Class AbstractAuthenticationProcessingFilter

  extended by org.springframework.web.filter.GenericFilterBean
      extended by
All Implemented Interfaces:
Filter, BeanNameAware, DisposableBean, InitializingBean, ApplicationEventPublisherAware, MessageSourceAware, ServletContextAware
Direct Known Subclasses:
AbstractProcessingFilter, CasAuthenticationFilter, OpenIDAuthenticationFilter, UsernamePasswordAuthenticationFilter

public abstract class AbstractAuthenticationProcessingFilter
extends GenericFilterBean
implements ApplicationEventPublisherAware, MessageSourceAware

Abstract processor of browser-based HTTP-based authentication requests.

Authentication Process

The filter requires that you set the authenticationManager property. An AuthenticationManager is required to process the authentication request tokens created by implementing classes.

This filter will intercept a request and attempt to perform authentication from that request if the request URL matches the value of the filterProcessesUrl property. This behaviour can modified by overriding the method requiresAuthentication.

Authentication is performed by the attemptAuthentication method, which must be implemented by subclasses.

Authentication Success

If authentication is successful, the resulting Authentication object will be placed into the SecurityContext for the current thread, which is guaranteed to have already been created by an earlier filter.

The configured AuthenticationSuccessHandler will then be called to take the redirect to the appropriate destination after a successful login. The default behaviour is implemented in a SavedRequestAwareAuthenticationSuccessHandler which will make use of any DefaultSavedRequest set by the ExceptionTranslationFilter and redirect the user to the URL contained therein. Otherwise it will redirect to the webapp root "/". You can customize this behaviour by injecting a differently configured instance of this class, or by using a different implementation.

See the successfulAuthentication method for more information.

Authentication Failure

If authentication fails, the resulting AuthenticationException will be placed into the HttpSession with the attribute defined by SPRING_SECURITY_LAST_EXCEPTION_KEY. It will then delegate to the configured AuthenticationFailureHandler to allow the failure information to be conveyed to the client. The default implementation is SimpleUrlAuthenticationFailureHandler, which sends a 401 error code to the client. It may also be configured with a failure URL as an alternative. Again you can inject whatever behaviour you require here.

Event Publication

If authentication is successful, an InteractiveAuthenticationSuccessEvent will be published via the application context. No events will be published if authentication was unsuccessful, because this would generally be recorded via an AuthenticationManager-specific application event.

The filter has an optional attribute invalidateSessionOnSuccessfulAuthentication that will invalidate the current session on successful authentication. This is to protect against session fixation attacks (see this Wikipedia article for more information). The behaviour is turned off by default. Additionally there is a property migrateInvalidatedSessionAttributes which tells if on session invalidation we are to migrate all session attributes from the old session to a newly created one. This is turned on by default, but not used unless invalidateSessionOnSuccessfulAuthentication is true. If you are using this feature in combination with concurrent session control, you should set the sessionRegistry property to make sure that the session information is updated consistently.

$Id: 3921 2009-10-05 16:40:32Z ltaylor $
Ben Alex

Field Summary
protected  AuthenticationDetailsSource authenticationDetailsSource
protected  ApplicationEventPublisher eventPublisher
protected  MessageSourceAccessor messages
Fields inherited from class org.springframework.web.filter.GenericFilterBean
Constructor Summary
protected AbstractAuthenticationProcessingFilter(String defaultFilterProcessesUrl)
Method Summary
 void afterPropertiesSet()
abstract  Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
          Performs actual authentication.
 void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
          Invokes the requiresAuthentication method to determine whether the request is for authentication and should be handled by this filter.
protected  boolean getAllowSessionCreation()
 AuthenticationDetailsSource getAuthenticationDetailsSource()
protected  AuthenticationManager getAuthenticationManager()
 String getFilterProcessesUrl()
 RememberMeServices getRememberMeServices()
protected  boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response)
          Indicates whether this filter should attempt to process a login request for the current invocation.
 void setAllowSessionCreation(boolean allowSessionCreation)
 void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher)
 void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
 void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
 void setAuthenticationManager(AuthenticationManager authenticationManager)
 void setAuthenticationSuccessHandler(AuthenticationSuccessHandler successHandler)
          Sets the strategy used to handle a successful authentication.
 void setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication)
          Indicates if the filter chain should be continued prior to delegation to successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication), which may be useful in certain environment (such as Tapestry applications).
 void setFilterProcessesUrl(String filterProcessesUrl)
 void setMessageSource(MessageSource messageSource)
 void setRememberMeServices(RememberMeServices rememberMeServices)
 void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionStrategy)
          The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager.
protected  void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult)
          Default behaviour for successful authentication.
protected  void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed)
          Default behaviour for unsuccessful authentication.
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail


