Class BasicAuthenticationFilter
- All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
SecurityContextHolder.
For a detailed background on what this filter is designed to process, refer to RFC 1945, Section 11.1. Any realm name presented in the HTTP request is ignored.
In summary, this filter is responsible for processing any request that has a HTTP request header of Authorization with an authentication scheme of Basic and a Base64-encoded username:password token. For example, to authenticate user "Aladdin" with password "open sesame" the following header would be presented:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
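The header format described above, decoded step by step. This is an added example, not Spring Security's own code: the class BasicHeaderDecoder, the Credentials record and the choice to return empty for other schemes but throw on a malformed Basic token are assumptions of the example. It also shows that the token is only Base64-encoded, so anyone who can read the header can recover the password.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example (hypothetical class): parses "Authorization: Basic <token>" header values.
public class BasicHeaderDecoder {

    // Decoded pair; toString() redacts the password so the record is safe to log.
    record Credentials(String username, String password) {
        @Override public String toString() { return "Credentials[username=" + username + ", password=<redacted>]"; }
    }

    // Returns empty when the header is absent or uses another scheme;
    // throws when a Basic token is present but malformed.
    static Optional<Credentials> decode(String header, Charset charset) {
        if (header == null) return Optional.empty();
        header = header.trim();
        // Authentication scheme names are case-insensitive: "basic" and "BASIC" are valid too.
        if (!header.regionMatches(true, 0, "Basic", 0, 5)) return Optional.empty();
        if (header.length() == 5) throw new IllegalArgumentException("Empty basic authentication token");
        if (header.charAt(5) != ' ') return Optional.empty(); // some other scheme that starts with "Basic"
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Failed to decode basic authentication token");
        }
        String token = new String(decoded, charset);
        // Split on the first colon only: a password may contain ':' but a username may not.
        int colon = token.indexOf(':');
        if (colon == -1) throw new IllegalArgumentException("Invalid basic authentication token");
        return Optional.of(new Credentials(token.substring(0, colon), token.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // First value is the header from the page; the others are constructed sample inputs.
        System.out.println(decode("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", StandardCharsets.UTF_8));
        System.out.println(decode("basic dXNlcjpwYTpzcw==", StandardCharsets.UTF_8)); // user / pa:ss
        System.out.println(decode("Bearer abc.def.ghi", StandardCharsets.UTF_8));     // not Basic
        for (String bad : new String[] {"Basic !!!not-base64!!!", "Basic QWxhZGRpbg=="}) { // bad Base64; no colon
            try { decode(bad, StandardCharsets.UTF_8); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```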
This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).
If authentication is successful, the resulting Authentication object will be placed into the SecurityContextHolder.
If authentication fails and ignoreFailure is false (the default), an AuthenticationEntryPoint implementation is called (unless the ignoreFailure property is set to true). Usually this should be BasicAuthenticationEntryPoint, which will prompt the user to authenticate again via BASIC authentication.
Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still transmits a password in clear text and as such is undesirable in many situations.
Note that if a RememberMeServices is set, this filter will automatically send back remember-me details to the client. Therefore, subsequent requests will not need to present a BASIC authentication header as they will be authenticated using the remember-me mechanism.
-
Field Summary
Fields inherited from class org.springframework.web.filter.OncePerRequestFilter
ALREADY_FILTERED_SUFFIX
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
-
Constructor Summary
Constructor: Description
- BasicAuthenticationFilter(AuthenticationManager authenticationManager): Creates an instance which will authenticate against the supplied AuthenticationManager and which will ignore failed authentication attempts, allowing the request to proceed down the filter chain.
- BasicAuthenticationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint): Creates an instance which will authenticate against the supplied AuthenticationManager and use the supplied AuthenticationEntryPoint to handle authentication failures.
-
Method Summary
Modifier and Type, Method: Description
- void afterPropertiesSet()
- protected boolean authenticationIsRequired(String username)
- protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain)
- protected AuthenticationEntryPoint getAuthenticationEntryPoint()
- protected AuthenticationManager getAuthenticationManager()
- protected String getCredentialsCharset(jakarta.servlet.http.HttpServletRequest httpRequest)
- protected boolean isIgnoreFailure()
- protected void onSuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authResult)
- protected void onUnsuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, AuthenticationException failed)
- void setAuthenticationConverter(AuthenticationConverter authenticationConverter): Sets the AuthenticationConverter to use.
- void setAuthenticationDetailsSource(AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest, ?> authenticationDetailsSource): Sets the AuthenticationDetailsSource to use.
- void setCredentialsCharset(String credentialsCharset): Sets the charset to use when decoding credentials to Strings.
- void setRememberMeServices(RememberMeServices rememberMeServices)
- void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy): Sets the SecurityContextHolderStrategy to use.
- void setSecurityContextRepository(SecurityContextRepository securityContextRepository): Sets the SecurityContextRepository to save the SecurityContext on authentication success.
Methods inherited from class org.springframework.web.filter.OncePerRequestFilter
doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
-
Constructor Details
-
BasicAuthenticationFilter
Creates an instance which will authenticate against the supplied AuthenticationManager and which will ignore failed authentication attempts, allowing the request to proceed down the filter chain.
- Parameters:
authenticationManager - the bean to submit authentication requests to
-
BasicAuthenticationFilter
public BasicAuthenticationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint)
Creates an instance which will authenticate against the supplied AuthenticationManager and use the supplied AuthenticationEntryPoint to handle authentication failures.
- Parameters:
authenticationManager - the bean to submit authentication requests to
authenticationEntryPoint - will be invoked when authentication fails. Typically an instance of BasicAuthenticationEntryPoint.
-
-
Method Details
-
setSecurityContextRepository
Sets the SecurityContextRepository to save the SecurityContext on authentication success. The default action is not to save the SecurityContext.
- Parameters:
securityContextRepository - the SecurityContextRepository to use. Cannot be null.
-
setAuthenticationConverter
Sets the AuthenticationConverter to use. Defaults to BasicAuthenticationConverter.
- Parameters:
authenticationConverter - the converter to use
- Since:
6.2
-
afterPropertiesSet
public void afterPropertiesSet()
- Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
- Overrides:
afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean
-
doFilterInternal
protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
- Specified by:
doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter
- Throws:
IOException
jakarta.servlet.ServletException
-
authenticationIsRequired
-
onSuccessfulAuthentication
protected void onSuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authResult) throws IOException
- Throws:
IOException
-
onUnsuccessfulAuthentication
protected void onUnsuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, AuthenticationException failed) throws IOException
- Throws:
IOException
-
getAuthenticationEntryPoint
-
getAuthenticationManager
-
isIgnoreFailure
protected boolean isIgnoreFailure()
-
setSecurityContextHolderStrategy
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
- Since:
5.8
-
setAuthenticationDetailsSource
public void setAuthenticationDetailsSource(AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest, ?> authenticationDetailsSource)
Sets the AuthenticationDetailsSource to use. By default, it is set to use the WebAuthenticationDetailsSource. Note that this configuration applies exclusively when the authenticationConverter is set to BasicAuthenticationConverter. If you are utilizing a different implementation, you will need to manually specify the authentication details on it.
- Parameters:
authenticationDetailsSource - the AuthenticationDetailsSource to use.
-
setRememberMeServices
-
setCredentialsCharset
Sets the charset to use when decoding credentials to Strings. By default, it is set to UTF-8. Note that this configuration applies exclusively when the authenticationConverter is set to BasicAuthenticationConverter. If you are utilizing a different implementation, you will need to manually specify the charset on it.
- Parameters:
credentialsCharset - the charset to use.
-
getCredentialsCharset
-