public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean implements ApplicationEventPublisherAware, MessageSourceAware
This filter will intercept a request and attempt to perform authentication from that request if the request matches the setRequiresAuthenticationRequestMatcher(RequestMatcher).

Authentication is performed by the attemptAuthentication method, which must be implemented by subclasses.

If authentication is successful, the resulting Authentication object will be placed into the SecurityContext for the current thread, which is guaranteed to have already been created by an earlier filter.

The configured AuthenticationSuccessHandler will then be called to take the redirect to the appropriate destination after a successful login. The default behaviour is implemented in a SavedRequestAwareAuthenticationSuccessHandler, which will make use of any DefaultSavedRequest set by the ExceptionTranslationFilter and redirect the user to the URL contained therein. Otherwise it will redirect to the webapp root "/". You can customize this behaviour by injecting a differently configured instance of this class, or by using a different implementation. See the successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) method for more information.

If authentication fails, the filter delegates to the configured AuthenticationFailureHandler to allow the failure information to be conveyed to the client. The default implementation is SimpleUrlAuthenticationFailureHandler, which sends a 401 error code to the client. It may also be configured with a failure URL as an alternative. Again you can inject whatever behaviour you require here.

If authentication is successful, an InteractiveAuthenticationSuccessEvent will be published via the application context. No events will be published if authentication was unsuccessful, because this would generally be recorded via an AuthenticationManager-specific application event.

The filter has an optional SessionAuthenticationStrategy which will be invoked immediately after a successful call to attemptAuthentication(). Different implementations can be injected to enable things like session-fixation attack prevention or to control the number of simultaneous sessions a principal may have.

| Modifier and Type | Field and Description |
|---|---|
| protected org.springframework.security.authentication.AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> | authenticationDetailsSource |
| protected ApplicationEventPublisher | eventPublisher |
| protected MessageSourceAccessor | messages |

Fields inherited from class GenericFilterBean: logger

| Modifier | Constructor and Description |
|---|---|
| protected | AbstractAuthenticationProcessingFilter(RequestMatcher requiresAuthenticationRequestMatcher) Creates a new instance |
| protected | AbstractAuthenticationProcessingFilter(String defaultFilterProcessesUrl) |
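As an added example (not code from Spring Security), a hypothetical FormLoginProcessingFilter subclass shows the pieces the class description refers to: the RequestMatcher passed to the constructor, attemptAuthentication delegating to the AuthenticationManager, and the session-fixation strategy and failure handler being set. The class name, the /login path and the parameter names are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical subclass (added example, not part of Spring Security): handles POST /login
// and hands the submitted credentials to the configured AuthenticationManager.
public class FormLoginProcessingFilter extends AbstractAuthenticationProcessingFilter {
    public FormLoginProcessingFilter() {
        // Only POST /login counts as an authentication request; GET /login serves the form.
        super(new AntPathRequestMatcher("/login", "POST"));
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            // Outcome 2 of doFilter(): an AuthenticationException sends the request to
            // unsuccessfulAuthentication() and the configured AuthenticationFailureHandler.
            throw new AuthenticationServiceException("Missing credentials");
        }
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username.trim(), password);
        token.setDetails(authenticationDetailsSource.buildDetails(request)); // remote addr, session id
        // Outcome 1: a populated Authentication is returned, so doFilter() applies the
        // SessionAuthenticationStrategy and then calls successfulAuthentication().
        // Outcome 3 (returning null) would mean a multi-stage flow is still in progress.
        return getAuthenticationManager().authenticate(token);
    }

    // Wires the collaborators the class description lists (normally done by the security DSL).
    public static FormLoginProcessingFilter configure(AuthenticationManager manager) {
        FormLoginProcessingFilter filter = new FormLoginProcessingFilter();
        filter.setAuthenticationManager(manager);
        // Issue a fresh session id on login so an id fixed before authentication is useless.
        filter.setSessionAuthenticationStrategy(new SessionFixationProtectionStrategy());
        SimpleUrlAuthenticationFailureHandler failure = new SimpleUrlAuthenticationFailureHandler();
        failure.setDefaultFailureUrl("/login?error"); // redirect instead of the default 401
        filter.setAuthenticationFailureHandler(failure);
        filter.afterPropertiesSet(); // asserts that an AuthenticationManager was supplied
        return filter;
    }
}
```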
| Modifier and Type | Method and Description |
|---|---|
| void | afterPropertiesSet() |
| abstract org.springframework.security.core.Authentication | attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Performs actual authentication. |
| void | doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) Invokes the requiresAuthentication method to determine whether the request is for authentication and should be handled by this filter. |
| protected boolean | getAllowSessionCreation() |
| protected org.springframework.security.authentication.AuthenticationManager | getAuthenticationManager() |
| protected AuthenticationFailureHandler | getFailureHandler() |
| RememberMeServices | getRememberMeServices() |
| protected AuthenticationSuccessHandler | getSuccessHandler() |
| protected boolean | requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Indicates whether this filter should attempt to process a login request for the current invocation. |
| void | setAllowSessionCreation(boolean allowSessionCreation) |
| void | setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) |
| void | setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource) |
| void | setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler) |
| void | setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager) |
| void | setAuthenticationSuccessHandler(AuthenticationSuccessHandler successHandler) Sets the strategy used to handle a successful authentication. |
| void | setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication) Indicates if the filter chain should be continued prior to delegation to successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication), which may be useful in certain environments (such as Tapestry applications). |
| void | setFilterProcessesUrl(String filterProcessesUrl) Sets the URL that determines if authentication is required. |
| void | setMessageSource(MessageSource messageSource) |
| void | setRememberMeServices(RememberMeServices rememberMeServices) |
| void | setRequiresAuthenticationRequestMatcher(RequestMatcher requestMatcher) |
| void | setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionStrategy) The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager. |
| protected void | successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult) Default behaviour for successful authentication. |
| protected void | unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) Default behaviour for unsuccessful authentication. |
Methods inherited from class GenericFilterBean: addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Field Detail

protected ApplicationEventPublisher eventPublisher

protected org.springframework.security.authentication.AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource

protected MessageSourceAccessor messages

Constructor Detail

protected AbstractAuthenticationProcessingFilter(String defaultFilterProcessesUrl)
Parameters: defaultFilterProcessesUrl - the default value for filterProcessesUrl.

protected AbstractAuthenticationProcessingFilter(RequestMatcher requiresAuthenticationRequestMatcher)
Creates a new instance.
Parameters: requiresAuthenticationRequestMatcher - the RequestMatcher used to determine if authentication is required. Cannot be null.

Method Detail

public void afterPropertiesSet()
Specified by: afterPropertiesSet in interface InitializingBean
Overrides: afterPropertiesSet in class GenericFilterBean

public void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
Invokes the requiresAuthentication method to determine whether the request is for authentication and should be handled by this filter. If it is an authentication request, attemptAuthentication will be invoked to perform the authentication. There are then three possible outcomes:
1. An Authentication object is returned. The configured SessionAuthenticationStrategy will be invoked (to handle any session-related behaviour such as creating a new session to protect against session-fixation attacks), followed by the invocation of the successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) method.
2. An AuthenticationException occurs during authentication. The unsuccessfulAuthentication method will be invoked.
3. Null is returned, indicating that the authentication process is incomplete. The method then returns immediately, on the assumption that the subclass has done any work needed (such as a redirect) to continue the authentication process in a later request.
Specified by: doFilter in interface javax.servlet.Filter
Throws: IOException, javax.servlet.ServletException

protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Indicates whether this filter should attempt to process a login request for the current invocation. It strips any parameters from the "path" section of the request URL (such as the jsessionid parameter in http://host/myapp/index.html;jsessionid=blah) before matching against the filterProcessesUrl property. Subclasses may override for special requirements, such as Tapestry integration.
Returns: true if the filter should attempt authentication, false otherwise.

public abstract org.springframework.security.core.Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws org.springframework.security.core.AuthenticationException, IOException, javax.servlet.ServletException
Performs actual authentication. The implementation should do one of the following:
1. Return a populated Authentication token for the authenticated user, indicating successful authentication.
2. Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to continue the process (such as a redirect).
3. Throw an AuthenticationException if the authentication process fails.
Parameters: request - from which to extract parameters and perform the authentication
response - the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID).
Throws: org.springframework.security.core.AuthenticationException - if authentication fails.
IOException
javax.servlet.ServletException

protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult) throws IOException, javax.servlet.ServletException
Default behaviour for successful authentication:
1. Sets the successful Authentication object on the SecurityContextHolder.
2. Informs the configured RememberMeServices of the successful login.
3. Fires an InteractiveAuthenticationSuccessEvent via the configured ApplicationEventPublisher.
4. Delegates additional behaviour to the AuthenticationSuccessHandler.
Subclasses can override this method to continue the FilterChain after successful authentication.
Parameters: request -
response -
chain -
authResult - the object returned from the attemptAuthentication method.
Throws: IOException, javax.servlet.ServletException

protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) throws IOException, javax.servlet.ServletException
Default behaviour for unsuccessful authentication:
1. Clears the SecurityContextHolder.
2. Informs the configured RememberMeServices of the failed login.
3. Delegates additional behaviour to the AuthenticationFailureHandler.
Throws: IOException, javax.servlet.ServletException

protected org.springframework.security.authentication.AuthenticationManager getAuthenticationManager()

public void setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)

public void setFilterProcessesUrl(String filterProcessesUrl)
Sets the URL that determines if authentication is required.
Parameters: filterProcessesUrl -

public final void setRequiresAuthenticationRequestMatcher(RequestMatcher requestMatcher)

public RememberMeServices getRememberMeServices()

public void setRememberMeServices(RememberMeServices rememberMeServices)

public void setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication)
Indicates if the filter chain should be continued prior to delegation to successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication), which may be useful in certain environments (such as Tapestry applications). Defaults to false.

public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher)
Specified by: setApplicationEventPublisher in interface ApplicationEventPublisherAware

public void setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)

public void setMessageSource(MessageSource messageSource)
Specified by: setMessageSource in interface MessageSourceAware

protected boolean getAllowSessionCreation()

public void setAllowSessionCreation(boolean allowSessionCreation)

public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionStrategy)
The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager.
Parameters: sessionStrategy - the implementation to use. If not set, a null implementation is used.

public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler successHandler)
Sets the strategy used to handle a successful authentication. By default a SavedRequestAwareAuthenticationSuccessHandler is used.

public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)

protected AuthenticationSuccessHandler getSuccessHandler()

protected AuthenticationFailureHandler getFailureHandler()