|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object org.springframework.web.filter.GenericFilterBean org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter
public abstract class AbstractPreAuthenticatedProcessingFilter
Base class for processing filters that handle pre-authenticated authentication requests, where it is assumed that the principal has already been authenticated by an external system.
The purpose is then only to extract the necessary information on the principal from the incoming request, rather
than to authenticate them. External authentication systems may provide this information via request data such as
headers or cookies which the pre-authentication system can extract. It is assumed that the external system is
responsible for the accuracy of the data and preventing the submission of forged values.
Subclasses must implement the getPreAuthenticatedPrincipal()
and getPreAuthenticatedCredentials()
methods. Subclasses of this filter are typically used in combination with a
PreAuthenticatedAuthenticationProvider
, which is used to load additional data for the user.
This provider will reject null credentials, so the getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest)
method should not return
null for a valid principal.
If the security context already contains an Authentication
object (either from a invocation of the
filter or because of some other authentication mechanism), the filter will do nothing by default. You can force
it to check for a change in the principal by setting the checkForPrincipalChanges
property.
By default, the filter chain will proceed when an authentication attempt fails in order to allow other
authentication mechanisms to process the request. To reject the credentials immediately, set the
continueFilterChainOnUnsuccessfulAuthentication flag to false. The exception raised by the
AuthenticationManager will the be re-thrown. Note that this will not affect cases where the principal
returned by getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest)
is null, when the chain will still proceed as normal.
Field Summary |
---|
Fields inherited from class org.springframework.web.filter.GenericFilterBean |
---|
logger |
Constructor Summary | |
---|---|
AbstractPreAuthenticatedProcessingFilter()
|
Method Summary | |
---|---|
void |
afterPropertiesSet()
Check whether all required properties have been set. |
void |
doFilter(javax.servlet.ServletRequest request,
javax.servlet.ServletResponse response,
javax.servlet.FilterChain chain)
Try to authenticate a pre-authenticated user with Spring Security if the user has not yet been authenticated. |
protected abstract Object |
getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request)
Override to extract the credentials (if applicable) from the current request. |
protected abstract Object |
getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request)
Override to extract the principal information from the current request |
void |
setApplicationEventPublisher(ApplicationEventPublisher anApplicationEventPublisher)
|
void |
setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
|
void |
setAuthenticationManager(AuthenticationManager authenticationManager)
|
void |
setCheckForPrincipalChanges(boolean checkForPrincipalChanges)
If set, the pre-authenticated principal will be checked on each request and compared against the name of the current Authentication object. |
void |
setContinueFilterChainOnUnsuccessfulAuthentication(boolean shouldContinue)
|
void |
setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange)
If checkForPrincipalChanges is set, and a change of principal is detected, determines whether any existing session should be invalidated before proceeding to authenticate the new principal. |
protected void |
successfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
Authentication authResult)
Puts the Authentication instance returned by the
authentication manager into the secure context. |
protected void |
unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
AuthenticationException failed)
Ensures the authentication object in the secure context is set to null when authentication fails. |
Methods inherited from class org.springframework.web.filter.GenericFilterBean |
---|
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
---|
public AbstractPreAuthenticatedProcessingFilter()
Method Detail |
---|
public void afterPropertiesSet()
afterPropertiesSet
in interface InitializingBean
afterPropertiesSet
in class GenericFilterBean
public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
doFilter
in interface javax.servlet.Filter
IOException
javax.servlet.ServletException
protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authResult)
Authentication
instance returned by the
authentication manager into the secure context.
protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationException failed)
public void setApplicationEventPublisher(ApplicationEventPublisher anApplicationEventPublisher)
setApplicationEventPublisher
in interface ApplicationEventPublisherAware
anApplicationEventPublisher
- The ApplicationEventPublisher to usepublic void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
authenticationDetailsSource
- The AuthenticationDetailsSource to usepublic void setAuthenticationManager(AuthenticationManager authenticationManager)
authenticationManager
- The AuthenticationManager to usepublic void setContinueFilterChainOnUnsuccessfulAuthentication(boolean shouldContinue)
public void setCheckForPrincipalChanges(boolean checkForPrincipalChanges)
checkForPrincipalChanges
- public void setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange)
invalidateSessionOnPrincipalChange
- false to retain the existing session. Defaults to true.protected abstract Object getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request)
protected abstract Object getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request)
|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |