Class AbstractPreAuthenticatedProcessingFilter
- All Implemented Interfaces:
jakarta.servlet.Filter
,org.springframework.beans.factory.Aware
,org.springframework.beans.factory.BeanNameAware
,org.springframework.beans.factory.DisposableBean
,org.springframework.beans.factory.InitializingBean
,org.springframework.context.ApplicationEventPublisherAware
,org.springframework.context.EnvironmentAware
,org.springframework.core.env.EnvironmentCapable
,org.springframework.web.context.ServletContextAware
- Direct Known Subclasses:
J2eePreAuthenticatedProcessingFilter
,RequestAttributeAuthenticationFilter
,RequestHeaderAuthenticationFilter
,WebSpherePreAuthenticatedProcessingFilter
,X509AuthenticationFilter
The purpose is then only to extract the necessary information on the principal from the
incoming request, rather than to authenticate them. External authentication systems may
provide this information via request data such as headers or cookies which the
pre-authentication system can extract. It is assumed that the external system is
responsible for the accuracy of the data and preventing the submission of forged
values.
Subclasses must implement the getPreAuthenticatedPrincipal()
and
getPreAuthenticatedCredentials()
methods. Subclasses of this filter are
typically used in combination with a PreAuthenticatedAuthenticationProvider
,
which is used to load additional data for the user. This provider will reject null
credentials, so the getPreAuthenticatedCredentials(jakarta.servlet.http.HttpServletRequest)
method should not return
null for a valid principal.
If the security context already contains an Authentication
object (either from
a invocation of the filter or because of some other authentication mechanism), the
filter will do nothing by default. You can force it to check for a change in the
principal by setting the checkForPrincipalChanges
property.
By default, the filter chain will proceed when an authentication attempt fails in order
to allow other authentication mechanisms to process the request. To reject the
credentials immediately, set the
continueFilterChainOnUnsuccessfulAuthentication flag to false. The exception
raised by the AuthenticationManager will the be re-thrown. Note that this will
not affect cases where the principal returned by getPreAuthenticatedPrincipal(jakarta.servlet.http.HttpServletRequest)
is null, when the chain will still proceed as normal.
- Since:
- 2.0
-
Field Summary
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionvoid
Check whether all required properties have been set.void
doFilter
(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) Try to authenticate a pre-authenticated user with Spring Security if the user has not yet been authenticated.protected AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,
?> protected abstract Object
getPreAuthenticatedCredentials
(jakarta.servlet.http.HttpServletRequest request) Override to extract the credentials (if applicable) from the current request.protected abstract Object
getPreAuthenticatedPrincipal
(jakarta.servlet.http.HttpServletRequest request) Override to extract the principal information from the current requestprotected boolean
principalChanged
(jakarta.servlet.http.HttpServletRequest request, Authentication currentAuthentication) Determines if the current principal has changed.void
setApplicationEventPublisher
(org.springframework.context.ApplicationEventPublisher anApplicationEventPublisher) void
setAuthenticationDetailsSource
(AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest, ?> authenticationDetailsSource) void
setAuthenticationFailureHandler
(AuthenticationFailureHandler authenticationFailureHandler) Sets the strategy used to handle a failed authentication.void
setAuthenticationManager
(AuthenticationManager authenticationManager) void
setAuthenticationSuccessHandler
(AuthenticationSuccessHandler authenticationSuccessHandler) Sets the strategy used to handle a successful authentication.void
setCheckForPrincipalChanges
(boolean checkForPrincipalChanges) If set, the pre-authenticated principal will be checked on each request and compared against the name of the current Authentication object.void
setContinueFilterChainOnUnsuccessfulAuthentication
(boolean shouldContinue) If set totrue
(the default), anyAuthenticationException
raised by theAuthenticationManager
will be swallowed, and the request will be allowed to proceed, potentially using alternative authentication mechanisms.void
setInvalidateSessionOnPrincipalChange
(boolean invalidateSessionOnPrincipalChange) If checkForPrincipalChanges is set, and a change of principal is detected, determines whether any existing session should be invalidated before proceeding to authenticate the new principal.void
setRequiresAuthenticationRequestMatcher
(RequestMatcher requiresAuthenticationRequestMatcher) Sets the request matcher to check whether to proceed the request further.void
setSecurityContextHolderStrategy
(SecurityContextHolderStrategy securityContextHolderStrategy) Sets theSecurityContextHolderStrategy
to use.void
setSecurityContextRepository
(SecurityContextRepository securityContextRepository) Sets theSecurityContextRepository
to save theSecurityContext
on authentication success.protected void
successfulAuthentication
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authResult) Puts theAuthentication
instance returned by the authentication manager into the secure context.protected void
unsuccessfulAuthentication
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, AuthenticationException failed) Ensures the authentication object in the secure context is set to null when authentication fails.Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
-
Constructor Details
-
AbstractPreAuthenticatedProcessingFilter
public AbstractPreAuthenticatedProcessingFilter()
-
-
Method Details
-
afterPropertiesSet
public void afterPropertiesSet()Check whether all required properties have been set.- Specified by:
afterPropertiesSet
in interfaceorg.springframework.beans.factory.InitializingBean
- Overrides:
afterPropertiesSet
in classorg.springframework.web.filter.GenericFilterBean
-
doFilter
public void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException Try to authenticate a pre-authenticated user with Spring Security if the user has not yet been authenticated.- Specified by:
doFilter
in interfacejakarta.servlet.Filter
- Throws:
IOException
jakarta.servlet.ServletException
-
principalChanged
protected boolean principalChanged(jakarta.servlet.http.HttpServletRequest request, Authentication currentAuthentication) Determines if the current principal has changed. The default implementation tries- If the
getPreAuthenticatedPrincipal(HttpServletRequest)
is a String, thePrincipal.getName()
is compared against the pre authenticated principal - Otherwise, the
getPreAuthenticatedPrincipal(HttpServletRequest)
is compared against theAuthentication.getPrincipal()
Subclasses can override this method to determine when a principal has changed.
