Package org.springframework.security.web.access

Class ExceptionTranslationFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.access.ExceptionTranslationFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
public class ExceptionTranslationFilter extends org.springframework.web.filter.GenericFilterBean implements org.springframework.context.MessageSourceAware
Handles any AccessDeniedException and AuthenticationException thrown within the filter chain.

This filter is necessary because it provides the bridge between Java exceptions and HTTP responses. It is solely concerned with maintaining the user interface. This filter does not do any actual security enforcement.

If an AuthenticationException is detected, the filter will launch the authenticationEntryPoint. This allows common handling of authentication failures originating from Web or Method Security.

If an AccessDeniedException is detected, the filter will determine whether or not the user is an anonymous user. If they are an anonymous user, the authenticationEntryPoint will be launched. If they are not an anonymous user, the filter will delegate to the AccessDeniedHandler. By default the filter will use AccessDeniedHandlerImpl.

To use this filter, it is necessary to specify the following properties:

  • authenticationEntryPoint indicates the handler that should commence the authentication process if an AuthenticationException is detected. Note that this may also switch the current protocol from http to https for an SSL login.
  • requestCache determines the strategy used to save a request during the authentication process in order that it may be retrieved and reused once the user has authenticated. The default implementation is HttpSessionRequestCache.

  • Field Details

    • messages

      protected org.springframework.context.support.MessageSourceAccessor messages

  • Constructor Details

  • Method Details

    • afterPropertiesSet

      public void afterPropertiesSet()
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
      Overrides:
      afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean

    • doFilter

      public void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
      Specified by:
      doFilter in interface jakarta.servlet.Filter
      Throws:
      IOException
      jakarta.servlet.ServletException

    • getAuthenticationEntryPoint

      public AuthenticationEntryPoint getAuthenticationEntryPoint()

    • getAuthenticationTrustResolver

      protected AuthenticationTrustResolver getAuthenticationTrustResolver()

    • sendStartAuthentication

      protected void sendStartAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain, AuthenticationException reason) throws jakarta.servlet.ServletException, IOException
      Throws:
      jakarta.servlet.ServletException
      IOException

    • setAccessDeniedHandler

      public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)

    • setAuthenticationTrustResolver

      public void setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver)

    • setThrowableAnalyzer

      public void setThrowableAnalyzer(ThrowableAnalyzer throwableAnalyzer)

    • setMessageSource

      public void setMessageSource(org.springframework.context.MessageSource messageSource)
      Specified by:
      setMessageSource in interface org.springframework.context.MessageSourceAware
      Since:
      5.5

    • setSecurityContextHolderStrategy

      public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
      Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
      Since:
      5.8