Package org.springframework.security.web.servletapi

Class SecurityContextHolderAwareRequestWrapper

java.lang.Object

jakarta.servlet.ServletRequestWrapper

jakarta.servlet.http.HttpServletRequestWrapper

org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper

All Implemented Interfaces:

jakarta.servlet.http.HttpServletRequest, jakarta.servlet.ServletRequest

public class SecurityContextHolderAwareRequestWrapper
extends jakarta.servlet.http.HttpServletRequestWrapper

A Spring Security-aware HttpServletRequestWrapper, which uses the SecurityContext-defined Authentication object to implement the servlet API security methods:

• getUserPrincipal()
• isUserInRole(String)
• HttpServletRequestWrapper.getRemoteUser().

See Also:

• SecurityContextHolderAwareRequestFilter

Field Summary

Fields inherited from interface jakarta.servlet.http.HttpServletRequest

BASIC_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH, FORM_AUTH

Constructor Summary

Constructors

Constructor	Description
SecurityContextHolderAwareRequestWrapper(jakarta.servlet.http.HttpServletRequest request, String rolePrefix)	Creates a new instance with AuthenticationTrustResolverImpl.
SecurityContextHolderAwareRequestWrapper(jakarta.servlet.http.HttpServletRequest request, AuthenticationTrustResolver trustResolver, String rolePrefix)	Creates a new instance

Method Summary

Modifier and Type	Method	Description
String	getRemoteUser()	Returns the principal's name, as obtained from the SecurityContextHolder.
Principal	getUserPrincipal()	Returns the Authentication (which is a subclass of Principal), or null if unavailable.
boolean	isUserInRole(String role)	Simple searches for an exactly matching GrantedAuthority.getAuthority().
String	toString()

Methods inherited from class jakarta.servlet.http.HttpServletRequestWrapper

authenticate, changeSessionId, getAuthType, getContextPath, getCookies, getDateHeader, getHeader, getHeaderNames, getHeaders, getHttpServletMapping, getIntHeader, getMethod, getPart, getParts, getPathInfo, getPathTranslated, getQueryString, getRequestedSessionId, getRequestURI, getRequestURL, getServletPath, getSession, getSession, getTrailerFields, isRequestedSessionIdFromCookie, isRequestedSessionIdFromUrl, isRequestedSessionIdFromURL, isRequestedSessionIdValid, isTrailerFieldsReady, login, logout, newPushBuilder, upgrade

Methods inherited from class jakarta.servlet.ServletRequestWrapper

getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getInputStream, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameter, getParameterMap, getParameterNames, getParameterValues, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequest, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, isWrapperFor, isWrapperFor, removeAttribute, setAttribute, setCharacterEncoding, setRequest, startAsync, startAsync

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface jakarta.servlet.ServletRequest

getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getInputStream, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameter, getParameterMap, getParameterNames, getParameterValues, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, removeAttribute, setAttribute, setCharacterEncoding, startAsync, startAsync

Constructor Details

SecurityContextHolderAwareRequestWrapper

public SecurityContextHolderAwareRequestWrapper(jakarta.servlet.http.HttpServletRequest request,
 String rolePrefix)

Creates a new instance with AuthenticationTrustResolverImpl.

Parameters:

request -

rolePrefix -

SecurityContextHolderAwareRequestWrapper

public SecurityContextHolderAwareRequestWrapper(jakarta.servlet.http.HttpServletRequest request,
 AuthenticationTrustResolver trustResolver,
 String rolePrefix)

Creates a new instance

Parameters:

request - the original HttpServletRequest

trustResolver - the AuthenticationTrustResolver to use. Cannot be null.

rolePrefix - The prefix to be added to isUserInRole(String) or null if no prefix.

Method Details

getRemoteUser

public String getRemoteUser()

Returns the principal's name, as obtained from the SecurityContextHolder. Properly handles both String-based and UserDetails-based principals.

Specified by:

getRemoteUser in interface jakarta.servlet.http.HttpServletRequest

Overrides:

getRemoteUser in class jakarta.servlet.http.HttpServletRequestWrapper

Returns:

the username or null if unavailable

getUserPrincipal

public Principal getUserPrincipal()

Returns the Authentication (which is a subclass of Principal), or null if unavailable.

Specified by:

getUserPrincipal in interface jakarta.servlet.http.HttpServletRequest

Overrides:

getUserPrincipal in class jakarta.servlet.http.HttpServletRequestWrapper

Returns:

the Authentication, or null

isUserInRole

public boolean isUserInRole(String role)

Simple searches for an exactly matching GrantedAuthority.getAuthority().

Will always return false if the SecurityContextHolder contains an Authentication with null principal and/or GrantedAuthority[] objects.

Specified by:

isUserInRole in interface jakarta.servlet.http.HttpServletRequest

Overrides:

isUserInRole in class jakarta.servlet.http.HttpServletRequestWrapper

Parameters:

role - the GrantedAuthorityString representation to check for

Returns:

true if an exact (case sensitive) matching granted authority is located, false otherwise

toString

public String toString()

Overrides:

toString in class Object