Class JaasApiIntegrationFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.jaasapi.JaasApiIntegrationFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class JaasApiIntegrationFilter extends org.springframework.web.filter.GenericFilterBean

A Filter which attempts to obtain a JAAS Subject and continue the FilterChain running as that Subject.

By using this Filter in conjunction with Spring's JaasAuthenticationProvider both Spring's SecurityContext and a JAAS Subject can be populated simultaneously. This is useful when integrating with code that requires a JAAS Subject to be populated.

  • Constructor Details

    • JaasApiIntegrationFilter

      public JaasApiIntegrationFilter()
  • Method Details

    • doFilter

      public final void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) throws jakarta.servlet.ServletException, IOException

      Attempts to obtain and run as a JAAS Subject using obtainSubject(ServletRequest).

      If the Subject is null and createEmptySubject is true, an empty, writeable Subject is used. This allows the Subject to be populated at the time of login. If the Subject is still null, the FilterChain continues with no additional processing. If the Subject is not null, the FilterChain is run inside Subject.doAs(Subject, PrivilegedExceptionAction) using the Subject obtained.

      Throws:
      jakarta.servlet.ServletException
      IOException
    • obtainSubject

      protected Subject obtainSubject(jakarta.servlet.ServletRequest request)

      Obtains the Subject to run as or null if no Subject is available.

      The default implementation attempts to obtain the Subject from the SecurityContext's Authentication. If it is of type JaasAuthenticationToken and is authenticated, the Subject is returned from it. Otherwise, null is returned.

      Parameters:
      request - the current ServletRequest
      Returns:
      the Subject to run as or null if no Subject is available.
    • setCreateEmptySubject

      public final void setCreateEmptySubject(boolean createEmptySubject)
      Sets createEmptySubject. If the value is true, and obtainSubject(ServletRequest) returns null, an empty, writeable Subject is created instead. Otherwise no Subject is used. The default is false.
      Parameters:
      createEmptySubject - the new value
    • setSecurityContextHolderStrategy

      public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
      Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
      Since:
      5.8
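
The branch logic that doFilter and setCreateEmptySubject describe, modelled with plain JDK types as an added example (this is not Spring Security's source). The names runChain and downstream and the "alice" principal are hypothetical, and Subject.current() assumes JDK 18 or later.

```java
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;

// Added example: models the doFilter decision with plain JDK types only.
// runChain and downstream are hypothetical names, not Spring Security methods.
public class JaasFilterModel {

    // Stand-in for code behind the filter that expects a JAAS Subject.
    static String downstream() {
        Subject s = Subject.current(); // JDK 18+; null when no Subject is bound
        if (s == null) return "no-subject";
        if (s.getPrincipals().isEmpty()) return "empty-subject";
        List<String> names = new ArrayList<>();
        for (Principal p : s.getPrincipals()) names.add(p.getName());
        return "subject:" + String.join(",", names);
    }

    // 'obtained' plays the role of the value returned by obtainSubject(request).
    static String runChain(Subject obtained, boolean createEmptySubject) throws Exception {
        Subject subject = obtained;
        if (subject == null && createEmptySubject) {
            subject = new Subject(); // empty and writeable, can be filled at login
        }
        if (subject == null) {
            return downstream(); // chain continues with no additional processing
        }
        // The cast selects the PrivilegedExceptionAction overload of doAs.
        return Subject.doAs(subject,
                (PrivilegedExceptionAction<String>) JaasFilterModel::downstream);
    }

    public static void main(String[] args) throws Exception {
        Subject alice = new Subject();
        Principal p = () -> "alice"; // constructed sample principal
        alice.getPrincipals().add(p);

        System.out.println(runChain(null, false));  // nothing obtained, flag off
        System.out.println(runChain(null, true));   // nothing obtained, flag on
        System.out.println(runChain(alice, false)); // authenticated JAAS Subject
    }
}
```

With createEmptySubject set to true, requests without a JAAS login still reach downstream code with a non-null Subject that carries no principals, so authorization checks behind the filter should inspect the principals rather than test the Subject for null.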