public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean
Filter
which populates the ServletRequest
with a request
wrapper which implements the servlet API security methods.
In pre servlet 3 environment the wrapper class used is
SecurityContextHolderAwareRequestWrapper
. See its javadoc for the methods that
are implemented.
In a servlet 3 environment SecurityContextHolderAwareRequestWrapper
is extended
to provide the following additional methods:
HttpServletRequest.authenticate(HttpServletResponse)
- Allows the user to
determine if they are authenticated and if not send the user to the login page. See
setAuthenticationEntryPoint(AuthenticationEntryPoint)
.HttpServletRequest.login(String, String)
- Allows the user to authenticate
using the AuthenticationManager
. See
setAuthenticationManager(AuthenticationManager)
.HttpServletRequest.logout()
- Allows the user to logout using the
LogoutHandler
s configured in Spring Security. See
setLogoutHandlers(List)
.AsyncContext.start(Runnable)
- Automatically copy the
SecurityContext
from the SecurityContextHolder
found on the Thread that
invoked AsyncContext.start(Runnable)
to the Thread that processes the
Runnable
.logger
Constructor and Description |
---|
SecurityContextHolderAwareRequestFilter() |
Modifier and Type | Method and Description |
---|---|
void |
afterPropertiesSet() |
void |
doFilter(javax.servlet.ServletRequest req,
javax.servlet.ServletResponse res,
javax.servlet.FilterChain chain) |
void |
setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint)
Sets the
AuthenticationEntryPoint used when integrating
HttpServletRequest with Servlet 3 APIs. |
void |
setAuthenticationManager(AuthenticationManager authenticationManager)
Sets the
AuthenticationManager used when integrating
HttpServletRequest with Servlet 3 APIs. |
void |
setLogoutHandlers(List<LogoutHandler> logoutHandlers)
Sets the
LogoutHandler s used when integrating with
HttpServletRequest with Servlet 3 APIs. |
void |
setRolePrefix(String rolePrefix) |
void |
setTrustResolver(AuthenticationTrustResolver trustResolver)
Sets the
AuthenticationTrustResolver to be used. |
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
public SecurityContextHolderAwareRequestFilter()
public void setRolePrefix(String rolePrefix)
public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint)
Sets the AuthenticationEntryPoint
used when integrating
HttpServletRequest
with Servlet 3 APIs. Specifically, it will be used when
HttpServletRequest.authenticate(HttpServletResponse)
is called and the user
is not authenticated.
If the value is null (default), then the default container behavior will be be
retained when invoking HttpServletRequest.authenticate(HttpServletResponse)
.
authenticationEntryPoint
- the AuthenticationEntryPoint
to use when
invoking HttpServletRequest.authenticate(HttpServletResponse)
if the user
is not authenticated.IllegalStateException
- if the Servlet 3 APIs are not found on the classpathpublic void setAuthenticationManager(AuthenticationManager authenticationManager)
Sets the AuthenticationManager
used when integrating
HttpServletRequest
with Servlet 3 APIs. Specifically, it will be used when
HttpServletRequest.login(String, String)
is invoked to determine if the
user is authenticated.
If the value is null (default), then the default container behavior will be
retained when invoking HttpServletRequest.login(String, String)
.
authenticationManager
- the AuthenticationManager
to use when invoking
HttpServletRequest.login(String, String)
IllegalStateException
- if the Servlet 3 APIs are not found on the classpathpublic void setLogoutHandlers(List<LogoutHandler> logoutHandlers)
Sets the LogoutHandler
s used when integrating with
HttpServletRequest
with Servlet 3 APIs. Specifically it will be used when
HttpServletRequest.logout()
is invoked in order to log the user out. So
long as the LogoutHandler
s do not commit the HttpServletResponse
(expected), then the user is in charge of handling the response.
If the value is null (default), the default container behavior will be retained
when invoking HttpServletRequest.logout()
.
logoutHandlers
- the List
s when invoking
HttpServletRequest.logout()
.IllegalStateException
- if the Servlet 3 APIs are not found on the classpathpublic void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
IOException
javax.servlet.ServletException
public void afterPropertiesSet() throws javax.servlet.ServletException
afterPropertiesSet
in interface InitializingBean
afterPropertiesSet
in class GenericFilterBean
javax.servlet.ServletException
public void setTrustResolver(AuthenticationTrustResolver trustResolver)
AuthenticationTrustResolver
to be used. The default is
AuthenticationTrustResolverImpl
.trustResolver
- the AuthenticationTrustResolver
to use. Cannot be
null.