See Also:
Constant Field Values


protected ApplicationEventPublisher eventPublisher


protected AuthenticationDetailsSource authenticationDetailsSource


protected MessageSourceAccessor messages
Constructor Detail


protected AbstractAuthenticationProcessingFilter(String defaultFilterProcessesUrl)
defaultFilterProcessesUrl - the default value for filterProcessesUrl.
Method Detail


public void afterPropertiesSet()
Specified by:
afterPropertiesSet in interface InitializingBean
afterPropertiesSet in class GenericFilterBean


public void doFilter(ServletRequest req,
                     ServletResponse res,
                     FilterChain chain)
              throws IOException,
Invokes the requiresAuthentication method to determine whether the request is for authentication and should be handled by this filter. If it is an authentication request, the attemptAuthentication will be invoked to perform the authentication. There are then three possible outcomes:
  1. An Authentication object is returned. The successfulAuthentication method will be invoked
  2. An AuthenticationException occurs during authentication. The unSuccessfulAuthentication method will be invoked
  3. Null is returned, indicating that the authentication process is incomplete. The method will then return immediately, assuming that the subclass has done any necessary work (such as redirects) to continue the authentication process. The assumption is that a later request will be received by this method where the returned Authentication object is not null.

Specified by:
doFilter in interface Filter


protected boolean requiresAuthentication(HttpServletRequest request,
                                         HttpServletResponse response)
Indicates whether this filter should attempt to process a login request for the current invocation.

It strips any parameters from the "path" section of the request URL (such as the jsessionid parameter in http://host/myapp/index.html;jsessionid=blah) before matching against the filterProcessesUrl property.

Subclasses may override for special requirements, such as Tapestry integration.

true if the filter should attempt authentication, false otherwise.


public abstract Authentication attemptAuthentication(HttpServletRequest request,
                                                     HttpServletResponse response)
                                              throws AuthenticationException,
Performs actual authentication.

The implementation should do one of the following:

  1. Return a populated authentication token for the authenticated user, indicating successful authentication
  2. Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
  3. Throw an AuthenticationException if the authentication process fails

request - from which to extract parameters and perform the authentication
response - the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID).
the authenticated user token, or null if authentication is incomplete.
AuthenticationException - if authentication fails.


protected void successfulAuthentication(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authResult)
                                 throws IOException,
Default behaviour for successful authentication.
  1. Sets the successful Authentication object on the SecurityContextHolder
  2. Invokes the configured SessionAuthenticationStrategy to handle any session-related behaviour (such as creating a new session to protect against session-fixation attacks).
  3. Informs the configured RememberMeServices of the successful login
  4. Fires an InteractiveAuthenticationSuccessEvent via the configured ApplicationEventPublisher
  5. Delegates additional behaviour to the AuthenticationSuccessHandler.

authResult - the object returned from the attemptAuthentication method.


protected void unsuccessfulAuthentication(HttpServletRequest request,
                                          HttpServletResponse response,
                                          AuthenticationException failed)
                                   throws IOException,
Default behaviour for unsuccessful authentication.
  1. Clears the SecurityContextHolder
  2. Stores the exception in the session (if it exists or allowSesssionCreation is set to true)
  3. Informs the configured RememberMeServices of the failed login
  4. Delegates additional behaviour to the AuthenticationFailureHandler.



protected AuthenticationManager getAuthenticationManager()


public void setAuthenticationManager(AuthenticationManager authenticationManager)


public String getFilterProcessesUrl()


public void setFilterProcessesUrl(String filterProcessesUrl)


public RememberMeServices getRememberMeServices()


public void setRememberMeServices(RememberMeServices rememberMeServices)


public void setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication)
Indicates if the filter chain should be continued prior to delegation to successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication), which may be useful in certain environment (such as Tapestry applications). Defaults to false.


public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher)
Specified by:
setApplicationEventPublisher in interface ApplicationEventPublisherAware


public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)


public void setMessageSource(MessageSource messageSource)
Specified by:
setMessageSource in interface MessageSourceAware


public AuthenticationDetailsSource getAuthenticationDetailsSource()


protected boolean getAllowSessionCreation()


public void setAllowSessionCreation(boolean allowSessionCreation)


public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionStrategy)
The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager. Used, for example, to handle changing of the session identifier to prevent session fixation attacks.

sessionStrategy - the implementation to use. If not set a null implementation is used.


public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler successHandler)
Sets the strategy used to handle a successful authentication. By default a SavedRequestAwareAuthenticationSuccessHandler is used.


public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)

Copyright © 2004-2009 SpringSource, Inc. All Rights Reserved.