Class BasicAuthenticationFilter
- java.lang.Object
-
- org.springframework.web.filter.GenericFilterBean
-
- org.springframework.web.filter.OncePerRequestFilter
-
- org.springframework.security.web.authentication.www.BasicAuthenticationFilter
-
- All Implemented Interfaces:
javax.servlet.Filter
,org.springframework.beans.factory.Aware
,org.springframework.beans.factory.BeanNameAware
,org.springframework.beans.factory.DisposableBean
,org.springframework.beans.factory.InitializingBean
,org.springframework.context.EnvironmentAware
,org.springframework.core.env.EnvironmentCapable
,org.springframework.web.context.ServletContextAware
public class BasicAuthenticationFilter extends org.springframework.web.filter.OncePerRequestFilter
Processes a HTTP request's BASIC authorization headers, putting the result into theSecurityContextHolder
.For a detailed background on what this filter is designed to process, refer to RFC 1945, Section 11.1. Any realm name presented in the HTTP request is ignored.
In summary, this filter is responsible for processing any request that has a HTTP request header of
Authorization
with an authentication scheme ofBasic
and a Base64-encodedusername:password
token. For example, to authenticate user "Aladdin" with password "open sesame" the following header would be presented:Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).
If authentication is successful, the resulting
Authentication
object will be placed into theSecurityContextHolder
.If authentication fails and
ignoreFailure
isfalse
(the default), anAuthenticationEntryPoint
implementation is called (unless the ignoreFailure property is set to true). Usually this should beBasicAuthenticationEntryPoint
, which will prompt the user to authenticate again via BASIC authentication.Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still transmits a password in clear text and as such is undesirable in many situations. Digest authentication is also provided by Spring Security and should be used instead of Basic authentication wherever possible. See
DigestAuthenticationFilter
.Note that if a
RememberMeServices
is set, this filter will automatically send back remember-me details to the client. Therefore, subsequent requests will not need to present a BASIC authentication header as they will be authenticated using the remember-me mechanism.
-
-
Constructor Summary
Constructors Constructor Description BasicAuthenticationFilter(AuthenticationManager authenticationManager)
Creates an instance which will authenticate against the suppliedAuthenticationManager
and which will ignore failed authentication attempts, allowing the request to proceed down the filter chain.BasicAuthenticationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint)
Creates an instance which will authenticate against the suppliedAuthenticationManager
and use the suppliedAuthenticationEntryPoint
to handle authentication failures.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description void
afterPropertiesSet()
protected void
doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
protected AuthenticationEntryPoint
getAuthenticationEntryPoint()
protected AuthenticationManager
getAuthenticationManager()
protected java.lang.String
getCredentialsCharset(javax.servlet.http.HttpServletRequest httpRequest)
protected boolean
isIgnoreFailure()
protected void
onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authResult)
protected void
onUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationException failed)
void
setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
void
setCredentialsCharset(java.lang.String credentialsCharset)
void
setRememberMeServices(RememberMeServices rememberMeServices)
-
Methods inherited from class org.springframework.web.filter.OncePerRequestFilter
doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch
-
-
-
-
Constructor Detail
-
BasicAuthenticationFilter
public BasicAuthenticationFilter(AuthenticationManager authenticationManager)
Creates an instance which will authenticate against the suppliedAuthenticationManager
and which will ignore failed authentication attempts, allowing the request to proceed down the filter chain.- Parameters:
authenticationManager
- the bean to submit authentication requests to
-
BasicAuthenticationFilter
public BasicAuthenticationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint)
Creates an instance which will authenticate against the suppliedAuthenticationManager
and use the suppliedAuthenticationEntryPoint
to handle authentication failures.- Parameters:
authenticationManager
- the bean to submit authentication requests toauthenticationEntryPoint
- will be invoked when authentication fails. Typically an instance ofBasicAuthenticationEntryPoint
.
-
-
Method Detail
-
afterPropertiesSet
public void afterPropertiesSet()
- Specified by:
afterPropertiesSet
in interfaceorg.springframework.beans.factory.InitializingBean
- Overrides:
afterPropertiesSet
in classorg.springframework.web.filter.GenericFilterBean
-
doFilterInternal
protected void doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException
- Specified by:
doFilterInternal
in classorg.springframework.web.filter.OncePerRequestFilter
- Throws:
java.io.IOException
javax.servlet.ServletException
-
onSuccessfulAuthentication
protected void onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authResult) throws java.io.IOException
- Throws:
java.io.IOException
-
onUnsuccessfulAuthentication
protected void onUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationException failed) throws java.io.IOException
- Throws:
java.io.IOException
-
getAuthenticationEntryPoint
protected AuthenticationEntryPoint getAuthenticationEntryPoint()
-
getAuthenticationManager
protected AuthenticationManager getAuthenticationManager()
-
isIgnoreFailure
protected boolean isIgnoreFailure()
-
setAuthenticationDetailsSource
public void setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
-
setRememberMeServices
public void setRememberMeServices(RememberMeServices rememberMeServices)
-
setCredentialsCharset
public void setCredentialsCharset(java.lang.String credentialsCharset)
-
getCredentialsCharset
protected java.lang.String getCredentialsCharset(javax.servlet.http.HttpServletRequest httpRequest)
-
-