttpMethodFilter extends GenericFilterBean { + + private static final Logger LOG = LoggerFactory.getLogger(HttpMethodFilter.class); + + private final String DEFAULT_HTTP_METHODS_READ = "GET"; + private final String DEFAULT_HTTP_METHODS_WRITE = "POST,PUT,DELETE,OPTIONS"; + private final String DEFAULT_HTTP_METHODS_ALL = 
"GET,POST,PUT,DELETE,OPTIONS"; + + private final String fineractInstanceType; + private final List<String> httpMethodsAllowedList; + + @Autowired + public HttpMethodFilter(final FineractProperties fineractProperties) { Review Comment: Yeah, this is not the way, especially with the String checks and stuff. ########## fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java: ########## @@ -80,6 +87,11 @@ protected void configure(HttpSecurity http) throws Exception { .addFilterAfter(tenantAwareBasicAuthenticationFilter(), SecurityContextPersistenceFilter.class) // .addFilterAfter(twoFactorAuthenticationFilter, BasicAuthenticationFilter.class); // + // Apply the HTTP method Filter only If the instance is Read or Write + if (fineractProperties.getMode().isReadOnlyMode() || fineractProperties.getMode().isWriteEnabled()) { Review Comment: Nah, let's apply the filter every time. No need to exclude it when it's not running in a certain mode. ########## fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/filters/HttpMethodFilter.java: ########## 
@@ -0,0 +1,81 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.fineract.infrastructure.core.filters; + +import java.io.IOException; +import java.util.Arrays; +import java.util.List; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.ext.Provider; +import org.apache.fineract.infrastructure.core.config.FineractProperties; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; +import org.springframework.web.filter.GenericFilterBean; + +@Provider +@Component +@Scope("singleton") +public class HttpMethodFilter extends GenericFilterBean { + + private static final Logger LOG = LoggerFactory.getLogger(HttpMethodFilter.class); + + private final String DEFAULT_HTTP_METHODS_READ = "GET"; + private final String DEFAULT_HTTP_METHODS_WRITE = "POST,PUT,DELETE,OPTIONS"; Review Comment: Please don't. 
If we want to represent a Set structure, let's use a set. ########## fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/filters/HttpMethodFilter.java: ########## 
@@ -0,0 +1,81 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.fineract.infrastructure.core.filters; + +import java.io.IOException; +import java.util.Arrays; +import java.util.List; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.ext.Provider; +import org.apache.fineract.infrastructure.core.config.FineractProperties; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; +import org.springframework.web.filter.GenericFilterBean; + +@Provider +@Component +@Scope("singleton") +public class HttpMethodFilter extends GenericFilterBean { + + private static final Logger LOG = LoggerFactory.getLogger(HttpMethodFilter.class); + + private final String DEFAULT_HTTP_METHODS_READ = "GET"; Review Comment: Yeah, this is not gonna fly with me, hardcoding these. 
There's an HttpMethod enum for this reason both in Spring and in the Apache Commons lib. ########## fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/filters/HttpMethodFilter.java: ########## 
@@ -0,0 +1,81 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.fineract.infrastructure.core.filters; + +import java.io.IOException; +import java.util.Arrays; +import java.util.List; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.ext.Provider; +import org.apache.fineract.infrastructure.core.config.FineractProperties; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; +import org.springframework.web.filter.GenericFilterBean; + +@Provider +@Component +@Scope("singleton") +public class HttpMethodFilter extends GenericFilterBean { Review Comment: Also, any reason you didn't use a OncePerRequestFilter but a GenericFilterBean? ########## fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/filters/HttpMethodFilter.java: ########## 
@@ -0,0 +1,81 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.fineract.infrastructure.core.filters; + +import java.io.IOException; +import java.util.Arrays; +import java.util.List; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.ext.Provider; +import org.apache.fineract.infrastructure.core.config.FineractProperties; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; +import org.springframework.web.filter.GenericFilterBean; + +@Provider +@Component +@Scope("singleton") +public class HttpMethodFilter extends GenericFilterBean { + + private static final Logger LOG = LoggerFactory.getLogger(HttpMethodFilter.class); Review Comment: Lombok `@Slf4j` annotation please. ########## fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/filters/HttpMethodFilter.java: ########## 
@@ -0,0 +1,81 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.fineract.infrastructure.core.filters; + +import java.io.IOException; +import java.util.Arrays; +import java.util.List; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.ext.Provider; +import org.apache.fineract.infrastructure.core.config.FineractProperties; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; +import org.springframework.web.filter.GenericFilterBean; + +@Provider +@Component +@Scope("singleton") Review Comment: Why the Scope annotation? ########## fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/filters/HttpMethodFilter.java: ########## 
@@ -0,0 +1,81 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.fineract.infrastructure.core.filters; + +import java.io.IOException; +import java.util.Arrays; +import java.util.List; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.ext.Provider; +import org.apache.fineract.infrastructure.core.config.FineractProperties; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; +import org.springframework.web.filter.GenericFilterBean; + +@Provider +@Component +@Scope("singleton") +public class HttpMethodFilter extends GenericFilterBean { + + private static final Logger LOG = LoggerFactory.getLogger(HttpMethodFilter.class); + + private final String DEFAULT_HTTP_METHODS_READ = "GET"; + private final String DEFAULT_HTTP_METHODS_WRITE = "POST,PUT,DELETE,OPTIONS"; + private final String DEFAULT_HTTP_METHODS_ALL = 
"GET,POST,PUT,DELETE,OPTIONS"; + + private final String fineractInstanceType; + private final List<String> httpMethodsAllowedList; + + @Autowired + public HttpMethodFilter(final FineractProperties fineractProperties) { + if (fineractProperties.getMode().isReadOnlyMode()) { + this.fineractInstanceType = "Read"; + this.httpMethodsAllowedList = Arrays.asList(DEFAULT_HTTP_METHODS_READ.toUpperCase().split(",")); + } else if (fineractProperties.getMode().isWriteEnabled()) { + this.fineractInstanceType = "Write"; + this.httpMethodsAllowedList = Arrays.asList(DEFAULT_HTTP_METHODS_WRITE.toUpperCase().split(",")); + } else { + this.fineractInstanceType = "Read/Write"; + this.httpMethodsAllowedList = Arrays.asList(DEFAULT_HTTP_METHODS_ALL.toUpperCase().split(",")); + } + LOG.info("Fineract Instance type: {} {} methods", this.fineractInstanceType, this.httpMethodsAllowedList.size()); + } + + @Override + public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) Review Comment: A pseudo code for this doFilter would look the following: ``` doFilter { if (isGetMethod() && isReadInstance()) { proceed() } else if (isAnythingElse() && isWriteInstance()) { proceed() } else { error() } } ``` And later on if we need an exception list we could have a list of API paths like: ``` Set<String> EXCEPTION_API_PATHS = Sets.of( "/loans", ...) // just as an example of course ``` Then the doFilter's beginning gets extended with ``` if (EXCEPTION_API_PATHS.contains(currentApiPath)) { proceed() } ``` ########## fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/filters/HttpMethodFilter.java: ########## 
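Review bot: The constructor's final `else` branch assigns the widest allow-list (`DEFAULT_HTTP_METHODS_ALL`) whenever the mode is neither read-only nor write-enabled, so an unexpected or misconfigured mode fails open instead of closed. It would be safer to name each supported mode explicitly and refuse to start on anything else, for example `throw new IllegalStateException("Unsupported instance mode")` in the fall-through. Separately, if `isWriteEnabled()` is also true on a combined read/write instance (FineractProperties is not visible here), the second branch wins and `GET` never reaches the "Read/Write" list. None of the three lists contains `HEAD` or `PATCH`, and the read-only list omits `OPTIONS`, so presumably those requests, including CORS preflights on a read-only instance, are rejected if `doFilter` enforces the list. `doFilter`'s body lies outside this hunk, so that should be confirmed there.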
@@ -0,0 +1,81 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.fineract.infrastructure.core.filters; + +import java.io.IOException; +import java.util.Arrays; +import java.util.List; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.ext.Provider; +import org.apache.fineract.infrastructure.core.config.FineractProperties; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; +import org.springframework.web.filter.GenericFilterBean; + +@Provider +@Component +@Scope("singleton") +public class HttpMethodFilter extends GenericFilterBean { + + private static final Logger LOG = LoggerFactory.getLogger(HttpMethodFilter.class); + + private final String DEFAULT_HTTP_METHODS_READ = "GET"; + private final String DEFAULT_HTTP_METHODS_WRITE = "POST,PUT,DELETE,OPTIONS"; + private final String DEFAULT_HTTP_METHODS_ALL = 
"GET,POST,PUT,DELETE,OPTIONS"; + + private final String fineractInstanceType; Review Comment: Why is this needed as a String? I don't get it. You could just get a reference to the FineractProperties (which exactly tells you which instance type you're running) and use it.
