Class AbstractAuthenticationProcessingFilter
- java.lang.Object
-
- org.springframework.web.filter.GenericFilterBean
-
- org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
-
- All Implemented Interfaces:
javax.servlet.Filter
,org.springframework.beans.factory.Aware
,org.springframework.beans.factory.BeanNameAware
,org.springframework.beans.factory.DisposableBean
,org.springframework.beans.factory.InitializingBean
,org.springframework.context.ApplicationEventPublisherAware
,org.springframework.context.EnvironmentAware
,org.springframework.context.MessageSourceAware
,org.springframework.core.env.EnvironmentCapable
,org.springframework.web.context.ServletContextAware
- Direct Known Subclasses:
CasAuthenticationFilter
,OAuth2LoginAuthenticationFilter
,OpenIDAuthenticationFilter
,Saml2WebSsoAuthenticationFilter
,UsernamePasswordAuthenticationFilter
public abstract class AbstractAuthenticationProcessingFilter extends org.springframework.web.filter.GenericFilterBean implements org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.MessageSourceAware
Abstract processor of browser-based HTTP-based authentication requests.Authentication Process
The filter requires that you set the authenticationManager property. An AuthenticationManager is required to process the authentication request tokens created by implementing classes.This filter will intercept a request and attempt to perform authentication from that request if the request matches the
setRequiresAuthenticationRequestMatcher(RequestMatcher)
.Authentication is performed by the
attemptAuthentication
method, which must be implemented by subclasses.Authentication Success
If authentication is successful, the resultingAuthentication
object will be placed into theSecurityContext
for the current thread, which is guaranteed to have already been created by an earlier filter.The configured
AuthenticationSuccessHandler
will then be called to take the redirect to the appropriate destination after a successful login. The default behaviour is implemented in aSavedRequestAwareAuthenticationSuccessHandler
which will make use of any DefaultSavedRequest set by the ExceptionTranslationFilter and redirect the user to the URL contained therein. Otherwise it will redirect to the webapp root "/". You can customize this behaviour by injecting a differently configured instance of this class, or by using a different implementation.See the
successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication)
method for more information.Authentication Failure
If authentication fails, it will delegate to the configuredAuthenticationFailureHandler
to allow the failure information to be conveyed to the client. The default implementation isSimpleUrlAuthenticationFailureHandler
, which sends a 401 error code to the client. It may also be configured with a failure URL as an alternative. Again you can inject whatever behaviour you require here.Event Publication
If authentication is successful, anInteractiveAuthenticationSuccessEvent
will be published via the application context. No events will be published if authentication was unsuccessful, because this would generally be recorded via anAuthenticationManager
-specific application event.Session Authentication
The class has an optionalSessionAuthenticationStrategy
which will be invoked immediately after a successful call toattemptAuthentication()
. Different implementationscan be injected
to enable things like session-fixation attack prevention or to control the number of simultaneous sessions a principal may have.
-
-
Field Summary
Fields Modifier and Type Field Description protected AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?>
authenticationDetailsSource
protected org.springframework.context.ApplicationEventPublisher
eventPublisher
protected org.springframework.context.support.MessageSourceAccessor
messages
-
Constructor Summary
Constructors Modifier Constructor Description protected
AbstractAuthenticationProcessingFilter(java.lang.String defaultFilterProcessesUrl)
protected
AbstractAuthenticationProcessingFilter(java.lang.String defaultFilterProcessesUrl, AuthenticationManager authenticationManager)
Creates a new instance with a default filterProcessesUrl and anAuthenticationManager
protected
AbstractAuthenticationProcessingFilter(RequestMatcher requiresAuthenticationRequestMatcher)
Creates a new instanceprotected
AbstractAuthenticationProcessingFilter(RequestMatcher requiresAuthenticationRequestMatcher, AuthenticationManager authenticationManager)
Creates a new instance with aRequestMatcher
and anAuthenticationManager
-
Method Summary
All Methods Instance Methods Abstract Methods Concrete Methods Modifier and Type Method Description void
afterPropertiesSet()
abstract Authentication
attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Performs actual authentication.void
doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
Invokes therequiresAuthentication
method to determine whether the request is for authentication and should be handled by this filter.protected boolean
getAllowSessionCreation()
protected AuthenticationManager
getAuthenticationManager()
protected AuthenticationFailureHandler
getFailureHandler()
RememberMeServices
getRememberMeServices()
protected AuthenticationSuccessHandler
getSuccessHandler()
protected boolean
requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Indicates whether this filter should attempt to process a login request for the current invocation.void
setAllowSessionCreation(boolean allowSessionCreation)
void
setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher eventPublisher)
void
setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
void
setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
void
setAuthenticationManager(AuthenticationManager authenticationManager)
void
setAuthenticationSuccessHandler(AuthenticationSuccessHandler successHandler)
Sets the strategy used to handle a successful authentication.void
setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication)
Indicates if the filter chain should be continued prior to delegation tosuccessfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication)
, which may be useful in certain environment (such as Tapestry applications).void
setFilterProcessesUrl(java.lang.String filterProcessesUrl)
Sets the URL that determines if authentication is requiredvoid
setMessageSource(org.springframework.context.MessageSource messageSource)
void
setRememberMeServices(RememberMeServices rememberMeServices)
void
setRequiresAuthenticationRequestMatcher(RequestMatcher requestMatcher)
void
setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionStrategy)
The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager.protected void
successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, Authentication authResult)
Default behaviour for successful authentication.protected void
unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationException failed)
Default behaviour for unsuccessful authentication.
