java.lang.Object
  org.springframework.web.filter.GenericFilterBean
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

public abstract class AbstractAuthenticationProcessingFilter
extends GenericFilterBean
implements ApplicationEventPublisherAware, MessageSourceAware
Abstract processor of browser-based HTTP-based authentication requests.

This filter will intercept a request and attempt to perform authentication from that request if the request URL matches the value of the filterProcessesUrl property. This behaviour can be modified by overriding the method requiresAuthentication.

Authentication is performed by the attemptAuthentication method, which must be implemented by subclasses. If authentication is successful, the resulting Authentication object will be placed into the SecurityContext for the current thread, which is guaranteed to have already been created by an earlier filter.

The configured AuthenticationSuccessHandler will then be called to take the redirect to the appropriate destination after a successful login. The default behaviour is implemented in a SavedRequestAwareAuthenticationSuccessHandler which will make use of any DefaultSavedRequest set by the ExceptionTranslationFilter and redirect the user to the URL contained therein. Otherwise it will redirect to the webapp root "/". You can customize this behaviour by injecting a differently configured instance of this class, or by using a different implementation. See the successfulAuthentication method for more information.

If authentication fails, the resulting AuthenticationException will be placed into the HttpSession with the attribute defined by SPRING_SECURITY_LAST_EXCEPTION_KEY. It will then delegate to the configured AuthenticationFailureHandler to allow the failure information to be conveyed to the client. The default implementation is SimpleUrlAuthenticationFailureHandler, which sends a 401 error code to the client. It may also be configured with a failure URL as an alternative. Again you can inject whatever behaviour you require here.

If authentication is successful, an InteractiveAuthenticationSuccessEvent will be published via the application context. No events will be published if authentication was unsuccessful, because this would generally be recorded via an AuthenticationManager-specific application event.
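The description above leaves the two hooks a subclass must deal with, requiresAuthentication and attemptAuthentication, abstract. The following subclass is an added example written for this page (it is not part of Spring Security); the header names, the "/api/login" processing URL and the package are hypothetical. It accepts credentials from two request headers, restricts login attempts to POST requests, attaches request details through the inherited authenticationDetailsSource field, and leaves success and failure handling, session handling and event publishing entirely to the base class:

```java
package com.example.security; // hypothetical package

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

/**
 * Example subclass: authenticates clients that send their credentials in two
 * request headers (hypothetical names) instead of form fields. Everything after
 * attemptAuthentication returns or throws is inherited behaviour of the base class.
 */
public class HeaderCredentialsAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    private static final String USERNAME_HEADER = "X-Auth-Username"; // hypothetical header
    private static final String PASSWORD_HEADER = "X-Auth-Password"; // hypothetical header

    public HeaderCredentialsAuthenticationFilter() {
        // Default filterProcessesUrl; can still be changed with setFilterProcessesUrl
        super("/api/login");
    }

    /** Only POST requests to the processing URL are treated as login attempts. */
    @Override
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        return "POST".equals(request.getMethod()) && super.requiresAuthentication(request, response);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String username = request.getHeader(USERNAME_HEADER);
        String password = request.getHeader(PASSWORD_HEADER);

        if (username == null || password == null) {
            // A thrown AuthenticationException takes the doFilter failure path:
            // unsuccessfulAuthentication -> configured AuthenticationFailureHandler
            throw new AuthenticationServiceException("Missing credential headers");
        }

        UsernamePasswordAuthenticationToken authRequest =
                new UsernamePasswordAuthenticationToken(username.trim(), password);

        // Record remote address / session id via the inherited AuthenticationDetailsSource
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));

        // A returned Authentication takes the success path:
        // SessionAuthenticationStrategy -> successfulAuthentication -> AuthenticationSuccessHandler
        return getAuthenticationManager().authenticate(authRequest);
    }
}
```

Because the credential check is delegated to the injected AuthenticationManager, the subclass never compares secrets itself; a wrong password surfaces as an AuthenticationException thrown by the manager and is routed to the failure handler exactly like the missing-header case.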
The filter has an optional attribute invalidateSessionOnSuccessfulAuthentication that will invalidate the current session on successful authentication. This is to protect against session fixation attacks (see the Wikipedia article on session fixation for more information). The behaviour is turned off by default. Additionally there is a property migrateInvalidatedSessionAttributes which controls whether, on session invalidation, all session attributes are migrated from the old session to a newly created one. This is turned on by default, but not used unless invalidateSessionOnSuccessfulAuthentication is true. If you are using this feature in combination with concurrent session control, you should set the sessionRegistry property to make sure that the session information is updated consistently.
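The method summary on this page exposes setSessionAuthenticationStrategy rather than setters for the two session properties named above, so the session-fixation mitigation is configured through a SessionAuthenticationStrategy. The wiring below is an added example, not code from Spring Security; it assumes SessionFixationProtectionStrategy (org.springframework.security.web.authentication.session) and UsernamePasswordAuthenticationFilter are available in the version in use, and the URLs are constructed for the example. It shows a complete filter set-up: processing URL, AuthenticationManager, session strategy, success handler that honours a saved request, and a failure handler that redirects instead of sending a bare 401:

```java
package com.example.security; // hypothetical package

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

/** Example factory that wires a login filter programmatically (URLs are constructed values). */
public final class LoginFilterConfig {

    private LoginFilterConfig() {
    }

    public static AbstractAuthenticationProcessingFilter loginFilter(AuthenticationManager authenticationManager) {
        // Concrete subclass shipped with Spring Security; reads j_username / j_password form fields
        UsernamePasswordAuthenticationFilter filter = new UsernamePasswordAuthenticationFilter();
        filter.setFilterProcessesUrl("/login/check");          // requests matching this URL are login attempts
        filter.setAuthenticationManager(authenticationManager); // required; afterPropertiesSet() checks it

        // Session fixation protection: on success the pre-login session is replaced by a new one.
        // setMigrateSessionAttributes plays the role of migrateInvalidatedSessionAttributes.
        SessionFixationProtectionStrategy sessionStrategy = new SessionFixationProtectionStrategy();
        sessionStrategy.setMigrateSessionAttributes(true);
        filter.setSessionAuthenticationStrategy(sessionStrategy);

        // Success: redirect to a DefaultSavedRequest stored by ExceptionTranslationFilter,
        // otherwise to the given default target instead of the webapp root "/".
        SavedRequestAwareAuthenticationSuccessHandler successHandler =
                new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setDefaultTargetUrl("/home");
        filter.setAuthenticationSuccessHandler(successHandler);

        // Failure: the no-arg handler would send HTTP 401; with a URL it redirects instead.
        SimpleUrlAuthenticationFailureHandler failureHandler =
                new SimpleUrlAuthenticationFailureHandler("/login?error=1");
        filter.setAuthenticationFailureHandler(failureHandler);

        // Allow a session to be created to hold the security context after login
        filter.setAllowSessionCreation(true);

        // Same validation the container/bean factory would trigger for a GenericFilterBean
        filter.afterPropertiesSet();
        return filter;
    }
}
```

The returned filter is placed in the security filter chain after the filter that establishes the SecurityContext and before ExceptionTranslationFilter, which is the ordering the class description relies on ("guaranteed to have already been created by an earlier filter").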
Field Summary

| Modifier and Type | Field |
|---|---|
| protected AuthenticationDetailsSource | authenticationDetailsSource |
| protected ApplicationEventPublisher | eventPublisher |
| protected MessageSourceAccessor | messages |
| static String | SPRING_SECURITY_LAST_EXCEPTION_KEY |
| Fields inherited from class org.springframework.web.filter.GenericFilterBean |
|---|
| logger |
Constructor Summary

| Modifier | Constructor |
|---|---|
| protected | AbstractAuthenticationProcessingFilter(String defaultFilterProcessesUrl) |
Method Summary

| Modifier and Type | Method | Description |
|---|---|---|
| void | afterPropertiesSet() | |
| abstract Authentication | attemptAuthentication(HttpServletRequest request, HttpServletResponse response) | Performs actual authentication. |
| void | doFilter(ServletRequest req, ServletResponse res, FilterChain chain) | Invokes the requiresAuthentication method to determine whether the request is for authentication and should be handled by this filter. |
| protected boolean | getAllowSessionCreation() | |
| AuthenticationDetailsSource | getAuthenticationDetailsSource() | |
| protected AuthenticationManager | getAuthenticationManager() | |
| String | getFilterProcessesUrl() | |
| RememberMeServices | getRememberMeServices() | |
| protected boolean | requiresAuthentication(HttpServletRequest request, HttpServletResponse response) | Indicates whether this filter should attempt to process a login request for the current invocation. |
| void | setAllowSessionCreation(boolean allowSessionCreation) | |
| void | setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) | |
| void | setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) | |
| void | setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler) | |
| void | setAuthenticationManager(AuthenticationManager authenticationManager) | |
| void | setAuthenticationSuccessHandler(AuthenticationSuccessHandler successHandler) | Sets the strategy used to handle a successful authentication. |
| void | setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication) | Indicates if the filter chain should be continued prior to delegation to successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication), which may be useful in certain environments (such as Tapestry applications). |
| void | setFilterProcessesUrl(String filterProcessesUrl) | |
| void | setMessageSource(MessageSource messageSource) | |
| void | setRememberMeServices(RememberMeServices rememberMeServices) | |
| void | setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionStrategy) | The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager. |
| protected void | successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) | Default behaviour for successful authentication. |
| protected void | unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) | Default behaviour for unsuccessful authentication. |
| Methods inherited from class org.springframework.web.filter.GenericFilterBean |
|---|
| addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext |

| Methods inherited from class java.lang.Object |
|---|
| clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail

public static final String SPRING_SECURITY_LAST_EXCEPTION_KEY

protected ApplicationEventPublisher eventPublisher

protected AuthenticationDetailsSource authenticationDetailsSource

protected MessageSourceAccessor messages
Constructor Detail

protected AbstractAuthenticationProcessingFilter(String defaultFilterProcessesUrl)

Parameters:
defaultFilterProcessesUrl - the default value for filterProcessesUrl.

Method Detail

public void afterPropertiesSet()

Specified by:
afterPropertiesSet in interface InitializingBean
Overrides:
afterPropertiesSet in class GenericFilterBean
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException

Invokes the requiresAuthentication method to determine whether the request is for authentication and should be handled by this filter. If it is an authentication request, attemptAuthentication will be invoked to perform the authentication. There are then three possible outcomes:

1. An Authentication object is returned. The configured SessionAuthenticationStrategy will be invoked (to handle any session-related behaviour such as creating a new session to protect against session-fixation attacks) followed by the successfulAuthentication method.
2. An AuthenticationException occurs during authentication. The unsuccessfulAuthentication method will be invoked.
3. Null is returned, indicating that the authentication process is incomplete. The method will then return immediately, assuming that the subclass has done any necessary work (such as redirects) to continue the authentication process. The assumption is that a later request will be received by this method where the returned Authentication object is not null.

Specified by:
doFilter in interface Filter
Throws:
IOException
ServletException
protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response)

Indicates whether this filter should attempt to process a login request for the current invocation.

It strips any parameters from the "path" section of the request URL (such as the jsessionid parameter in http://host/myapp/index.html;jsessionid=blah) before matching against the filterProcessesUrl property.

Subclasses may override for special requirements, such as Tapestry integration.

Returns:
true if the filter should attempt authentication, false otherwise.

public abstract Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException

Performs actual authentication.

The implementation should do one of the following:

1. Return a populated authentication token for the authenticated user, indicating successful authentication.
2. Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
3. Throw an AuthenticationException if the authentication process fails.

Parameters:
request - from which to extract parameters and perform the authentication
response - the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID).
Throws:
AuthenticationException - if authentication fails.
IOException
ServletException
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) throws IOException, ServletException

Default behaviour for successful authentication.

1. Sets the successful Authentication object on the SecurityContextHolder.
2. Invokes the configured SessionAuthenticationStrategy to handle any session-related behaviour (such as creating a new session to protect against session-fixation attacks).
3. Fires an InteractiveAuthenticationSuccessEvent via the configured ApplicationEventPublisher.
4. Delegates additional behaviour to the AuthenticationSuccessHandler.

Parameters:
authResult - the object returned from the attemptAuthentication method.
Throws:
IOException
ServletException
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException

Default behaviour for unsuccessful authentication.

1. Clears the SecurityContextHolder.
2. Delegates additional behaviour to the AuthenticationFailureHandler.

Throws:
IOException
ServletException
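The failure path ends in the configured AuthenticationFailureHandler, and the class description notes that no application event is published for failed logins. A handler that records the failure for monitoring before delegating to the default SimpleUrlAuthenticationFailureHandler is therefore a natural place to add audit logging. The following is an added example written for this page, not a Spring Security class; it assumes commons-logging is on the classpath (it is a dependency of GenericFilterBean) and a hypothetical package name:

```java
package com.example.security; // hypothetical package

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

/**
 * Example handler: writes one audit line per failed login, then hands the request to
 * the default handler so the client still gets the usual 401 or failure-URL redirect.
 * Install it with AbstractAuthenticationProcessingFilter.setAuthenticationFailureHandler(...).
 */
public class AuditingAuthenticationFailureHandler implements AuthenticationFailureHandler {

    private static final Log logger = LogFactory.getLog(AuditingAuthenticationFailureHandler.class);

    private final AuthenticationFailureHandler delegate;

    /** @param failureUrl redirect target, or null to keep the default HTTP 401 behaviour */
    public AuditingAuthenticationFailureHandler(String failureUrl) {
        this.delegate = (failureUrl == null)
                ? new SimpleUrlAuthenticationFailureHandler()
                : new SimpleUrlAuthenticationFailureHandler(failureUrl);
    }

    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        // Log the exception class rather than its message: messages may echo client-supplied
        // input, and the class (BadCredentials, Locked, Disabled, ...) is what a monitor keys on.
        logger.warn("Authentication failure from " + request.getRemoteAddr()
                + " on " + request.getRequestURI()
                + ": " + exception.getClass().getSimpleName());

        // Preserve the default behaviour described for the filter's failure path
        delegate.onAuthenticationFailure(request, response, exception);
    }
}
```

Logging the exception type instead of its message, and the remote address instead of the submitted username, keeps the audit trail useful for rate-of-failure alerts without copying untrusted input into the log.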
protected AuthenticationManager getAuthenticationManager()

public void setAuthenticationManager(AuthenticationManager authenticationManager)

public String getFilterProcessesUrl()

public void setFilterProcessesUrl(String filterProcessesUrl)

public RememberMeServices getRememberMeServices()

public void setRememberMeServices(RememberMeServices rememberMeServices)

public void setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication)

Indicates if the filter chain should be continued prior to delegation to successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication), which may be useful in certain environments (such as Tapestry applications). Defaults to false.

public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher)

Specified by:
setApplicationEventPublisher in interface ApplicationEventPublisherAware

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)

public void setMessageSource(MessageSource messageSource)

Specified by:
setMessageSource in interface MessageSourceAware

public AuthenticationDetailsSource getAuthenticationDetailsSource()

protected boolean getAllowSessionCreation()

public void setAllowSessionCreation(boolean allowSessionCreation)

public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionStrategy)

The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager.

Parameters:
sessionStrategy - the implementation to use. If not set a null implementation is used.

public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler successHandler)

Sets the strategy used to handle a successful authentication. By default a SavedRequestAwareAuthenticationSuccessHandler is used.

public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)