org.springframework.security.web.authentication.preauth
Class AbstractPreAuthenticatedProcessingFilter

java.lang.Object
  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter
All Implemented Interfaces:
Filter, BeanNameAware, DisposableBean, InitializingBean, ApplicationEventPublisherAware, ServletContextAware
Direct Known Subclasses:
J2eePreAuthenticatedProcessingFilter, RequestHeaderAuthenticationFilter, WebSpherePreAuthenticatedProcessingFilter, X509AuthenticationFilter

public abstract class AbstractPreAuthenticatedProcessingFilter
extends GenericFilterBean
implements InitializingBean, ApplicationEventPublisherAware

Base class for processing filters that handle pre-authenticated authentication requests. Subclasses must implement the getPreAuthenticatedPrincipal() and getPreAuthenticatedCredentials() methods.

If the security context already contains an Authentication object (either from an invocation of the filter or because of some other authentication mechanism), the filter will do nothing by default. You can force it to check for a change in the principal by setting the checkForPrincipalChanges property.

By default, the filter chain will proceed when an authentication attempt fails, in order to allow other authentication mechanisms to process the request. To reject the credentials immediately, set the continueFilterChainOnUnsuccessfulAuthentication flag to false. The exception raised by the AuthenticationManager will then be re-thrown. Note that this does not affect cases where the principal returned by getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest) is null; in that case the chain will still proceed as normal.
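
The following is an added example, not code from Spring Security: a subclass that takes the principal from a header set by an authenticating reverse proxy and applies the properties described above so that a failed authentication is rejected rather than passed down the chain. The class name, header name and proxy address are assumptions made for the example.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

// Added example: hypothetical subclass, not part of Spring Security.
public class ProxyHeaderPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    // Assumptions: placeholder header name and proxy address for this example.
    private static final String USER_HEADER = "X-Authenticated-User";
    private static final String TRUSTED_PROXY_ADDR = "10.0.0.5";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // Accept the header only from the proxy that performed the authentication;
        // a client connecting directly could set the header itself.
        if (!TRUSTED_PROXY_ADDR.equals(request.getRemoteAddr())) {
            return null; // null principal: the filter chain proceeds as normal
        }
        String user = request.getHeader(USER_HEADER);
        if (user == null || user.trim().length() == 0) {
            return null; // header absent or blank: treated as "no pre-authentication"
        }
        return user.trim();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // The proxy holds the real credentials; return a dummy value.
        return "N/A";
    }

    /** Builds the filter with settings that reject a failed authentication. */
    public static ProxyHeaderPreAuthFilter create(AuthenticationManager authenticationManager) {
        ProxyHeaderPreAuthFilter filter = new ProxyHeaderPreAuthFilter();
        filter.setAuthenticationManager(authenticationManager);
        // Re-throw the AuthenticationManager's exception instead of continuing the chain.
        filter.setContinueFilterChainOnUnsuccessfulAuthentication(false);
        // Compare the extracted principal with the current Authentication name on each request.
        filter.setCheckForPrincipalChanges(true);
        // Invalidate the existing session when the principal changes (this is the default).
        filter.setInvalidateSessionOnPrincipalChange(true);
        return filter;
    }
}
```

Because a null principal always lets the chain continue, requests without the header still need to be denied by the access rules that follow this filter.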

Since:
2.0
Author:
Luke Taylor, Ruud Senden

Field Summary
 
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
 
Constructor Summary
AbstractPreAuthenticatedProcessingFilter()
           
 
Method Summary
 void afterPropertiesSet()
          Check whether all required properties have been set.
 void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
          Try to authenticate a pre-authenticated user with Spring Security if the user has not yet been authenticated.
protected abstract  Object getPreAuthenticatedCredentials(HttpServletRequest request)
          Override to extract the credentials (if applicable) from the current request.
protected abstract  Object getPreAuthenticatedPrincipal(HttpServletRequest request)
          Override to extract the principal information from the current request.
 void setApplicationEventPublisher(ApplicationEventPublisher anApplicationEventPublisher)
           
 void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
           
 void setAuthenticationManager(AuthenticationManager authenticationManager)
           
 void setCheckForPrincipalChanges(boolean checkForPrincipalChanges)
          If set, the pre-authenticated principal will be checked on each request and compared against the name of the current Authentication object.
 void setContinueFilterChainOnUnsuccessfulAuthentication(boolean shouldContinue)
           
 void setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange)
          If checkForPrincipalChanges is set, and a change of principal is detected, determines whether any existing session should be invalidated before proceeding to authenticate the new principal.
protected  void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult)
          Puts the Authentication instance returned by the authentication manager into the secure context.
protected  void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed)
          Ensures the authentication object in the secure context is set to null when authentication fails.
 
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AbstractPreAuthenticatedProcessingFilter

public AbstractPreAuthenticatedProcessingFilter()
Method Detail

afterPropertiesSet

public void afterPropertiesSet()
Check whether all required properties have been set.

Specified by:
afterPropertiesSet in interface InitializingBean
Overrides:
afterPropertiesSet in class GenericFilterBean

doFilter

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
              throws IOException,
                     ServletException
Try to authenticate a pre-authenticated user with Spring Security if the user has not yet been authenticated.

Specified by:
doFilter in interface Filter
Throws:
IOException
ServletException

successfulAuthentication

protected void successfulAuthentication(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authResult)
Puts the Authentication instance returned by the authentication manager into the secure context.


unsuccessfulAuthentication

protected void unsuccessfulAuthentication(HttpServletRequest request,
                                          HttpServletResponse response,
                                          AuthenticationException failed)
Ensures the authentication object in the secure context is set to null when authentication fails.


setApplicationEventPublisher

public void setApplicationEventPublisher(ApplicationEventPublisher anApplicationEventPublisher)
Specified by:
setApplicationEventPublisher in interface ApplicationEventPublisherAware
Parameters:
anApplicationEventPublisher - The ApplicationEventPublisher to use

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
Parameters:
authenticationDetailsSource - The AuthenticationDetailsSource to use

setAuthenticationManager

public void setAuthenticationManager(AuthenticationManager authenticationManager)
Parameters:
authenticationManager - The AuthenticationManager to use

setContinueFilterChainOnUnsuccessfulAuthentication

public void setContinueFilterChainOnUnsuccessfulAuthentication(boolean shouldContinue)

setCheckForPrincipalChanges

public void setCheckForPrincipalChanges(boolean checkForPrincipalChanges)
If set, the pre-authenticated principal will be checked on each request and compared against the name of the current Authentication object. If a change is detected, the user will be reauthenticated.

Parameters:
checkForPrincipalChanges -

setInvalidateSessionOnPrincipalChange

public void setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange)
If checkForPrincipalChanges is set, and a change of principal is detected, determines whether any existing session should be invalidated before proceeding to authenticate the new principal.

Parameters:
invalidateSessionOnPrincipalChange - false to retain the existing session. Defaults to true.

getPreAuthenticatedPrincipal

protected abstract Object getPreAuthenticatedPrincipal(HttpServletRequest request)
Override to extract the principal information from the current request.


getPreAuthenticatedCredentials

protected abstract Object getPreAuthenticatedCredentials(HttpServletRequest request)
Override to extract the credentials (if applicable) from the current request. Some implementations may return a dummy value.



Copyright © 2004-2009 SpringSource, Inc. All Rights Reserved.