Reregister AuthCheckFilter exclusion when certificates change

Fishbowler · Fishbowler · commit cf17248deb94 · 2026-03-04T22:44:33.000Z
The AdminConsole restarts when the certificates change, clearing previously registered AuthCheckFilter exclusions
diff --git a/src/java/org/jivesoftware/openfire/plugin/rest/RESTServicePlugin.java b/src/java/org/jivesoftware/openfire/plugin/rest/RESTServicePlugin.java
@@ -19,8 +19,11 @@
 import org.jivesoftware.admin.AuthCheckFilter;
 import org.jivesoftware.openfire.container.Plugin;
 import org.jivesoftware.openfire.container.PluginManager;
+import org.jivesoftware.openfire.keystore.CertificateStore;
 import org.jivesoftware.openfire.plugin.rest.service.JerseyWrapper;
 import org.jivesoftware.openfire.stats.StatisticsManager;
+import org.jivesoftware.util.CertificateEventListener;
+import org.jivesoftware.util.CertificateManager;
 import org.jivesoftware.util.JiveGlobals;
 import org.jivesoftware.util.PropertyEventDispatcher;
 import org.jivesoftware.util.PropertyEventListener;
@@ -32,7 +35,7 @@
 /**
  * The Class RESTServicePlugin.
  */
-public class RESTServicePlugin implements Plugin, PropertyEventListener {
+public class RESTServicePlugin implements Plugin, PropertyEventListener, CertificateEventListener {
 
     private static final String CUSTOM_AUTH_FILTER_PROPERTY_NAME = "plugin.restapi.customAuthFilter";
     public static final String SERVICE_LOGGING_ENABLED = "plugin.restapi.serviceLoggingEnabled";
@@ -99,6 +102,9 @@ public void initializePlugin(PluginManager manager, File pluginDirectory) {
         // Listen to system property events
         PropertyEventDispatcher.addListener(this);
 
+        // Re-register the URL exclusion if the admin console restarts (e.g. on certificate change)
+        CertificateManager.addListener(this);
+
         // Exclude this servlet from requering the user to login
         AuthCheckFilter.addExclude(JerseyWrapper.SERVLET_URL);
     }
@@ -118,6 +124,17 @@ public void destroyPlugin() {
         AuthCheckFilter.removeExclude(JerseyWrapper.SERVLET_URL);
         // Stop listening to system property events
         PropertyEventDispatcher.removeListener(this);
+        CertificateManager.removeListener(this);
+    }
+
+    /**
+     * Re-registers the URL exclusion with the admin console's AuthCheckFilter after a certificate
+     * store change, which triggers an admin console restart that would otherwise clear plugin-
+     * registered excludes.
+     */
+    @Override
+    public void storeContentChanged(CertificateStore store) {
+        AuthCheckFilter.addExclude(JerseyWrapper.SERVLET_URL);
     }
 
     /**