- Parameters:
request
-currentAuthentication
-- Returns:
- true if the principal has changed, else false
- If the
-
successfulAuthentication
protected void successfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authResult) throws IOException, jakarta.servlet.ServletException Puts theAuthentication
instance returned by the authentication manager into the secure context.- Throws:
IOException
jakarta.servlet.ServletException
-
unsuccessfulAuthentication
protected void unsuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, AuthenticationException failed) throws IOException, jakarta.servlet.ServletException Ensures the authentication object in the secure context is set to null when authentication fails.Caches the failure exception as a request attribute
- Throws:
IOException
jakarta.servlet.ServletException
-
setApplicationEventPublisher
public void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher anApplicationEventPublisher) - Specified by:
setApplicationEventPublisher
in interfaceorg.springframework.context.ApplicationEventPublisherAware
- Parameters:
anApplicationEventPublisher
- The ApplicationEventPublisher to use
-
setSecurityContextRepository
Sets theSecurityContextRepository
to save theSecurityContext
on authentication success. The default action is not to save theSecurityContext
.- Parameters:
securityContextRepository
- theSecurityContextRepository
to use. Cannot be null.
-
setAuthenticationDetailsSource
public void setAuthenticationDetailsSource(AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest, ?> authenticationDetailsSource) - Parameters:
authenticationDetailsSource
- The AuthenticationDetailsSource to use
-
getAuthenticationDetailsSource
protected AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,?> getAuthenticationDetailsSource() -
setAuthenticationManager
- Parameters:
authenticationManager
- The AuthenticationManager to use
-
setContinueFilterChainOnUnsuccessfulAuthentication
public void setContinueFilterChainOnUnsuccessfulAuthentication(boolean shouldContinue) If set totrue
(the default), anyAuthenticationException
raised by theAuthenticationManager
will be swallowed, and the request will be allowed to proceed, potentially using alternative authentication mechanisms. Iffalse
, authentication failure will result in an immediate exception.- Parameters:
shouldContinue
- set totrue
to allow the request to proceed after a failed authentication.
-
setCheckForPrincipalChanges
public void setCheckForPrincipalChanges(boolean checkForPrincipalChanges) If set, the pre-authenticated principal will be checked on each request and compared against the name of the current Authentication object. A check to determine ifAuthentication.getPrincipal()
is equal to the principal will also be performed. If a change is detected, the user will be reauthenticated.- Parameters:
checkForPrincipalChanges
-
-
setInvalidateSessionOnPrincipalChange
public void setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange) If checkForPrincipalChanges is set, and a change of principal is detected, determines whether any existing session should be invalidated before proceeding to authenticate the new principal.- Parameters:
invalidateSessionOnPrincipalChange
- false to retain the existing session. Defaults to true.
-
setAuthenticationSuccessHandler
public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) Sets the strategy used to handle a successful authentication. -
setAuthenticationFailureHandler
public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) Sets the strategy used to handle a failed authentication. -
setRequiresAuthenticationRequestMatcher
public void setRequiresAuthenticationRequestMatcher(RequestMatcher requiresAuthenticationRequestMatcher) Sets the request matcher to check whether to proceed the request further. -
setSecurityContextHolderStrategy
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) Sets theSecurityContextHolderStrategy
to use. The default action is to use theSecurityContextHolderStrategy
stored inSecurityContextHolder
.- Since:
- 5.8
-
getPreAuthenticatedPrincipal
protected abstract Object getPreAuthenticatedPrincipal(jakarta.servlet.http.HttpServletRequest request) Override to extract the principal information from the current request -
getPreAuthenticatedCredentials
protected abstract Object getPreAuthenticatedCredentials(jakarta.servlet.http.HttpServletRequest request) Override to extract the credentials (if applicable) from the current request. Should not return null for a valid principal, though some implementations may return a dummy value.
-