public class BasicAuthenticationFilter extends OncePerRequestFilter
SecurityContextHolder.
For a detailed background on what this filter is designed to process, refer to RFC 1945, Section 11.1. Any realm name presented in the HTTP request is ignored.
In summary, this filter is responsible for processing any request that has a HTTP
request header of Authorization with an authentication scheme of
Basic and a Base64-encoded username:password token. For
example, to authenticate user "Aladdin" with password "open sesame" the following
header would be presented:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
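What the header above actually carries, shown as an added example that is not Spring Security's own code: the token is plain Base64 and decodes straight back to the credentials. The class name `BasicHeaderDemo`, the `decode` helper and its charset parameter are hypothetical names chosen for this illustration; only the JDK is used.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration (not Spring Security source): decoding a Basic Authorization header value.
public class BasicHeaderDemo {

    /** Returns {username, password}, or null when the header is not a Basic credential. */
    static String[] decode(String header, Charset credentialsCharset) {
        if (header == null) {
            return null;
        }
        header = header.trim();
        // The scheme name is matched case-insensitively and must be followed by a token.
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Basic token is not valid Base64", e);
        }
        String token = new String(decoded, credentialsCharset);
        // Split on the FIRST colon only: the password may itself contain ':'.
        int delim = token.indexOf(':');
        if (delim == -1) {
            throw new IllegalArgumentException("Basic token has no ':' separator");
        }
        return new String[] { token.substring(0, delim), token.substring(delim + 1) };
    }

    public static void main(String[] args) {
        // Header value taken from the documentation above.
        String[] creds = decode("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", StandardCharsets.UTF_8);
        System.out.println(creds[0] + " / " + creds[1]);

        // Constructed sample: a password that contains a colon.
        String sample = "Basic " + Base64.getEncoder()
                .encodeToString("user:pa:ss".getBytes(StandardCharsets.UTF_8));
        String[] colon = decode(sample, StandardCharsets.UTF_8);
        System.out.println(colon[0] + " / " + colon[1]);

        // Constructed sample: a different scheme is not a Basic credential.
        System.out.println(decode("Bearer abc.def.ghi", StandardCharsets.UTF_8));
    }
}
```

Because no key is involved in the encoding, anyone who can read the request can recover the password, which is why Basic authentication should only travel over an encrypted transport.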
This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).
If authentication is successful, the resulting Authentication object will be
placed into the SecurityContextHolder.
If authentication fails and ignoreFailure is false (the
default), an AuthenticationEntryPoint implementation is called. Usually this should be
BasicAuthenticationEntryPoint, which will prompt the user to authenticate again
via BASIC authentication. A filter created with the single-argument constructor
instead ignores failed authentication attempts and allows the request to proceed
down the filter chain.
Basic authentication is an attractive protocol because it is simple and widely
deployed. However, it still transmits a password in clear text and as such is
undesirable in many situations. Digest authentication is also provided by Spring
Security and should be used instead of Basic authentication wherever possible. See
DigestAuthenticationFilter.
Note that if a RememberMeServices is set, this filter will automatically send
back remember-me details to the client. Therefore, subsequent requests will not need to
present a BASIC authentication header as they will be authenticated using the
remember-me mechanism.
Inherited fields: ALREADY_FILTERED_SUFFIX, logger

| Constructor | Description |
|---|---|
| BasicAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager) | Creates an instance which will authenticate against the supplied AuthenticationManager and which will ignore failed authentication attempts, allowing the request to proceed down the filter chain. |
| BasicAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint) | Creates an instance which will authenticate against the supplied AuthenticationManager and use the supplied AuthenticationEntryPoint to handle authentication failures. |

| Modifier and Type | Method and Description |
|---|---|
| void | afterPropertiesSet() |
| protected void | doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain) |
| protected AuthenticationEntryPoint | getAuthenticationEntryPoint() |
| protected org.springframework.security.authentication.AuthenticationManager | getAuthenticationManager() |
| protected String | getCredentialsCharset(javax.servlet.http.HttpServletRequest httpRequest) |
| protected boolean | isIgnoreFailure() |
| protected void | onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult) |
| protected void | onUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) |
| void | setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource) |
| void | setCredentialsCharset(String credentialsCharset) |
| void | setRememberMeServices(RememberMeServices rememberMeServices) |
Methods inherited from class OncePerRequestFilter: doFilter, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch
Methods inherited from class GenericFilterBean: addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

public BasicAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager)
Creates an instance which will authenticate against the supplied AuthenticationManager and which will ignore failed authentication attempts, allowing the request to proceed down the filter chain.
Parameters:
authenticationManager - the bean to submit authentication requests to

public BasicAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint)
Creates an instance which will authenticate against the supplied AuthenticationManager and use the supplied AuthenticationEntryPoint to handle authentication failures.
Parameters:
authenticationManager - the bean to submit authentication requests to
authenticationEntryPoint - will be invoked when authentication fails. Typically an instance of BasicAuthenticationEntryPoint.

public void afterPropertiesSet()
Specified by: afterPropertiesSet in interface InitializingBean
Overrides: afterPropertiesSet in class GenericFilterBean

protected void doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
Specified by: doFilterInternal in class OncePerRequestFilter
Throws: IOException, javax.servlet.ServletException

protected void onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult) throws IOException
Throws: IOException

protected void onUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) throws IOException
Throws: IOException

protected AuthenticationEntryPoint getAuthenticationEntryPoint()

protected org.springframework.security.authentication.AuthenticationManager getAuthenticationManager()

protected boolean isIgnoreFailure()

public void setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)

public void setRememberMeServices(RememberMeServices rememberMeServices)

public void setCredentialsCharset(String credentialsCharset)

protected String getCredentialsCharset(javax.servlet.http.HttpServletRequest httpRequest)