org.springframework.security.web.authentication.www
Class BasicAuthenticationFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.www.BasicAuthenticationFilter
- All Implemented Interfaces:
- javax.servlet.Filter, BeanNameAware, DisposableBean, InitializingBean, ServletContextAware
public class BasicAuthenticationFilter
- extends GenericFilterBean
Processes an HTTP request's BASIC authorization headers, putting the result into the SecurityContextHolder.
For a detailed background on what this filter is designed to process, refer to
RFC 1945, Section 11.1. Any realm name presented in
the HTTP request is ignored.
In summary, this filter is responsible for processing any request that has an HTTP request header of
Authorization with an authentication scheme of Basic and a Base64-encoded username:password token. For
example, to authenticate user "Aladdin" with password "open sesame" the following header would be presented:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
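The header format described above can be decoded with the JDK alone. The following is an added illustration, not Spring Security's own code: the class name, the Credentials record and the choice to return null for non-Basic headers are assumptions of this example, and it needs Java 16 or later for records.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicHeaderDemo {

    /** Decoded credentials; the password may itself contain ':' characters. */
    record Credentials(String username, String password) {}

    /**
     * Parses an Authorization header value of the form "Basic <base64(username:password)>".
     * Returns null when the header is absent or uses another scheme (nothing to process);
     * throws IllegalArgumentException when a Basic token is present but malformed.
     */
    static Credentials parse(String header, Charset charset) {
        final String prefix = "Basic ";
        // Scheme match is case-insensitive here (a choice of this example).
        if (header == null || !header.regionMatches(true, 0, prefix, 0, prefix.length())) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(prefix.length()).trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Basic token is not valid Base64", e);
        }
        String token = new String(decoded, charset);
        int colon = token.indexOf(':'); // split on the FIRST colon only
        if (colon < 0) {
            throw new IllegalArgumentException("Basic token has no ':' separator");
        }
        return new Credentials(token.substring(0, colon), token.substring(colon + 1));
    }

    public static void main(String[] args) {
        // Header value taken from the class description above; UTF-8 is assumed.
        Credentials c = parse("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", StandardCharsets.UTF_8);
        System.out.println(c.username() + " / " + c.password());
        // Constructed inputs: another scheme, and a token that decodes without a colon.
        System.out.println(parse("Bearer abc.def.ghi", StandardCharsets.UTF_8));
        String noColon = Base64.getEncoder().encodeToString("nocolon".getBytes(StandardCharsets.UTF_8));
        try {
            parse("Basic " + noColon, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Decoding needs no key, so anyone who can read the request can recover the password; this is why the header should only travel over an encrypted transport.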
This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as
Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).
If authentication is successful, the resulting Authentication object will be placed into the
SecurityContextHolder.
If authentication fails and ignoreFailure is false (the default), an AuthenticationEntryPoint implementation
is called. Usually this should be BasicAuthenticationEntryPoint, which will prompt the user to authenticate
again via BASIC authentication.
Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still
transmits a password in clear text and as such is undesirable in many situations. Digest authentication is also
provided by Spring Security and should be used instead of Basic authentication wherever possible. See
DigestAuthenticationFilter.
Note that if a RememberMeServices is set, this filter will automatically send back remember-me details to the
client. Therefore, subsequent requests will not need to present a BASIC authentication header as they will be
authenticated using the remember-me mechanism.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
BasicAuthenticationFilter
public BasicAuthenticationFilter()
afterPropertiesSet
public void afterPropertiesSet()
- Specified by:
afterPropertiesSet
in interface InitializingBean
- Overrides:
afterPropertiesSet
in class GenericFilterBean
doFilter
public void doFilter(javax.servlet.ServletRequest req,
javax.servlet.ServletResponse res,
javax.servlet.FilterChain chain)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
onSuccessfulAuthentication
protected void onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
Authentication authResult)
throws IOException
- Throws:
IOException
onUnsuccessfulAuthentication
protected void onUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
AuthenticationException failed)
throws IOException
- Throws:
IOException
getAuthenticationEntryPoint
protected AuthenticationEntryPoint getAuthenticationEntryPoint()
setAuthenticationEntryPoint
public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint)
getAuthenticationManager
protected AuthenticationManager getAuthenticationManager()
setAuthenticationManager
public void setAuthenticationManager(AuthenticationManager authenticationManager)
isIgnoreFailure
protected boolean isIgnoreFailure()
setIgnoreFailure
public void setIgnoreFailure(boolean ignoreFailure)
setAuthenticationDetailsSource
public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
setRememberMeServices
public void setRememberMeServices(RememberMeServices rememberMeServices)
setCredentialsCharset
public void setCredentialsCharset(String credentialsCharset)
getCredentialsCharset
protected String getCredentialsCharset(javax.servlet.http.HttpServletRequest httpRequest)