Class UsernamePasswordAuthenticationFilter
- java.lang.Object
  - org.springframework.web.filter.GenericFilterBean
    - org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      - org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
- All Implemented Interfaces:
  javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter

Processes an authentication form submission. Called AuthenticationProcessingFilter prior to Spring Security 3.0.

Login forms must present two parameters to this filter: a username and password. The default parameter names to use are contained in the static fields SPRING_SECURITY_FORM_USERNAME_KEY and SPRING_SECURITY_FORM_PASSWORD_KEY. The parameter names can also be changed by setting the usernameParameter and passwordParameter properties.

This filter by default responds to the URL /login.

- Since:
  3.0
-
-
Field Summary
Fields (Modifier and Type, Field):
- static java.lang.String SPRING_SECURITY_FORM_PASSWORD_KEY
- static java.lang.String SPRING_SECURITY_FORM_USERNAME_KEY
-
Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
authenticationDetailsSource, eventPublisher, messages
-
-
Constructor Summary
Constructors:
- UsernamePasswordAuthenticationFilter()
- UsernamePasswordAuthenticationFilter(AuthenticationManager authenticationManager)
-
Method Summary
Methods (Modifier and Type, Method, Description):
- Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
  Performs actual authentication.
- java.lang.String getPasswordParameter()
- java.lang.String getUsernameParameter()
- protected java.lang.String obtainPassword(javax.servlet.http.HttpServletRequest request)
  Enables subclasses to override the composition of the password, such as by including additional values and a separator.
- protected java.lang.String obtainUsername(javax.servlet.http.HttpServletRequest request)
  Enables subclasses to override the composition of the username, such as by including additional values and a separator.
- protected void setDetails(javax.servlet.http.HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest)
  Provided so that subclasses may configure what is put into the authentication request's details property.
- void setPasswordParameter(java.lang.String passwordParameter)
  Sets the parameter name which will be used to obtain the password from the login request.
- void setPostOnly(boolean postOnly)
  Defines whether only HTTP POST requests will be allowed by this filter.
- void setUsernameParameter(java.lang.String usernameParameter)
  Sets the parameter name which will be used to obtain the username from the login request.
-
Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy, successfulAuthentication, unsuccessfulAuthentication
-
-
-
-
Field Detail
-
SPRING_SECURITY_FORM_USERNAME_KEY
public static final java.lang.String SPRING_SECURITY_FORM_USERNAME_KEY
- See Also:
- Constant Field Values
-
SPRING_SECURITY_FORM_PASSWORD_KEY
public static final java.lang.String SPRING_SECURITY_FORM_PASSWORD_KEY
- See Also:
- Constant Field Values
-
-
Constructor Detail
-
UsernamePasswordAuthenticationFilter
public UsernamePasswordAuthenticationFilter()
-
UsernamePasswordAuthenticationFilter
public UsernamePasswordAuthenticationFilter(AuthenticationManager authenticationManager)
-
-
Method Detail
-
attemptAuthentication
public Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException
Description copied from class: AbstractAuthenticationProcessingFilter
Performs actual authentication.
The implementation should do one of the following:
- Return a populated authentication token for the authenticated user, indicating successful authentication
- Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
- Throw an AuthenticationException if the authentication process fails
- Specified by:
  attemptAuthentication in class AbstractAuthenticationProcessingFilter
- Parameters:
  request - from which to extract parameters and perform the authentication
  response - the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID).
- Returns:
  the authenticated user token, or null if authentication is incomplete.
- Throws:
  AuthenticationException - if authentication fails.
-
obtainPassword
@Nullable protected java.lang.String obtainPassword(javax.servlet.http.HttpServletRequest request)
Enables subclasses to override the composition of the password, such as by including additional values and a separator.
This might be used for example if a postcode/zipcode was required in addition to the password. A delimiter such as a pipe (|) should be used to separate the password and extended value(s). The AuthenticationDao will need to generate the expected password in a corresponding manner.
- Parameters:
  request - so that request attributes can be retrieved
- Returns:
  the password that will be presented in the Authentication request token to the AuthenticationManager
-
obtainUsername
@Nullable protected java.lang.String obtainUsername(javax.servlet.http.HttpServletRequest request)
Enables subclasses to override the composition of the username, such as by including additional values and a separator.
- Parameters:
  request - so that request attributes can be retrieved
- Returns:
  the username that will be presented in the Authentication request token to the AuthenticationManager
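
A subclass that uses the obtainUsername hook (the same pattern applies to obtainPassword above), shown as an added example that is not part of the Spring Security documentation. The "tenant", "login" and "secret" parameter names, the class name and the choice of '|' as separator are assumptions; the example rejects the separator inside either part so two different inputs can never compose to the same principal.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Added example: presents "tenant|username" to the AuthenticationManager.
// TENANT_PARAMETER, the '|' separator and the field names are assumptions.
public class TenantUsernamePasswordAuthenticationFilter
        extends UsernamePasswordAuthenticationFilter {

    private static final String TENANT_PARAMETER = "tenant"; // hypothetical form field
    private static final char SEPARATOR = '|';

    public TenantUsernamePasswordAuthenticationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
        setUsernameParameter("login");  // replaces the default "username"
        setPasswordParameter("secret"); // replaces the default "password"
        setPostOnly(true);              // the default, stated explicitly: non-POST logins are rejected
    }

    @Override
    protected String obtainUsername(HttpServletRequest request) {
        String tenant = request.getParameter(TENANT_PARAMETER);
        String username = request.getParameter(getUsernameParameter());
        if (tenant == null || username == null) {
            // An AuthenticationException here is handled as a failed authentication.
            throw new BadCredentialsException("Missing tenant or username");
        }
        tenant = tenant.trim();
        username = username.trim();
        // Reject the separator inside either part; otherwise tenant "a|b" + user "c"
        // and tenant "a" + user "b|c" would compose to the same principal string.
        if (tenant.indexOf(SEPARATOR) >= 0 || username.indexOf(SEPARATOR) >= 0) {
            throw new BadCredentialsException("Separator not allowed in tenant or username");
        }
        return tenant + SEPARATOR + username;
    }
}
```

The user lookup behind the AuthenticationManager has to split the composed value on the same separator, just as the page requires the AuthenticationDao to generate a composed password in a corresponding manner.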
-
setDetails
protected void setDetails(javax.servlet.http.HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest)
Provided so that subclasses may configure what is put into the authentication request's details property.
- Parameters:
  request - that an authentication request is being created for
  authRequest - the authentication request object that should have its details set
-
setUsernameParameter
public void setUsernameParameter(java.lang.String usernameParameter)
Sets the parameter name which will be used to obtain the username from the login request.
- Parameters:
  usernameParameter - the parameter name. Defaults to "username".
-
setPasswordParameter
public void setPasswordParameter(java.lang.String passwordParameter)
Sets the parameter name which will be used to obtain the password from the login request.
- Parameters:
  passwordParameter - the parameter name. Defaults to "password".
-
setPostOnly
public void setPostOnly(boolean postOnly)
Defines whether only HTTP POST requests will be allowed by this filter. If set to true, and an authentication request is received which is not a POST request, an exception will be raised immediately and authentication will not be attempted. The unsuccessfulAuthentication() method will be called as if handling a failed authentication.
Defaults to true but may be overridden by subclasses.
-
getUsernameParameter
public final java.lang.String getUsernameParameter()
-
getPasswordParameter
public final java.lang.String getPasswordParameter()
-
-