-
-
-
Field Detail
-
eventPublisher
protected org.springframework.context.ApplicationEventPublisher eventPublisher
-
authenticationDetailsSource
protected AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource
-
messages
protected org.springframework.context.support.MessageSourceAccessor messages
-
-
Constructor Detail
-
AbstractAuthenticationProcessingFilter
protected AbstractAuthenticationProcessingFilter(java.lang.String defaultFilterProcessesUrl)
- Parameters:
defaultFilterProcessesUrl
- the default value for filterProcessesUrl.
-
AbstractAuthenticationProcessingFilter
protected AbstractAuthenticationProcessingFilter(RequestMatcher requiresAuthenticationRequestMatcher)
Creates a new instance- Parameters:
requiresAuthenticationRequestMatcher
- theRequestMatcher
used to determine if authentication is required. Cannot be null.
-
AbstractAuthenticationProcessingFilter
protected AbstractAuthenticationProcessingFilter(java.lang.String defaultFilterProcessesUrl, AuthenticationManager authenticationManager)
Creates a new instance with a default filterProcessesUrl and anAuthenticationManager
- Parameters:
defaultFilterProcessesUrl
- the default value for filterProcessesUrl.authenticationManager
- theAuthenticationManager
used to authenticate anAuthentication
object. Cannot be null.
-
AbstractAuthenticationProcessingFilter
protected AbstractAuthenticationProcessingFilter(RequestMatcher requiresAuthenticationRequestMatcher, AuthenticationManager authenticationManager)
Creates a new instance with aRequestMatcher
and anAuthenticationManager
- Parameters:
requiresAuthenticationRequestMatcher
- theRequestMatcher
used to determine if authentication is required. Cannot be null.authenticationManager
- theAuthenticationManager
used to authenticate anAuthentication
object. Cannot be null.
-
-
Method Detail
-
afterPropertiesSet
public void afterPropertiesSet()
- Specified by:
afterPropertiesSet
in interfaceorg.springframework.beans.factory.InitializingBean
- Overrides:
afterPropertiesSet
in classorg.springframework.web.filter.GenericFilterBean
-
doFilter
public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException
Invokes therequiresAuthentication
method to determine whether the request is for authentication and should be handled by this filter. If it is an authentication request, theattemptAuthentication
will be invoked to perform the authentication. There are then three possible outcomes:- An Authentication object is returned. The configured
SessionAuthenticationStrategy
will be invoked (to handle any session-related behaviour such as creating a new session to protect against session-fixation attacks) followed by the invocation ofsuccessfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication)
method - An AuthenticationException occurs during authentication. The
unsuccessfulAuthentication
method will be invoked - Null is returned, indicating that the authentication process is incomplete. The method will then return immediately, assuming that the subclass has done any necessary work (such as redirects) to continue the authentication process. The assumption is that a later request will be received by this method where the returned Authentication object is not null.
