Class ChannelProcessingFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

    public class ChannelProcessingFilter
    extends org.springframework.web.filter.GenericFilterBean
    Ensures a web request is delivered over the required channel.

    Internally uses a FilterInvocation to represent the request, allowing a FilterInvocationSecurityMetadataSource to be used to lookup the attributes which apply.

    Delegates the actual channel security decisions and necessary actions to the configured ChannelDecisionManager. If a response is committed by the ChannelDecisionManager, the filter chain will not proceed.

    The most common usage is to ensure that a request takes place over HTTPS, where the ChannelDecisionManagerImpl is configured with a SecureChannelProcessor and an InsecureChannelProcessor. A typical configuration would be

     <bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
       <property name="channelDecisionManager" ref="channelDecisionManager"/>
       <property name="securityMetadataSource">
         <security:filter-security-metadata-source request-matcher="regex">
           <security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
           <security:intercept-url pattern="\A/login.jsp.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
           <security:intercept-url pattern="\A/.*\Z" access="ANY_CHANNEL"/>
         </security:filter-security-metadata-source>
       </property>
     </bean>
    
     <bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
       <property name="channelProcessors">
         <list>
         <ref bean="secureChannelProcessor"/>
         <ref bean="insecureChannelProcessor"/>
         </list>
       </property>
     </bean>
    
     <bean id="secureChannelProcessor"
       class="org.springframework.security.web.access.channel.SecureChannelProcessor"/>
     <bean id="insecureChannelProcessor"
       class="org.springframework.security.web.access.channel.InsecureChannelProcessor"/>
    
     
    which would force the login form and any access to the /secure path to be made over HTTPS.
    • Constructor Detail

      • ChannelProcessingFilter

        public ChannelProcessingFilter()
    • Method Detail

      • afterPropertiesSet

        public void afterPropertiesSet()
        Specified by:
        afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
        Overrides:
        afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean
      • doFilter

        public void doFilter​(javax.servlet.ServletRequest req,
                             javax.servlet.ServletResponse res,
                             javax.servlet.FilterChain chain)
                      throws java.io.IOException,
                             javax.servlet.ServletException
        Throws:
        java.io.IOException
        javax.servlet.ServletException
      • setChannelDecisionManager

        public void setChannelDecisionManager​(ChannelDecisionManager channelDecisionManager)