Class BasicAuthenticationFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.web.filter.OncePerRequestFilter
org.springframework.security.web.authentication.www.BasicAuthenticationFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class BasicAuthenticationFilter extends org.springframework.web.filter.OncePerRequestFilter
Processes an HTTP request's BASIC authorization headers, putting the result into the SecurityContextHolder.

For a detailed background on what this filter is designed to process, refer to RFC 1945, Section 11.1. Any realm name presented in the HTTP request is ignored.

In summary, this filter is responsible for processing any request that has an HTTP request header of Authorization with an authentication scheme of Basic and a Base64-encoded username:password token. For example, to authenticate user "Aladdin" with password "open sesame" the following header would be presented:

    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).

If authentication is successful, the resulting Authentication object will be placed into the SecurityContextHolder.

If authentication fails and ignoreFailure is false (the default), an AuthenticationEntryPoint implementation is called. Usually this should be BasicAuthenticationEntryPoint, which will prompt the user to authenticate again via BASIC authentication.

Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still transmits a password in clear text and as such is undesirable in many situations.

Note that if a RememberMeServices is set, this filter will automatically send back remember-me details to the client. Therefore, subsequent requests will not need to present a BASIC authentication header as they will be authenticated using the remember-me mechanism.
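As an added example (not from the Spring Security Javadoc or its source), the following wires the filter manually into a Spring Security 6.x SecurityFilterChain using the two-argument constructor and the setSecurityContextRepository setter described on this page. The user store, realm name and class name are constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;

@Configuration
public class BasicAuthConfig {

    @Bean
    AuthenticationManager authenticationManager() {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        // Constructed sample user, the same pair as the RFC example above; stored hashed, never in clear text.
        UserDetailsService users = new InMemoryUserDetailsManager(
                User.withUsername("Aladdin").password(encoder.encode("open sesame")).roles("USER").build());
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider(encoder);
        provider.setUserDetailsService(users);
        return new ProviderManager(provider);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager manager) throws Exception {
        BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
        entryPoint.setRealmName("api"); // realm sent in the challenge; any realm the client sends back is ignored
        entryPoint.afterPropertiesSet();
        // Two-argument constructor: rejected credentials reach the entry point (401 + WWW-Authenticate) instead of being ignored.
        BasicAuthenticationFilter filter = new BasicAuthenticationFilter(manager, entryPoint);
        // Save the SecurityContext for this request only; API clients get no HTTP session.
        filter.setSecurityContextRepository(new RequestAttributeSecurityContextRepository());

        http.exceptionHandling(e -> e.authenticationEntryPoint(entryPoint))
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .addFilter(filter);
        return http.build();
    }
}
```

With the one-argument constructor instead, a bad Authorization header would be ignored and the request would continue down the chain anonymously until the authorization rules reject it.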

  • Constructor Details

    • BasicAuthenticationFilter

      public BasicAuthenticationFilter(AuthenticationManager authenticationManager)
      Creates an instance which will authenticate against the supplied AuthenticationManager and which will ignore failed authentication attempts, allowing the request to proceed down the filter chain.
      Parameters:
      authenticationManager - the bean to submit authentication requests to
    • BasicAuthenticationFilter

      public BasicAuthenticationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint)
      Creates an instance which will authenticate against the supplied AuthenticationManager and use the supplied AuthenticationEntryPoint to handle authentication failures.
      Parameters:
      authenticationManager - the bean to submit authentication requests to
      authenticationEntryPoint - will be invoked when authentication fails. Typically an instance of BasicAuthenticationEntryPoint.
  • Method Details

    • setSecurityContextRepository

      public void setSecurityContextRepository(SecurityContextRepository securityContextRepository)
      Sets the SecurityContextRepository to save the SecurityContext on authentication success. The default action is not to save the SecurityContext.
      Parameters:
      securityContextRepository - the SecurityContextRepository to use. Cannot be null.
    • setAuthenticationConverter

      public void setAuthenticationConverter(AuthenticationConverter authenticationConverter)
      Parameters:
      authenticationConverter - the converter to use
      Since:
      6.2
    • afterPropertiesSet

      public void afterPropertiesSet()
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
      Overrides:
      afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean
    • doFilterInternal

      protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
      Specified by:
      doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter
      Throws:
      IOException
      jakarta.servlet.ServletException
    • authenticationIsRequired

      protected boolean authenticationIsRequired(String username)
    • onSuccessfulAuthentication

      protected void onSuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authResult) throws IOException
      Throws:
      IOException
    • onUnsuccessfulAuthentication

      protected void onUnsuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, AuthenticationException failed) throws IOException
      Throws:
      IOException
    • getAuthenticationEntryPoint

      protected AuthenticationEntryPoint getAuthenticationEntryPoint()
    • getAuthenticationManager

      protected AuthenticationManager getAuthenticationManager()
    • isIgnoreFailure

      protected boolean isIgnoreFailure()
    • setSecurityContextHolderStrategy

      public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
      Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
      Since:
      5.8
    • setAuthenticationDetailsSource

      public void setAuthenticationDetailsSource(AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
      Sets the AuthenticationDetailsSource to use. By default, it is set to use the WebAuthenticationDetailsSource. Note that this configuration applies only when the authenticationConverter is set to BasicAuthenticationConverter. If you are using a different implementation, you will need to specify the authentication details source on it yourself.
      Parameters:
      authenticationDetailsSource - the AuthenticationDetailsSource to use.
    • setRememberMeServices

      public void setRememberMeServices(RememberMeServices rememberMeServices)
    • setCredentialsCharset

      public void setCredentialsCharset(String credentialsCharset)
      Sets the charset to use when decoding credentials to Strings. By default, it is set to UTF-8. Note that this configuration applies only when the authenticationConverter is set to BasicAuthenticationConverter. If you are using a different implementation, you will need to specify the charset on it yourself.
      Parameters:
      credentialsCharset - the charset to use.
    • getCredentialsCharset

      protected String getCredentialsCharset(jakarta.servlet.http.HttpServletRequest httpRequest)
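An added example, not part of the Javadoc or of Spring Security itself, showing how the protected onSuccessfulAuthentication and onUnsuccessfulAuthentication hooks listed above can be overridden to produce an audit trail of BASIC authentication outcomes. The class name is constructed and SLF4J is assumed to be on the classpath.

```java
import java.io.IOException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

/** Constructed subclass (not part of Spring Security) that audits BASIC authentication outcomes. */
public class AuditingBasicAuthenticationFilter extends BasicAuthenticationFilter {

    private static final Logger log = LoggerFactory.getLogger(AuditingBasicAuthenticationFilter.class);

    public AuditingBasicAuthenticationFilter(AuthenticationManager manager, AuthenticationEntryPoint entryPoint) {
        super(manager, entryPoint); // failures are handed to the entry point rather than ignored
    }

    @Override
    protected void onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            Authentication authResult) throws IOException {
        // Record principal, source address and target only; the Authorization header itself is never logged.
        log.info("basic auth success user={} remote={} uri={}",
                authResult.getName(), request.getRemoteAddr(), request.getRequestURI());
    }

    @Override
    protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException failed) throws IOException {
        // The exception type distinguishes a bad password from a locked or disabled account;
        // the submitted username is omitted because clients sometimes paste a password into it.
        log.warn("basic auth failure reason={} remote={} uri={}",
                failed.getClass().getSimpleName(), request.getRemoteAddr(), request.getRequestURI());
    }
}
```

Repeated failure lines from one remote address for the same URI are the signal a rate limiter or lockout policy would key on.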