Class UsernamePasswordAuthenticationFilter
- All Implemented Interfaces:
jakarta.servlet.Filter
,org.springframework.beans.factory.Aware
,org.springframework.beans.factory.BeanNameAware
,org.springframework.beans.factory.DisposableBean
,org.springframework.beans.factory.InitializingBean
,org.springframework.context.ApplicationEventPublisherAware
,org.springframework.context.EnvironmentAware
,org.springframework.context.MessageSourceAware
,org.springframework.core.env.EnvironmentCapable
,org.springframework.web.context.ServletContextAware
AuthenticationProcessingFilter
prior to Spring Security 3.0.
Login forms must present two parameters to this filter: a username and password. The
default parameter names to use are contained in the static fields
SPRING_SECURITY_FORM_USERNAME_KEY
and
SPRING_SECURITY_FORM_PASSWORD_KEY
. The parameter names can also be changed by
setting the usernameParameter
and passwordParameter
properties.
This filter by default responds to the URL /login
.
- Since:
- 3.0
-
Field Summary
Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
authenticationDetailsSource, eventPublisher, messages
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
-
Constructor Summary
ConstructorDescriptionUsernamePasswordAuthenticationFilter
(AuthenticationManager authenticationManager) -
Method Summary
Modifier and TypeMethodDescriptionattemptAuthentication
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Performs actual authentication.final String
final String
protected String
obtainPassword
(jakarta.servlet.http.HttpServletRequest request) Enables subclasses to override the composition of the password, such as by including additional values and a separator.protected String
obtainUsername
(jakarta.servlet.http.HttpServletRequest request) Enables subclasses to override the composition of the username, such as by including additional values and a separator.protected void
setDetails
(jakarta.servlet.http.HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) Provided so that subclasses may configure what is put into the authentication request's details property.void
setPasswordParameter
(String passwordParameter) Sets the parameter name which will be used to obtain the password from the login request..void
setPostOnly
(boolean postOnly) Defines whether only HTTP POST requests will be allowed by this filter.void
setUsernameParameter
(String usernameParameter) Sets the parameter name which will be used to obtain the username from the login request.Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSecurityContextRepository, setSessionAuthenticationStrategy, successfulAuthentication, unsuccessfulAuthentication
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
-
Field Details
-
SPRING_SECURITY_FORM_USERNAME_KEY
- See Also:
-
SPRING_SECURITY_FORM_PASSWORD_KEY
- See Also:
-
-
Constructor Details
-
UsernamePasswordAuthenticationFilter
public UsernamePasswordAuthenticationFilter() -
UsernamePasswordAuthenticationFilter
-
-
Method Details
-
attemptAuthentication
public Authentication attemptAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws AuthenticationException Description copied from class:AbstractAuthenticationProcessingFilter
Performs actual authentication.The implementation should do one of the following:
- Return a populated authentication token for the authenticated user, indicating successful authentication
- Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
- Throw an AuthenticationException if the authentication process fails
- Specified by:
attemptAuthentication
in classAbstractAuthenticationProcessingFilter
- Parameters:
request
- from which to extract parameters and perform the authenticationresponse
- the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OIDC).- Returns:
- the authenticated user token, or null if authentication is incomplete.
- Throws:
AuthenticationException
- if authentication fails.
-
obtainPassword
Enables subclasses to override the composition of the password, such as by including additional values and a separator.This might be used for example if a postcode/zipcode was required in addition to the password. A delimiter such as a pipe (|) should be used to separate the password and extended value(s). The
AuthenticationDao
will need to generate the expected password in a corresponding manner.- Parameters:
request
- so that request attributes can be retrieved- Returns:
- the password that will be presented in the
Authentication
request token to theAuthenticationManager
-
obtainUsername
Enables subclasses to override the composition of the username, such as by including additional values and a separator.- Parameters:
request
- so that request attributes can be retrieved- Returns:
- the username that will be presented in the
Authentication
request token to theAuthenticationManager
-
setDetails
protected void setDetails(jakarta.servlet.http.HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) Provided so that subclasses may configure what is put into the authentication request's details property.- Parameters:
request
- that an authentication request is being created forauthRequest
- the authentication request object that should have its details set
-
setUsernameParameter
Sets the parameter name which will be used to obtain the username from the login request.- Parameters:
usernameParameter
- the parameter name. Defaults to "username".
-
setPasswordParameter
Sets the parameter name which will be used to obtain the password from the login request..- Parameters:
passwordParameter
- the parameter name. Defaults to "password".
-
setPostOnly
public void setPostOnly(boolean postOnly) Defines whether only HTTP POST requests will be allowed by this filter. If set to true, and an authentication request is received which is not a POST request, an exception will be raised immediately and authentication will not be attempted. The unsuccessfulAuthentication() method will be called as if handling a failed authentication.Defaults to true but may be overridden by subclasses.
-
getUsernameParameter
-
getPasswordParameter
-