java.lang.Object
  org.springframework.web.filter.GenericFilterBean
    org.springframework.security.web.authentication.www.BasicAuthenticationFilter
public class BasicAuthenticationFilter
Processes a HTTP request's BASIC authorization headers, putting the result into the SecurityContextHolder.
For a detailed background on what this filter is designed to process, refer to RFC 1945, Section 11.1. Any realm name presented in the HTTP request is ignored.
In summary, this filter is responsible for processing any request that has a HTTP request header of Authorization with an authentication scheme of Basic and a Base64-encoded username:password token. For example, to authenticate user "Aladdin" with password "open sesame" the following header would be presented:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
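How a server recovers the credentials from such a header, as an added example (not Spring Security's own code). The class name BasicHeaderDemo, the parse and describe helpers, and every input other than the Aladdin header are constructed for illustration; the charset parameter stands in for the filter's credentialsCharset property.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicHeaderDemo {

    /** Returns {username, password}, or null if the header does not use the Basic scheme. */
    static String[] parse(String header, Charset credentialsCharset) {
        // Scheme names are case-insensitive; any other scheme is not ours to handle.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Basic token is not valid Base64", e);
        }
        String token = new String(decoded, credentialsCharset);
        // Split at the first colon only: the password may itself contain colons.
        int delim = token.indexOf(':');
        if (delim == -1) {
            throw new IllegalArgumentException("Basic token has no ':' separator");
        }
        return new String[] { token.substring(0, delim), token.substring(delim + 1) };
    }

    private static String describe(String header) {
        try {
            String[] c = parse(header, StandardCharsets.UTF_8);
            return c == null ? "not Basic, ignored"
                             : "user=" + c[0] + " password=" + c[1];
        } catch (IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Header from the class description: Base64 is an encoding, so the password is recoverable.
        System.out.println(describe("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="));
        // Constructed inputs: colon in the password, lower-case scheme, other scheme, bad tokens.
        String colon = Base64.getEncoder().encodeToString("alice:pa:ss".getBytes(StandardCharsets.UTF_8));
        System.out.println(describe("basic " + colon));
        System.out.println(describe("Bearer abc.def.ghi"));
        System.out.println(describe("Basic %%%not-base64%%%"));
        System.out.println(describe("Basic " + Base64.getEncoder().encodeToString("nocolon".getBytes(StandardCharsets.UTF_8))));
    }
}
```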
This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).
If authentication is successful, the resulting Authentication object will be placed into the SecurityContextHolder.
If authentication fails and ignoreFailure is false (the default), an AuthenticationEntryPoint implementation is called. Usually this should be BasicAuthenticationEntryPoint, which will prompt the user to authenticate again via BASIC authentication.
Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still transmits a password in clear text and as such is undesirable in many situations. Digest authentication is also provided by Spring Security and should be used instead of Basic authentication wherever possible. See DigestAuthenticationFilter.
Note that if a RememberMeServices is set, this filter will automatically send back remember-me details to the client. Therefore, subsequent requests will not need to present a BASIC authentication header as they will be authenticated using the remember-me mechanism.
Field Summary |
---|
Fields inherited from class org.springframework.web.filter.GenericFilterBean |
---|
logger |
Constructor Summary | |
---|---|
BasicAuthenticationFilter() | Deprecated. Use constructor injection |
BasicAuthenticationFilter(AuthenticationManager authenticationManager) | Creates an instance which will authenticate against the supplied AuthenticationManager and which will ignore failed authentication attempts, allowing the request to proceed down the filter chain. |
BasicAuthenticationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint) | Creates an instance which will authenticate against the supplied AuthenticationManager and use the supplied AuthenticationEntryPoint to handle authentication failures. |
Method Summary | |
---|---|
void | afterPropertiesSet() |
void | doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) |
protected AuthenticationEntryPoint | getAuthenticationEntryPoint() |
protected AuthenticationManager | getAuthenticationManager() |
protected String | getCredentialsCharset(javax.servlet.http.HttpServletRequest httpRequest) |
protected boolean | isIgnoreFailure() |
protected void | onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authResult) |
protected void | onUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationException failed) |
void | setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource) |
void | setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) - Deprecated. Use constructor injection |
void | setAuthenticationManager(AuthenticationManager authenticationManager) - Deprecated. Use constructor injection |
void | setCredentialsCharset(String credentialsCharset) |
void | setIgnoreFailure(boolean ignoreFailure) - Deprecated. Use the constructor which takes a single AuthenticationManager parameter |
void | setRememberMeServices(RememberMeServices rememberMeServices) |
Methods inherited from class org.springframework.web.filter.GenericFilterBean |
---|
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
---|
public BasicAuthenticationFilter()

public BasicAuthenticationFilter(AuthenticationManager authenticationManager)
Creates an instance which will authenticate against the supplied AuthenticationManager and which will ignore failed authentication attempts, allowing the request to proceed down the filter chain.
Parameters:
authenticationManager - the bean to submit authentication requests to

public BasicAuthenticationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint)
Creates an instance which will authenticate against the supplied AuthenticationManager and use the supplied AuthenticationEntryPoint to handle authentication failures.
Parameters:
authenticationManager - the bean to submit authentication requests to
authenticationEntryPoint - will be invoked when authentication fails. Typically an instance of BasicAuthenticationEntryPoint.

Method Detail |
---|
public void afterPropertiesSet()
Specified by: afterPropertiesSet in interface InitializingBean
Overrides: afterPropertiesSet in class GenericFilterBean

public void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
Throws: IOException, javax.servlet.ServletException

protected void onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authResult) throws IOException
Throws: IOException

protected void onUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationException failed) throws IOException
Throws: IOException

protected AuthenticationEntryPoint getAuthenticationEntryPoint()

@Deprecated public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint)

protected AuthenticationManager getAuthenticationManager()

@Deprecated public void setAuthenticationManager(AuthenticationManager authenticationManager)

protected boolean isIgnoreFailure()

@Deprecated public void setIgnoreFailure(boolean ignoreFailure)

public void setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)

public void setRememberMeServices(RememberMeServices rememberMeServices)

public void setCredentialsCharset(String credentialsCharset)

protected String getCredentialsCharset(javax.servlet.http.HttpServletRequest httpRequest)