Package org.springframework.security.web.authentication

Class UsernamePasswordAuthenticationFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter
Processes an authentication form submission. Called AuthenticationProcessingFilter prior to Spring Security 3.0.

Login forms must present two parameters to this filter: a username and password. The default parameter names to use are contained in the static fields SPRING_SECURITY_FORM_USERNAME_KEY and SPRING_SECURITY_FORM_PASSWORD_KEY. The parameter names can also be changed by setting the usernameParameter and passwordParameter properties.

This filter by default responds to the URL /login.

Since:
3.0

  • Field Details

  • Constructor Details

    • UsernamePasswordAuthenticationFilter

      public UsernamePasswordAuthenticationFilter()

    • UsernamePasswordAuthenticationFilter

      public UsernamePasswordAuthenticationFilter(AuthenticationManager authenticationManager)

  • Method Details

    • attemptAuthentication

      public Authentication attemptAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws AuthenticationException
      Description copied from class: AbstractAuthenticationProcessingFilter
      Performs actual authentication.

      The implementation should do one of the following:

      1. Return a populated authentication token for the authenticated user, indicating successful authentication
      2. Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
      3. Throw an AuthenticationException if the authentication process fails
      Specified by:
      attemptAuthentication in class AbstractAuthenticationProcessingFilter
      Parameters:
      request - from which to extract parameters and perform the authentication
      response - the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OIDC).
      Returns:
      the authenticated user token, or null if authentication is incomplete.
      Throws:
      AuthenticationException - if authentication fails.

    • obtainPassword

      @Nullable protected String obtainPassword(jakarta.servlet.http.HttpServletRequest request)
      Enables subclasses to override the composition of the password, such as by including additional values and a separator.

      This might be used for example if a postcode/zipcode was required in addition to the password. A delimiter such as a pipe (|) should be used to separate the password and extended value(s). The AuthenticationDao will need to generate the expected password in a corresponding manner.

      Parameters:
      request - so that request attributes can be retrieved
      Returns:
      the password that will be presented in the Authentication request token to the AuthenticationManager

    • obtainUsername

      @Nullable protected String obtainUsername(jakarta.servlet.http.HttpServletRequest request)
      Enables subclasses to override the composition of the username, such as by including additional values and a separator.
      Parameters:
      request - so that request attributes can be retrieved
      Returns:
      the username that will be presented in the Authentication request token to the AuthenticationManager

    • setDetails

      protected void setDetails(jakarta.servlet.http.HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest)
      Provided so that subclasses may configure what is put into the authentication request's details property.
      Parameters:
      request - that an authentication request is being created for
      authRequest - the authentication request object that should have its details set

    • setUsernameParameter

      public void setUsernameParameter(String usernameParameter)
      Sets the parameter name which will be used to obtain the username from the login request.
      Parameters:
      usernameParameter - the parameter name. Defaults to "username".

    • setPasswordParameter

      public void setPasswordParameter(String passwordParameter)
      Sets the parameter name which will be used to obtain the password from the login request..
      Parameters:
      passwordParameter - the parameter name. Defaults to "password".

    • setPostOnly

      public void setPostOnly(boolean postOnly)
      Defines whether only HTTP POST requests will be allowed by this filter. If set to true, and an authentication request is received which is not a POST request, an exception will be raised immediately and authentication will not be attempted. The unsuccessfulAuthentication() method will be called as if handling a failed authentication.

      Defaults to true but may be overridden by subclasses.

    • getUsernameParameter

      public final String getUsernameParameter()

    • getPasswordParameter

      public final String getPasswordParameter()