Package org.springframework.security.web.access.channel

Class ChannelProcessingFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.access.channel.ChannelProcessingFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
public class ChannelProcessingFilter extends org.springframework.web.filter.GenericFilterBean
Ensures a web request is delivered over the required channel.

Internally uses a FilterInvocation to represent the request, allowing a FilterInvocationSecurityMetadataSource to be used to lookup the attributes which apply.

Delegates the actual channel security decisions and necessary actions to the configured ChannelDecisionManager. If a response is committed by the ChannelDecisionManager, the filter chain will not proceed.

The most common usage is to ensure that a request takes place over HTTPS, where the ChannelDecisionManagerImpl is configured with a SecureChannelProcessor and an InsecureChannelProcessor. A typical configuration would be 


 <bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
   <property name="channelDecisionManager" ref="channelDecisionManager"/>
   <property name="securityMetadataSource">
     <security:filter-security-metadata-source request-matcher="regex">
       <security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
       <security:intercept-url pattern="\A/login.jsp.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
       <security:intercept-url pattern="\A/.*\Z" access="ANY_CHANNEL"/>
     </security:filter-security-metadata-source>
   </property>
 </bean>

 <bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
   <property name="channelProcessors">
     <list>
     <ref bean="secureChannelProcessor"/>
     <ref bean="insecureChannelProcessor"/>
     </list>
   </property>
 </bean>

 <bean id="secureChannelProcessor"
   class="org.springframework.security.web.access.channel.SecureChannelProcessor"/>
 <bean id="insecureChannelProcessor"
   class="org.springframework.security.web.access.channel.InsecureChannelProcessor"/>
which would force the login form and any access to the /secure path to be made over HTTPS.

  • Constructor Details

    • ChannelProcessingFilter

      public ChannelProcessingFilter()

  • Method Details

    • afterPropertiesSet

      public void afterPropertiesSet()
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
      Overrides:
      afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean

    • doFilter

      public void doFilter(jakarta.servlet.ServletRequest req, jakarta.servlet.ServletResponse res, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
      Throws:
      IOException
      jakarta.servlet.ServletException

    • getChannelDecisionManager

      protected ChannelDecisionManager getChannelDecisionManager()

    • getSecurityMetadataSource

      protected FilterInvocationSecurityMetadataSource getSecurityMetadataSource()

    • setChannelDecisionManager

      public void setChannelDecisionManager(ChannelDecisionManager channelDecisionManager)

    • setSecurityMetadataSource

      public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource filterInvocationSecurityMetadataSource)