Class RequestAttributeAuthenticationFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter
org.springframework.security.web.authentication.preauth.RequestAttributeAuthenticationFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class RequestAttributeAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter
A simple pre-authenticated filter which obtains the username from request attributes, for use with SSO systems such as Stanford WebAuth or Shibboleth.

As with most pre-authenticated scenarios, it is essential that the external authentication system is set up correctly as this filter does no authentication whatsoever.

The property principalEnvironmentVariable is the name of the request attribute that contains the username. It defaults to "REMOTE_USER" for compatibility with WebAuth and Shibboleth.

If the environment variable is missing from the request, getPreAuthenticatedPrincipal will throw an exception. You can override this behaviour by setting the exceptionIfVariableMissing property.

Since:
4.2
  • Constructor Details

    • RequestAttributeAuthenticationFilter

      public RequestAttributeAuthenticationFilter()
  • Method Details

    • getPreAuthenticatedPrincipal

      protected Object getPreAuthenticatedPrincipal(jakarta.servlet.http.HttpServletRequest request)
      Reads and returns the variable named by principalEnvironmentVariable from the request.
      Specified by:
      getPreAuthenticatedPrincipal in class AbstractPreAuthenticatedProcessingFilter
      Throws:
      PreAuthenticatedCredentialsNotFoundException - if the environment variable is missing and exceptionIfVariableMissing is set to true.
    • getPreAuthenticatedCredentials

      protected Object getPreAuthenticatedCredentials(jakarta.servlet.http.HttpServletRequest request)
      Credentials aren't usually applicable, but if a credentialsEnvironmentVariable is set, this will be read and used as the credentials value. Otherwise a dummy value will be used.
      Specified by:
      getPreAuthenticatedCredentials in class AbstractPreAuthenticatedProcessingFilter
    • setPrincipalEnvironmentVariable

      public void setPrincipalEnvironmentVariable(String principalEnvironmentVariable)
    • setCredentialsEnvironmentVariable

      public void setCredentialsEnvironmentVariable(String credentialsEnvironmentVariable)
    • setExceptionIfVariableMissing

      public void setExceptionIfVariableMissing(boolean exceptionIfVariableMissing)
      Defines whether an exception should be raised if the principal variable is missing. Defaults to true.
      Parameters:
      exceptionIfVariableMissing - set to false to override the default behaviour and allow the request to proceed if no variable is found.
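
An added configuration example, not taken from the Spring Security documentation, showing the properties described above wired into a filter chain. The class name SsoSecurityConfig and the injected UserDetailsService bean are assumptions. Because the filter trusts the attribute as-is, the application is assumed to be reachable only through the SSO front end that sets it.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestAttributeAuthenticationFilter;

@Configuration
public class SsoSecurityConfig { // hypothetical class name

    // The provider performs no password check: it only loads the account
    // (and its authorities) for a principal the SSO layer already authenticated.
    @Bean
    AuthenticationManager preAuthManager(UserDetailsService users) { // assumed bean
        PreAuthenticatedAuthenticationProvider provider =
                new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<>(users));
        return new ProviderManager(provider);
    }

    @Bean
    SecurityFilterChain chain(HttpSecurity http, AuthenticationManager preAuthManager)
            throws Exception {
        RequestAttributeAuthenticationFilter sso = new RequestAttributeAuthenticationFilter();
        sso.setAuthenticationManager(preAuthManager);

        // Request attribute populated by the SSO integration (the default name).
        sso.setPrincipalEnvironmentVariable("REMOTE_USER");

        // Keep the default: a request that arrives without the attribute raises
        // PreAuthenticatedCredentialsNotFoundException. Setting this to false
        // lets such requests continue down the chain unauthenticated, so the
        // authorization rules below become the only barrier.
        sso.setExceptionIfVariableMissing(true);

        http.addFilter(sso)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

The filter is created inside the chain method rather than exposed as its own bean so that it runs only as part of the security filter chain.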