public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean
Filter
which populates the ServletRequest
with a request wrapper
which implements the servlet API security methods.
In pre servlet 3 environment the wrapper class used is SecurityContextHolderAwareRequestWrapper
. See its javadoc for the methods that are implemented.
In a servlet 3 environment SecurityContextHolderAwareRequestWrapper
is extended to provide the following additional methods:
HttpServletRequest.authenticate(HttpServletResponse)
- Allows the user to determine if they are
authenticated and if not send the user to the login page. See
setAuthenticationEntryPoint(AuthenticationEntryPoint)
.HttpServletRequest.login(String, String)
- Allows the user to authenticate using the
AuthenticationManager
. See setAuthenticationManager(AuthenticationManager)
.HttpServletRequest.logout()
- Allows the user to logout using the LogoutHandler
s configured in
Spring Security. See setLogoutHandlers(List)
.AsyncContext.start(Runnable)
- Automatically copy the SecurityContext
from the
SecurityContextHolder
found on the Thread that invoked AsyncContext.start(Runnable)
to the Thread
that processes the Runnable
.logger
Constructor and Description |
---|
SecurityContextHolderAwareRequestFilter() |
Modifier and Type | Method and Description |
---|---|
void |
afterPropertiesSet() |
void |
doFilter(javax.servlet.ServletRequest req,
javax.servlet.ServletResponse res,
javax.servlet.FilterChain chain) |
void |
setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint)
Sets the
AuthenticationEntryPoint used when integrating HttpServletRequest with Servlet 3 APIs. |
void |
setAuthenticationManager(AuthenticationManager authenticationManager)
Sets the
AuthenticationManager used when integrating HttpServletRequest with Servlet 3 APIs. |
void |
setLogoutHandlers(List<LogoutHandler> logoutHandlers)
Sets the
LogoutHandler s used when integrating with HttpServletRequest with Servlet 3 APIs. |
void |
setRolePrefix(String rolePrefix) |
void |
setTrustResolver(AuthenticationTrustResolver trustResolver)
Sets the
AuthenticationTrustResolver to be used. |
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
public SecurityContextHolderAwareRequestFilter()
public void setRolePrefix(String rolePrefix)
public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint)
Sets the AuthenticationEntryPoint
used when integrating HttpServletRequest
with Servlet 3 APIs.
Specifically, it will be used when HttpServletRequest.authenticate(HttpServletResponse)
is called and the
user is not authenticated.
If the value is null (default), then the default container behavior will be be retained when invoking
HttpServletRequest.authenticate(HttpServletResponse)
.
authenticationEntryPoint
- the AuthenticationEntryPoint
to use when invoking
HttpServletRequest.authenticate(HttpServletResponse)
if the user is not authenticated.IllegalStateException
- if the Servlet 3 APIs are not found on the classpathpublic void setAuthenticationManager(AuthenticationManager authenticationManager)
Sets the AuthenticationManager
used when integrating HttpServletRequest
with Servlet 3 APIs.
Specifically, it will be used when HttpServletRequest.login(String, String)
is invoked to determine if
the user is authenticated.
If the value is null (default), then the default container behavior will be retained when invoking
HttpServletRequest.login(String, String)
.
authenticationManager
- the AuthenticationManager
to use when invoking
HttpServletRequest.login(String, String)
IllegalStateException
- if the Servlet 3 APIs are not found on the classpathpublic void setLogoutHandlers(List<LogoutHandler> logoutHandlers)
Sets the LogoutHandler
s used when integrating with HttpServletRequest
with Servlet 3 APIs.
Specifically it will be used when HttpServletRequest.logout()
is invoked in order to log the user out. So
long as the LogoutHandler
s do not commit the HttpServletResponse
(expected), then the user is in
charge of handling the response.
If the value is null (default), the default container behavior will be retained when invoking
HttpServletRequest.logout()
.
logoutHandlers
- the List
s when invoking HttpServletRequest.logout()
.IllegalStateException
- if the Servlet 3 APIs are not found on the classpathpublic void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
IOException
javax.servlet.ServletException
public void afterPropertiesSet() throws javax.servlet.ServletException
afterPropertiesSet
in interface InitializingBean
afterPropertiesSet
in class GenericFilterBean
javax.servlet.ServletException
public void setTrustResolver(AuthenticationTrustResolver trustResolver)
AuthenticationTrustResolver
to be used. The default is
AuthenticationTrustResolverImpl
.trustResolver
- the AuthenticationTrustResolver
to use. Cannot be
null.