- Specified by:
doFilter
in interfacejavax.servlet.Filter
- Throws:
java.io.IOException
javax.servlet.ServletException
- An Authentication object is returned. The configured
-
requiresAuthentication
protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Indicates whether this filter should attempt to process a login request for the current invocation.It strips any parameters from the "path" section of the request URL (such as the jsessionid parameter in https://host/myapp/index.html;jsessionid=blah) before matching against the
filterProcessesUrl
property.Subclasses may override for special requirements, such as Tapestry integration.
- Returns:
true
if the filter should attempt authentication,false
otherwise.
-
attemptAuthentication
public abstract Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException, java.io.IOException, javax.servlet.ServletException
Performs actual authentication.The implementation should do one of the following:
- Return a populated authentication token for the authenticated user, indicating successful authentication
- Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
- Throw an AuthenticationException if the authentication process fails
- Parameters:
request
- from which to extract parameters and perform the authenticationresponse
- the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID).- Returns:
- the authenticated user token, or null if authentication is incomplete.
- Throws:
AuthenticationException
- if authentication fails.java.io.IOException
javax.servlet.ServletException
-
successfulAuthentication
protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, Authentication authResult) throws java.io.IOException, javax.servlet.ServletException
Default behaviour for successful authentication.- Sets the successful Authentication object on the
SecurityContextHolder
- Informs the configured RememberMeServices of the successful login
- Fires an
InteractiveAuthenticationSuccessEvent
via the configured ApplicationEventPublisher - Delegates additional behaviour to the
AuthenticationSuccessHandler
.
FilterChain
after successful authentication.- Parameters:
request
-response
-chain
-authResult
- the object returned from the attemptAuthentication method.- Throws:
java.io.IOException
javax.servlet.ServletException
- Sets the successful Authentication object on the
-
unsuccessfulAuthentication
protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationException failed) throws java.io.IOException, javax.servlet.ServletException
Default behaviour for unsuccessful authentication.- Clears the
SecurityContextHolder
- Stores the exception in the session (if it exists or allowSesssionCreation is set to true)
- Informs the configured RememberMeServices of the failed login
- Delegates additional behaviour to the
AuthenticationFailureHandler
.
- Throws:
java.io.IOException
javax.servlet.ServletException
- Clears the
-
getAuthenticationManager
protected AuthenticationManager getAuthenticationManager()
-
setAuthenticationManager
public void setAuthenticationManager(AuthenticationManager authenticationManager)
-
setFilterProcessesUrl
public void setFilterProcessesUrl(java.lang.String filterProcessesUrl)
Sets the URL that determines if authentication is required- Parameters:
filterProcessesUrl
-
-
setRequiresAuthenticationRequestMatcher
public final void setRequiresAuthenticationRequestMatcher(RequestMatcher requestMatcher)
-
getRememberMeServices
public RememberMeServices getRememberMeServices()
-
setRememberMeServices
public void setRememberMeServices(RememberMeServices rememberMeServices)
-
setContinueChainBeforeSuccessfulAuthentication
public void setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication)
Indicates if the filter chain should be continued prior to delegation tosuccessfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication)
, which may be useful in certain environment (such as Tapestry applications). Defaults tofalse
.
-
setApplicationEventPublisher
public void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher eventPublisher)
- Specified by:
setApplicationEventPublisher
in interfaceorg.springframework.context.ApplicationEventPublisherAware
-
setAuthenticationDetailsSource
public void setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
-
setMessageSource
public void setMessageSource(org.springframework.context.MessageSource messageSource)
- Specified by:
setMessageSource
in interfaceorg.springframework.context.MessageSourceAware
-
getAllowSessionCreation
protected boolean getAllowSessionCreation()
-
setAllowSessionCreation
public void setAllowSessionCreation(boolean allowSessionCreation)
-
setSessionAuthenticationStrategy
public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionStrategy)
The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager. Used, for example, to handle changing of the session identifier to prevent session fixation attacks.- Parameters:
sessionStrategy
- the implementation to use. If not set a null implementation is used.
-
setAuthenticationSuccessHandler
public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler successHandler)
Sets the strategy used to handle a successful authentication. By default aSavedRequestAwareAuthenticationSuccessHandler
is used.
-
setAuthenticationFailureHandler
public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
-
getSuccessHandler
protected AuthenticationSuccessHandler getSuccessHandler()
-
getFailureHandler
protected AuthenticationFailureHandler getFailureHandler()
-
-