
1   /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
2    *
3    * Licensed under the Apache License, Version 2.0 (the "License");
4    * you may not use this file except in compliance with the License.
5    * You may obtain a copy of the License at
6    *
7    *     http://www.apache.org/licenses/LICENSE-2.0
8    *
9    * Unless required by applicable law or agreed to in writing, software
10   * distributed under the License is distributed on an "AS IS" BASIS,
11   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12   * See the License for the specific language governing permissions and
13   * limitations under the License.
14   */
15  
16  package org.springframework.security.ui.webapp;
17  
18  import org.springframework.security.Authentication;
19  import org.springframework.security.AuthenticationException;
20  
21  import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
22  
23  import org.springframework.security.ui.AbstractProcessingFilter;
24  import org.springframework.security.ui.FilterChainOrder;
25  import org.springframework.security.util.TextUtils;
26  import org.springframework.util.Assert;
27  
28  import javax.servlet.http.HttpServletRequest;
29  import javax.servlet.http.HttpSession;
30  
31  
32  /**
33   * Processes a username/password login form submission.
34   * <p>Login forms must present two parameters to this filter: a username and a password. The default
35   * parameter names are held in the static fields {@link #SPRING_SECURITY_FORM_USERNAME_KEY} and
36   * {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}; they can be changed by setting the <tt>usernameParameter</tt>
37   * and <tt>passwordParameter</tt> properties. This filter does not itself restrict the HTTP method, so login
38   * forms should submit via POST to keep credentials out of query strings and server access logs.
39   *
40   * @author Ben Alex
41   * @author Colin Sampaleanu
42   * @version $Id: AuthenticationProcessingFilter.java 3033 2008-05-05 18:37:02Z luke_t $
43   */
public class AuthenticationProcessingFilter extends AbstractProcessingFilter {
    //~ Static fields/initializers =====================================================================================

    /** Default request parameter name from which the username is read. */
    public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "j_username";

    /** Default request parameter name from which the password is read. */
    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "j_password";

    /**
     * Session attribute under which the most recently attempted username is stored (entity-escaped) so that a
     * login view can redisplay it after a failed attempt.
     */
    public static final String SPRING_SECURITY_LAST_USERNAME_KEY = "SPRING_SECURITY_LAST_USERNAME";

    private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
    private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;

    //~ Methods ========================================================================================================

    /**
     * Builds an authentication request from the submitted username and password and passes it to the
     * configured <code>AuthenticationManager</code>.
     * <p>A missing username or password is treated as the empty string rather than <code>null</code>. The
     * username is trimmed; the password is deliberately left untouched, since surrounding whitespace may be
     * part of it. This method does not check the HTTP method of the request: credentials arriving in a GET
     * query string are accepted just like a POSTed form, so login forms should use POST.</p>
     *
     * @param request the login request
     * @return the populated <code>Authentication</code> returned by the <code>AuthenticationManager</code>
     * @throws AuthenticationException if the <code>AuthenticationManager</code> rejects the credentials
     */
    public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {
        // Both extraction hooks may be overridden by subclasses; the username hook is always invoked first.
        String username = nullToEmpty(obtainUsername(request)).trim();
        String password = nullToEmpty(obtainPassword(request));

        UsernamePasswordAuthenticationToken authRequest =
                new UsernamePasswordAuthenticationToken(username, password);

        rememberLastUsername(request, username);

        // Let subclasses decide what goes into the token's "details" property
        setDetails(request, authRequest);

        return getAuthenticationManager().authenticate(authRequest);
    }

    /**
     * Stores the attempted username in the {@link HttpSession} under {@link #SPRING_SECURITY_LAST_USERNAME_KEY}
     * so that views can redisplay it. The value is entity-escaped via <code>TextUtils.escapeEntities</code>
     * first, because it is user-supplied input intended for rendering in a view. No session is created unless
     * {@link #getAllowSessionCreation()} permits it.
     *
     * @param request the login request
     * @param username the (already trimmed, non-null) username that was attempted
     */
    private void rememberLastUsername(HttpServletRequest request, String username) {
        HttpSession existing = request.getSession(false);

        if (existing == null && !getAllowSessionCreation()) {
            return;
        }

        request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextUtils.escapeEntities(username));
    }

    /** Maps <code>null</code> to the empty string; any other value is returned unchanged. */
    private static String nullToEmpty(String value) {
        return (value == null) ? "" : value;
    }

    /**
     * Returns the URL this filter responds to when none is configured explicitly:
     * <code>/j_spring_security_check</code>.
     *
     * @return the default processing URL
     */
    public String getDefaultFilterProcessesUrl() {
        return "/j_spring_security_check";
    }

    /**
     * Extracts the password from the request. Override to change how the password is composed, for example to
     * append an additional value (such as a postcode/zipcode) separated by a delimiter like a pipe (|); the
     * <code>AuthenticationDao</code> must then produce the expected password in the same form.
     * <p>The default reads the configured password parameter via <code>HttpServletRequest.getParameter</code>,
     * which does not distinguish between query-string and form-body parameters.</p>
     *
     * @param request the login request
     * @return the raw password to place in the <code>Authentication</code> request token, or <code>null</code>
     *         if the parameter is absent
     */
    protected String obtainPassword(HttpServletRequest request) {
        return request.getParameter(passwordParameter);
    }

    /**
     * Extracts the username from the request. Override to change how the username is composed, for example by
     * combining additional values with a separator. The default reads the configured username parameter.
     *
     * @param request the login request
     * @return the username to place in the <code>Authentication</code> request token, or <code>null</code> if
     *         the parameter is absent
     */
    protected String obtainUsername(HttpServletRequest request) {
        return request.getParameter(usernameParameter);
    }

    /**
     * Populates the <code>details</code> property of the authentication request from the configured
     * <code>authenticationDetailsSource</code>. Subclasses may override to supply different details.
     *
     * @param request the request the authentication attempt originates from
     * @param authRequest the token whose details should be set
     */
    protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
    }

    /**
     * Sets the name of the request parameter that carries the username.
     *
     * @param usernameParameter the parameter name; defaults to "j_username"
     * @throws IllegalArgumentException if the name is <code>null</code> or blank
     */
    public void setUsernameParameter(String usernameParameter) {
        Assert.hasText(usernameParameter, "Username parameter must not be empty or null");
        this.usernameParameter = usernameParameter;
    }

    /**
     * Sets the name of the request parameter that carries the password.
     *
     * @param passwordParameter the parameter name; defaults to "j_password"
     * @throws IllegalArgumentException if the name is <code>null</code> or blank
     */
    public void setPasswordParameter(String passwordParameter) {
        Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
        this.passwordParameter = passwordParameter;
    }

    /**
     * Position of this filter in the chain; see {@link FilterChainOrder#AUTHENTICATION_PROCESSING_FILTER}.
     *
     * @return the filter chain order value
     */
    public int getOrder() {
        return FilterChainOrder.AUTHENTICATION_PROCESSING_FILTER;
    }

    /** Package-visible accessor for the configured username parameter name. */
    String getUsernameParameter() {
        return usernameParameter;
    }

    /** Package-visible accessor for the configured password parameter name. */
    String getPasswordParameter() {
        return passwordParameter;
    }
}