org.springframework.security.web.access.channel
Class ChannelProcessingFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.access.channel.ChannelProcessingFilter
All Implemented Interfaces: javax.servlet.Filter, BeanNameAware, DisposableBean, InitializingBean, ServletContextAware

public class ChannelProcessingFilter extends GenericFilterBean
Ensures a web request is delivered over the required channel.

Internally uses a FilterInvocation to represent the request, allowing a FilterInvocationSecurityMetadataSource to be used to look up the attributes which apply.

Delegates the actual channel security decisions and necessary actions to the configured ChannelDecisionManager. If a response is committed by the ChannelDecisionManager, the filter chain will not proceed.

The most common usage is to ensure that a request takes place over HTTPS, where the ChannelDecisionManagerImpl is configured with a SecureChannelProcessor and an InsecureChannelProcessor. A typical configuration would be:

    <bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
      <property name="channelDecisionManager" ref="channelDecisionManager"/>
      <property name="securityMetadataSource">
        <security:filter-security-metadata-source path-type="regex">
          <security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
          <security:intercept-url pattern="\A/login.jsp.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
          <security:intercept-url pattern="\A/.*\Z" access="ANY_CHANNEL"/>
        </security:filter-security-metadata-source>
      </property>
    </bean>

    <bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
      <property name="channelProcessors">
        <list>
          <ref bean="secureChannelProcessor"/>
          <ref bean="insecureChannelProcessor"/>
        </list>
      </property>
    </bean>

    <bean id="secureChannelProcessor"
          class="org.springframework.security.web.access.channel.SecureChannelProcessor"/>
    <bean id="insecureChannelProcessor"
          class="org.springframework.security.web.access.channel.InsecureChannelProcessor"/>

which would force the login form and any access to the /secure path to be made over HTTPS.
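
The following added example (not part of this Javadoc or of Spring Security's own code) models how the three intercept-url rules above are evaluated, using only java.util.regex and no Spring classes. The class name ChannelRuleModel, the REDIRECT/PROCEED labels and the sample requests are constructed for illustration; the model tries rules in declaration order and takes the first full match.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Stand-alone model of the rule evaluation described above (hypothetical class, not Spring code).
public class ChannelRuleModel {

    // The three intercept-url rules from the configuration, in declaration order.
    static final Map<Pattern, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put(Pattern.compile("\\A/secure/.*\\Z"), "REQUIRES_SECURE_CHANNEL");
        RULES.put(Pattern.compile("\\A/login.jsp.*\\Z"), "REQUIRES_SECURE_CHANNEL");
        RULES.put(Pattern.compile("\\A/.*\\Z"), "ANY_CHANNEL");
    }

    // First matching rule wins; null means no rule applies to this URL.
    static String lookup(String url) {
        for (Map.Entry<Pattern, String> rule : RULES.entrySet()) {
            if (rule.getKey().matcher(url).matches()) {
                return rule.getValue();
            }
        }
        return null;
    }

    // "REDIRECT" stands for a committed response (the filter chain stops);
    // "PROCEED" stands for the request continuing down the filter chain.
    static String decide(String url, boolean secure) {
        String attribute = lookup(url);
        if ("REQUIRES_SECURE_CHANNEL".equals(attribute) && !secure) {
            return "REDIRECT";
        }
        return "PROCEED";
    }

    public static void main(String[] args) {
        // Constructed sample requests: URL and whether it arrived over HTTPS.
        Object[][] samples = {
            {"/secure/account", false},
            {"/secure/account", true},
            {"/login.jsp?error=1", false},
            {"/index.html", false},
            {"/secure", false},
        };
        for (Object[] s : samples) {
            System.out.printf("%-20s secure=%-5s -> %s%n", s[0], s[1], decide((String) s[0], (Boolean) s[1]));
        }
    }
}
```

Running it shows that a request for /secure with no trailing slash does not match the first rule and falls through to ANY_CHANNEL, so the patterns should be checked against every URL form that must be protected.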
Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
ChannelProcessingFilter
public ChannelProcessingFilter()
afterPropertiesSet
public void afterPropertiesSet()
Specified by: afterPropertiesSet in interface InitializingBean
Overrides: afterPropertiesSet in class GenericFilterBean
doFilter
public void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
Throws: IOException, javax.servlet.ServletException
getChannelDecisionManager
protected ChannelDecisionManager getChannelDecisionManager()
getSecurityMetadataSource
protected FilterInvocationSecurityMetadataSource getSecurityMetadataSource()
setChannelDecisionManager
public void setChannelDecisionManager(ChannelDecisionManager channelDecisionManager)
setSecurityMetadataSource
public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource filterInvocationSecurityMetadataSource)