org.springframework.security.web.access.channel
Class ChannelProcessingFilter

java.lang.Object
  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.security.web.access.channel.ChannelProcessingFilter
All Implemented Interfaces:
javax.servlet.Filter, Aware, BeanNameAware, DisposableBean, InitializingBean, EnvironmentAware, ServletContextAware

public class ChannelProcessingFilter
extends GenericFilterBean

Ensures a web request is delivered over the required channel.

Internally uses a FilterInvocation to represent the request, allowing a FilterInvocationSecurityMetadataSource to be used to lookup the attributes which apply.

Delegates the actual channel security decisions and necessary actions to the configured ChannelDecisionManager. If a response is committed by the ChannelDecisionManager, the filter chain will not proceed.

The most common usage is to ensure that a request takes place over HTTPS, where the ChannelDecisionManagerImpl is configured with a SecureChannelProcessor and an InsecureChannelProcessor. A typical configuration would be

<bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
  <property name="channelDecisionManager" ref="channelDecisionManager"/>
  <property name="securityMetadataSource">
    <security:filter-security-metadata-source path-type="regex">
      <security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
      <security:intercept-url pattern="\A/login.jsp.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
      <security:intercept-url pattern="\A/.*\Z" access="ANY_CHANNEL"/>
    </security:filter-security-metadata-source>
  </property>
</bean>

<bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
  <property name="channelProcessors">
    <list>
    <ref bean="secureChannelProcessor"/>
    <ref bean="insecureChannelProcessor"/>
    </list>
  </property>
</bean>

<bean id="secureChannelProcessor"
  class="org.springframework.security.web.access.channel.SecureChannelProcessor"/>
<bean id="insecureChannelProcessor"
  class="org.springframework.security.web.access.channel.InsecureChannelProcessor"/>

 
which would force the login form and any access to the /secure path to be made over HTTPS.


Field Summary
 
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
 
Constructor Summary
ChannelProcessingFilter()
           
 
Method Summary
 void afterPropertiesSet()
           
 void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain)
           
protected  ChannelDecisionManager getChannelDecisionManager()
           
protected  FilterInvocationSecurityMetadataSource getSecurityMetadataSource()
           
 void setChannelDecisionManager(ChannelDecisionManager channelDecisionManager)
           
 void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource filterInvocationSecurityMetadataSource)
           
 
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ChannelProcessingFilter

public ChannelProcessingFilter()
Method Detail

afterPropertiesSet

public void afterPropertiesSet()
Specified by:
afterPropertiesSet in interface InitializingBean
Overrides:
afterPropertiesSet in class GenericFilterBean

doFilter

public void doFilter(javax.servlet.ServletRequest req,
                     javax.servlet.ServletResponse res,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
Throws:
IOException
javax.servlet.ServletException

getChannelDecisionManager

protected ChannelDecisionManager getChannelDecisionManager()

getSecurityMetadataSource

protected FilterInvocationSecurityMetadataSource getSecurityMetadataSource()

setChannelDecisionManager

public void setChannelDecisionManager(ChannelDecisionManager channelDecisionManager)

setSecurityMetadataSource

public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource filterInvocationSecurityMetadataSource)