public void doFilter()

in core/src/main/java/com/alibaba/nacos/core/auth/AbstractWebAuthFilter.java [63:141]


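    /**
     * Authenticates and authorizes an HTTP request before it reaches the controller.
     *
     * <p>The request is passed straight through without any check when auth is disabled, when it maps to no
     * known controller method, when that method carries no {@link Secured} annotation, when
     * {@link #isMatchFilter} rejects the annotation, when the server-identity check reports {@code MATCHED},
     * or when the protocol auth service reports auth disabled for this {@code Secured}. Otherwise the
     * caller's identity is validated; for identity-only APIs that is sufficient, for every other API the
     * permission for {@code Secured#action()} on the parsed resource is checked as well.
     *
     * <p>Outcomes: a server-identity {@code FAIL} or a failed identity/authority check answers 403 with the
     * failure message; an {@link IllegalArgumentException} answers 400; any other exception is logged and
     * answered with a generic 500 so the request never returns to the container with no decision made and
     * no internal detail is echoed to the client.
     *
     * @param request  incoming request, expected to be an {@link HttpServletRequest}
     * @param response outgoing response, expected to be an {@link HttpServletResponse}
     * @param chain    filter chain to continue with once the request is allowed
     * @throws IOException      propagated from the chain or from writing the error response
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!isAuthEnabled()) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Method method = methodsCache.getMethod(req);
        // Requests that map to no known controller method, or to one without @Secured, are not checked
        // here: there is no Secured metadata to check against, so they are left to the downstream servlet.
        if (method == null || !method.isAnnotationPresent(Secured.class)) {
            chain.doFilter(request, response);
            return;
        }
        
        try {
            Secured secured = method.getAnnotation(Secured.class);
            if (!isMatchFilter(secured)) {
                chain.doFilter(request, response);
                return;
            }
            if (Loggers.AUTH.isDebugEnabled()) {
                Loggers.AUTH.debug("auth start, request: {} {}", req.getMethod(), req.getRequestURI());
            }
            // Server-to-server identity goes first: a definitive FAIL is rejected outright, a MATCHED peer
            // bypasses user auth entirely, and any other status falls through to user auth below.
            ServerIdentityResult serverIdentityResult = checkServerIdentity(req, secured);
            switch (serverIdentityResult.getStatus()) {
                case FAIL:
                    resp.sendError(HttpServletResponse.SC_FORBIDDEN, serverIdentityResult.getMessage());
                    return;
                case MATCHED:
                    chain.doFilter(request, response);
                    return;
                default:
                    break;
            }
            if (!protocolAuthService.enableAuth(secured)) {
                chain.doFilter(request, response);
                return;
            }
            Resource resource = protocolAuthService.parseResource(req, secured);
            IdentityContext identityContext = protocolAuthService.parseIdentity(req);
            AuthResult result = protocolAuthService.validateIdentity(identityContext, resource);
            // The identity outcome is recorded on the request context before the decision is made, so it is
            // visible to later code for denied requests too.
            RequestContext requestContext = RequestContextHolder.getContext();
            requestContext.getAuthContext().setIdentityContext(identityContext);
            requestContext.getAuthContext().setResource(resource);
            requestContext.getAuthContext().setAuthResult(result);
            if (!result.isSuccess()) {
                throw new AccessException(result.format());
            }
            if (isIdentityOnlyApi(secured)) {
                if (Loggers.AUTH.isDebugEnabled()) {
                    Loggers.AUTH.debug("API is identity only, skip validate authority, request: {} {}", req.getMethod(),
                            req.getRequestURI());
                }
                chain.doFilter(request, response);
                return;
            }
            String action = secured.action().toString();
            result = protocolAuthService.validateAuthority(identityContext, new Permission(resource, action));
            if (!result.isSuccess()) {
                throw new AccessException(result.format());
            }
            chain.doFilter(request, response);
        } catch (AccessException e) {
            if (Loggers.AUTH.isDebugEnabled()) {
                Loggers.AUTH.debug("access denied, request: {} {}, reason: {}", req.getMethod(), req.getRequestURI(),
                        e.getErrMsg());
            }
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getErrMsg());
        } catch (IllegalArgumentException e) {
            // Malformed request, typically raised while parsing the resource or identity. Note the whole
            // exception-message chain is echoed to the client, so those messages must stay free of
            // internal detail.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, ExceptionUtil.getAllExceptionMsg(e));
        } catch (Exception e) {
            // Fail closed with an explicit answer. Returning here without touching the response would hand
            // the container a request with no status or body set; instead log the full trace for
            // operators and send a generic 500 that does not disclose exception text. The chain may
            // already have committed the response before throwing, in which case sendError itself would
            // throw, hence the isCommitted() guard.
            Loggers.AUTH.warn("[AUTH-FILTER] Server failed: ", e);
            if (!resp.isCommitted()) {
                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Server failed");
            }
        }
    }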