org.springframework.security.web.authentication
Class UsernamePasswordAuthenticationFilter

java.lang.Object
  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
          extended by org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
All Implemented Interfaces:
Filter, BeanNameAware, DisposableBean, InitializingBean, ApplicationEventPublisherAware, MessageSourceAware, ServletContextAware
Direct Known Subclasses:
AuthenticationProcessingFilter

public class UsernamePasswordAuthenticationFilter
extends AbstractAuthenticationProcessingFilter

Processes an authentication form. Called AuthenticationProcessingFilter in previous versions of the framework.

Login forms must present two parameters to this filter: a username and password. The default parameter names to use are contained in the static fields SPRING_SECURITY_FORM_USERNAME_KEY and SPRING_SECURITY_FORM_PASSWORD_KEY. The parameter names can also be changed by setting the usernameParameter and passwordParameter properties.

This filter by default responds to the URL /j_spring_security_check.

Since:
3.0
Version:
$Id: UsernamePasswordAuthenticationFilter.java 3924 2009-10-05 17:33:34Z ltaylor $
Author:
Ben Alex, Colin Sampaleanu, Luke Taylor

Field Summary
static String SPRING_SECURITY_FORM_PASSWORD_KEY
           
static String SPRING_SECURITY_FORM_USERNAME_KEY
           
static String SPRING_SECURITY_LAST_USERNAME_KEY
           
 
Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
authenticationDetailsSource, eventPublisher, messages, SPRING_SECURITY_LAST_EXCEPTION_KEY
 
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
 
Constructor Summary
UsernamePasswordAuthenticationFilter()
           
 
Method Summary
 Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
          Performs actual authentication.
 String getPasswordParameter()
           
 String getUsernameParameter()
           
protected  String obtainPassword(HttpServletRequest request)
          Enables subclasses to override the composition of the password, such as by including additional values and a separator.
protected  String obtainUsername(HttpServletRequest request)
          Enables subclasses to override the composition of the username, such as by including additional values and a separator.
protected  void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest)
          Provided so that subclasses may configure what is put into the authentication request's details property.
 void setPasswordParameter(String passwordParameter)
          Sets the parameter name which will be used to obtain the password from the login request.
 void setPostOnly(boolean postOnly)
          Defines whether only HTTP POST requests will be allowed by this filter.
 void setUsernameParameter(String usernameParameter)
          Sets the parameter name which will be used to obtain the username from the login request.
 
Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationDetailsSource, getAuthenticationManager, getFilterProcessesUrl, getRememberMeServices, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setSessionAuthenticationStrategy, successfulAuthentication, unsuccessfulAuthentication
 
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

SPRING_SECURITY_FORM_USERNAME_KEY

public static final String SPRING_SECURITY_FORM_USERNAME_KEY
See Also:
Constant Field Values

SPRING_SECURITY_FORM_PASSWORD_KEY

public static final String SPRING_SECURITY_FORM_PASSWORD_KEY
See Also:
Constant Field Values

SPRING_SECURITY_LAST_USERNAME_KEY

public static final String SPRING_SECURITY_LAST_USERNAME_KEY
See Also:
Constant Field Values
Constructor Detail

UsernamePasswordAuthenticationFilter

public UsernamePasswordAuthenticationFilter()
Method Detail

attemptAuthentication

public Authentication attemptAuthentication(HttpServletRequest request,
                                            HttpServletResponse response)
                                     throws AuthenticationException
Description copied from class: AbstractAuthenticationProcessingFilter
Performs actual authentication.

The implementation should do one of the following:

  1. Return a populated authentication token for the authenticated user, indicating successful authentication
  2. Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
  3. Throw an AuthenticationException if the authentication process fails

Specified by:
attemptAuthentication in class AbstractAuthenticationProcessingFilter
Parameters:
request - from which to extract parameters and perform the authentication
response - the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID).
Returns:
the authenticated user token, or null if authentication is incomplete.
Throws:
AuthenticationException - if authentication fails.

obtainPassword

protected String obtainPassword(HttpServletRequest request)
Enables subclasses to override the composition of the password, such as by including additional values and a separator.

This might be used for example if a postcode/zipcode was required in addition to the password. A delimiter such as a pipe (|) should be used to separate the password and extended value(s); choose a delimiter that cannot occur in the extended value(s), otherwise the composite cannot be split unambiguously on the other side. The authentication provider (referred to as the AuthenticationDao in older versions of the framework) will need to generate or decompose the expected password in a corresponding manner.

Parameters:
request - so that request attributes can be retrieved
Returns:
the password that will be presented in the Authentication request token to the AuthenticationManager

obtainUsername

protected String obtainUsername(HttpServletRequest request)
Enables subclasses to override the composition of the username, such as by including additional values and a separator.

Parameters:
request - so that request attributes can be retrieved
Returns:
the username that will be presented in the Authentication request token to the AuthenticationManager

setDetails

protected void setDetails(HttpServletRequest request,
                          UsernamePasswordAuthenticationToken authRequest)
Provided so that subclasses may configure what is put into the authentication request's details property.

Parameters:
request - that an authentication request is being created for
authRequest - the authentication request object that should have its details set
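The following is an added example, not code from Spring Security itself, showing all three hooks described above (obtainUsername, obtainPassword and setDetails) together with the matching provider-side decomposition that the obtainPassword documentation asks for. The extra form field name j_postcode, the pipe separator, the PostcodeWebAuthenticationDetails class, the PostcodeAuthenticationProvider class and the in-memory user store are all assumptions made for this example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/** Filter side: composes "password|POSTCODE" and records the postcode in the details (example only). */
public class PostcodeAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    public static final String POSTCODE_PARAMETER = "j_postcode"; // hypothetical extra form field
    public static final char SEPARATOR = '|';                     // must never occur in a postcode

    @Override
    protected String obtainUsername(HttpServletRequest request) {
        String username = super.obtainUsername(request);
        // Assumption for this example: usernames are stored lower-case, so normalise here
        // rather than letting "Alice" and "alice" reach the provider as different principals.
        return username == null ? null : username.trim().toLowerCase();
    }

    @Override
    protected String obtainPassword(HttpServletRequest request) {
        String password = super.obtainPassword(request);
        String postcode = request.getParameter(POSTCODE_PARAMETER);
        if (password == null || postcode == null) {
            return password; // a missing field is left for the provider to reject
        }
        // Normalise the postcode so "sw1a 1aa" and "SW1A 1AA" compose identically.
        return password + SEPARATOR + postcode.replaceAll("\\s+", "").toUpperCase();
    }

    @Override
    protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
        authRequest.setDetails(new PostcodeWebAuthenticationDetails(request));
    }

    /** The default WebAuthenticationDetails (remote address, session id) plus the submitted postcode. */
    public static class PostcodeWebAuthenticationDetails extends WebAuthenticationDetails {
        private final String postcode;

        public PostcodeWebAuthenticationDetails(HttpServletRequest request) {
            super(request);
            this.postcode = request.getParameter(POSTCODE_PARAMETER);
        }

        public String getPostcode() {
            return postcode;
        }
    }

    /**
     * Provider side: splits the composite the same way the filter built it. The split is on the
     * LAST separator because a postcode never contains one but a user's password may.
     */
    public static class PostcodeAuthenticationProvider implements AuthenticationProvider {
        // Constructed in-memory store for the example: username -> {password, postcode}.
        private final Map<String, String[]> store = new HashMap<String, String[]>();

        public PostcodeAuthenticationProvider() {
            store.put("alice", new String[] {"pa|ss", "SW1A1AA"});
        }

        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            String username = authentication.getName();
            String composite = String.valueOf(authentication.getCredentials());
            int cut = composite.lastIndexOf(SEPARATOR);
            String[] expected = store.get(username);
            if (expected == null || cut < 0) {
                throw new BadCredentialsException("Bad credentials");
            }
            String password = composite.substring(0, cut);
            String postcode = composite.substring(cut + 1);
            if (!expected[0].equals(password) || !expected[1].equals(postcode)) {
                throw new BadCredentialsException("Bad credentials"); // same message for every failure
            }
            UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                    username, null, Collections.<GrantedAuthority>emptyList());
            result.setDetails(authentication.getDetails()); // keep remote address, session id, postcode
            return result;
        }

        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }
}
```

The provider returns the same "Bad credentials" message whether the username, password or postcode was wrong, so the extra factor does not leak which part failed. Wire PostcodeAuthenticationFilter in place of the stock filter and register PostcodeAuthenticationProvider with the AuthenticationManager the filter is given.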

setUsernameParameter

public void setUsernameParameter(String usernameParameter)
Sets the parameter name which will be used to obtain the username from the login request.

Parameters:
usernameParameter - the parameter name. Defaults to "j_username".

setPasswordParameter

public void setPasswordParameter(String passwordParameter)
Sets the parameter name which will be used to obtain the password from the login request.

Parameters:
passwordParameter - the parameter name. Defaults to "j_password".

setPostOnly

public void setPostOnly(boolean postOnly)
Defines whether only HTTP POST requests will be allowed by this filter. If set to true and an authentication request is received that is not a POST request, an exception is raised immediately and authentication is not attempted; the unsuccessfulAuthentication() method is called as if handling a failed authentication. Leave this enabled unless there is a specific reason not to: credentials submitted with GET travel in the query string, where they end up in access logs, proxy logs, browser history and Referer headers.

Defaults to true but may be overridden by subclasses.
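The following is an added example, not code from Spring Security itself, covering the configuration described in the class overview (parameter names, processing URL) and the POST-only behaviour above: it builds the filter programmatically, then drives attemptAuthentication with spring-test's MockHttpServletRequest to show a GET being refused before any credential lookup and a POST with the renamed parameters succeeding. The stub AuthenticationManager, the user "alice"/"s3cret", the parameter names username/password and the URL /login are assumptions made for this example.

```java
import java.util.Collections;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

public class FormLoginFilterExample {

    /** Stub AuthenticationManager for the example: accepts exactly one constructed credential pair. */
    static AuthenticationManager stubManager() {
        return new AuthenticationManager() {
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                String name = authentication.getName();
                Object credentials = authentication.getCredentials();
                if ("alice".equals(name) && "s3cret".equals(credentials)) {
                    return new UsernamePasswordAuthenticationToken(
                            name, null, Collections.<GrantedAuthority>emptyList());
                }
                throw new BadCredentialsException("Bad credentials");
            }
        };
    }

    /** Builds the filter with non-default parameter names and processing URL. */
    static UsernamePasswordAuthenticationFilter buildFilter() throws Exception {
        UsernamePasswordAuthenticationFilter filter = new UsernamePasswordAuthenticationFilter();
        filter.setUsernameParameter("username");  // instead of j_username
        filter.setPasswordParameter("password");  // instead of j_password
        filter.setFilterProcessesUrl("/login");   // instead of /j_spring_security_check
        filter.setPostOnly(true);                 // already the default; stated explicitly
        filter.setAuthenticationManager(stubManager());
        filter.afterPropertiesSet();              // fails fast if no AuthenticationManager was set
        return filter;
    }

    public static void main(String[] args) throws Exception {
        UsernamePasswordAuthenticationFilter filter = buildFilter();

        // 1. A GET carrying credentials in the query string is refused before any lookup happens,
        //    so the stub manager is never consulted.
        MockHttpServletRequest get = new MockHttpServletRequest("GET", "/login");
        get.setParameter("username", "alice");
        get.setParameter("password", "s3cret");
        try {
            filter.attemptAuthentication(get, new MockHttpServletResponse());
            System.out.println("GET accepted (unexpected)");
        } catch (AuthenticationException e) {
            System.out.println("GET refused: " + e.getMessage());
        }

        // 2. A POST with the renamed parameters reaches the manager and succeeds.
        MockHttpServletRequest post = new MockHttpServletRequest("POST", "/login");
        post.setParameter("username", "alice");
        post.setParameter("password", "s3cret");
        Authentication auth = filter.attemptAuthentication(post, new MockHttpServletResponse());
        System.out.println("POST authenticated: " + auth.getName()
                + ", authenticated=" + auth.isAuthenticated());

        // 3. A POST with a wrong password propagates the manager's exception.
        post.setParameter("password", "wrong");
        try {
            filter.attemptAuthentication(post, new MockHttpServletResponse());
        } catch (AuthenticationException e) {
            System.out.println("Wrong password refused: " + e.getMessage());
        }
    }
}
```

Calling attemptAuthentication directly isolates this class's behaviour; in a deployment the filter's inherited doFilter decides, via requiresAuthentication and the processing URL, whether a request reaches attemptAuthentication at all, and routes its result to the configured success and failure handlers.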


getUsernameParameter

public final String getUsernameParameter()

getPasswordParameter

public final String getPasswordParameter()


Copyright © 2004-2009 SpringSource, Inc. All Rights Reserved.