public abstract class AbstractPreAuthenticatedProcessingFilter extends org.springframework.web.filter.GenericFilterBean implements org.springframework.context.ApplicationEventPublisherAware
The purpose of the filter is then only to extract the necessary information on the principal from the incoming request, rather than to authenticate them. External authentication systems may provide this information via request data such as headers or cookies, which the pre-authentication system can extract. It is assumed that the external system is responsible for the accuracy of the data and for preventing the submission of forged values.
Subclasses must implement the getPreAuthenticatedPrincipal() and getPreAuthenticatedCredentials() methods. Subclasses of this filter are typically used in combination with a PreAuthenticatedAuthenticationProvider, which is used to load additional data for the user. This provider will reject null credentials, so the getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest) method should not return null for a valid principal.
If the security context already contains an Authentication object (either from a previous invocation of the filter or because of some other authentication mechanism), the filter will do nothing by default. You can force it to check for a change in the principal by setting the checkForPrincipalChanges property.
By default, the filter chain will proceed when an authentication attempt fails, in order to allow other authentication mechanisms to process the request. To reject the credentials immediately, set the continueFilterChainOnUnsuccessfulAuthentication flag to false. The exception raised by the AuthenticationManager will then be re-thrown. Note that this does not affect cases where the principal returned by getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest) is null, when the chain will still proceed as normal.
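The following subclass is an added example, not code from the Spring Security Javadoc or project: it extracts the principal from a request header set by a trusted reverse proxy, returns a non-null placeholder credential so PreAuthenticatedAuthenticationProvider accepts the token, and wires the checkForPrincipalChanges, invalidateSessionOnPrincipalChange and continueFilterChainOnUnsuccessfulAuthentication properties described above. The header name, the in-memory user and the class name are assumptions for illustration; the proxy, not this filter, is what must stop clients from supplying the header themselves.

```java
// Added example, not from the Spring Security Javadoc. The header name,
// user entry and class name are assumptions chosen for illustration.
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class ProxyHeaderPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    private static final String USER_HEADER = "X-Forwarded-User"; // assumed header name

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // A missing or blank header yields null: the filter then leaves the security
        // context untouched and the chain proceeds, so other mechanisms still apply.
        String user = request.getHeader(USER_HEADER);
        return (user == null || user.trim().isEmpty()) ? null : user.trim();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // PreAuthenticatedAuthenticationProvider rejects null credentials, so return
        // a placeholder: the proxy already authenticated the user and sends no secret.
        return "N/A";
    }

    /** Builds the filter with a provider that loads roles for the pre-authenticated name. */
    public static ProxyHeaderPreAuthFilter build() {
        UserDetailsService users = new InMemoryUserDetailsManager(
                User.withUsername("alice").password("{noop}unused").roles("USER").build());
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(users));
        AuthenticationManager manager = new ProviderManager(Collections.singletonList(provider));

        ProxyHeaderPreAuthFilter filter = new ProxyHeaderPreAuthFilter();
        filter.setAuthenticationManager(manager);
        filter.setCheckForPrincipalChanges(true);           // re-authenticate if the header names another user
        filter.setInvalidateSessionOnPrincipalChange(true); // drop the old session on such a change
        filter.setContinueFilterChainOnUnsuccessfulAuthentication(false); // unknown user: fail fast
        return filter;
    }
}
```

With continueFilterChainOnUnsuccessfulAuthentication set to false, a header naming a user the UserDetailsService does not know results in the AuthenticationException being re-thrown instead of the request continuing anonymously.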
| Constructor and Description |
|---|
| AbstractPreAuthenticatedProcessingFilter() |
| Modifier and Type | Method and Description |
|---|---|
| void | afterPropertiesSet() Check whether all required properties have been set. |
| void | doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) Try to authenticate a pre-authenticated user with Spring Security if the user has not yet been authenticated. |
| protected AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> | getAuthenticationDetailsSource() |
| protected abstract java.lang.Object | getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request) Override to extract the credentials (if applicable) from the current request. |
| protected abstract java.lang.Object | getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request) Override to extract the principal information from the current request. |
| protected boolean | principalChanged(javax.servlet.http.HttpServletRequest request, Authentication currentAuthentication) Determines if the current principal has changed. |
| void | setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher anApplicationEventPublisher) |
| void | setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource) |
| void | setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) Sets the strategy used to handle a failed authentication. |
| void | setAuthenticationManager(AuthenticationManager authenticationManager) |
| void | setAuthenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) Sets the strategy used to handle a successful authentication. |
| void | setCheckForPrincipalChanges(boolean checkForPrincipalChanges) If set, the pre-authenticated principal will be checked on each request and compared against the name of the current Authentication object. |
| void | setContinueFilterChainOnUnsuccessfulAuthentication(boolean shouldContinue) If set to true (the default), any AuthenticationException raised by the AuthenticationManager will be swallowed, and the request will be allowed to proceed, potentially using alternative authentication mechanisms. |
| void | setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange) If checkForPrincipalChanges is set, and a change of principal is detected, determines whether any existing session should be invalidated before proceeding to authenticate the new principal. |
| void | setRequiresAuthenticationRequestMatcher(RequestMatcher requiresAuthenticationRequestMatcher) Sets the request matcher used to check whether the request should be processed further. |
| protected void | successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authResult) Puts the Authentication instance returned by the authentication manager into the secure context. |
| protected void | unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationException failed) Ensures the authentication object in the secure context is set to null when authentication fails. |
public AbstractPreAuthenticatedProcessingFilter()

public void afterPropertiesSet()
Check whether all required properties have been set.
Specified by: afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Overrides: afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean

public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException
Try to authenticate a pre-authenticated user with Spring Security if the user has not yet been authenticated.
Specified by: doFilter in interface javax.servlet.Filter
Throws: java.io.IOException, javax.servlet.ServletException

protected boolean principalChanged(javax.servlet.http.HttpServletRequest request, Authentication currentAuthentication)
Determines if the current principal has changed. If getPreAuthenticatedPrincipal(HttpServletRequest) returns a String, Principal.getName() is compared against the pre-authenticated principal; otherwise getPreAuthenticatedPrincipal(HttpServletRequest) is compared against Authentication.getPrincipal(). Subclasses can override this method to determine when a principal has changed.
Parameters: request, currentAuthentication

protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authResult) throws java.io.IOException, javax.servlet.ServletException
Puts the Authentication instance returned by the authentication manager into the secure context.
Throws: java.io.IOException, javax.servlet.ServletException

protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationException failed) throws java.io.IOException, javax.servlet.ServletException
Ensures the authentication object in the secure context is set to null when authentication fails. Caches the failure exception as a request attribute.
Throws: java.io.IOException, javax.servlet.ServletException

public void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher anApplicationEventPublisher)
Specified by: setApplicationEventPublisher in interface org.springframework.context.ApplicationEventPublisherAware
Parameters: anApplicationEventPublisher - the ApplicationEventPublisher to use

public void setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
Parameters: authenticationDetailsSource - the AuthenticationDetailsSource to use

protected AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> getAuthenticationDetailsSource()

public void setAuthenticationManager(AuthenticationManager authenticationManager)
Parameters: authenticationManager - the AuthenticationManager to use

public void setContinueFilterChainOnUnsuccessfulAuthentication(boolean shouldContinue)
If set to true (the default), any AuthenticationException raised by the AuthenticationManager will be swallowed, and the request will be allowed to proceed, potentially using alternative authentication mechanisms. If false, authentication failure will result in an immediate exception.
Parameters: shouldContinue - set to true to allow the request to proceed after a failed authentication.

public void setCheckForPrincipalChanges(boolean checkForPrincipalChanges)
If set, the pre-authenticated principal will be checked on each request and compared against the name of the current Authentication object. A check that Authentication.getPrincipal() is equal to the principal will also be performed. If a change is detected, the user will be reauthenticated.
Parameters: checkForPrincipalChanges

public void setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange)
If checkForPrincipalChanges is set, and a change of principal is detected, determines whether any existing session should be invalidated before proceeding to authenticate the new principal.
Parameters: invalidateSessionOnPrincipalChange - false to retain the existing session. Defaults to true.

public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler)
Sets the strategy used to handle a successful authentication.

public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler)
Sets the strategy used to handle a failed authentication.

public void setRequiresAuthenticationRequestMatcher(RequestMatcher requiresAuthenticationRequestMatcher)
Sets the request matcher used to check whether the request should be processed further.

protected abstract java.lang.Object getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request)
Override to extract the principal information from the current request.

protected abstract java.lang.Object getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request)
Override to extract the credentials (if applicable) from the current request.