org.springframework.security.web.authentication.www
Class BasicAuthenticationFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.www.BasicAuthenticationFilter
- All Implemented Interfaces:
- javax.servlet.Filter, BeanNameAware, DisposableBean, InitializingBean, ServletContextAware
public class BasicAuthenticationFilter
- extends GenericFilterBean
Processes an HTTP request's BASIC authorization headers, putting the result into the
SecurityContextHolder.
For a detailed background on what this filter is designed to process, refer to
RFC 1945, Section 11.1. Any realm name presented in
the HTTP request is ignored.
In summary, this filter is responsible for processing any request that has an HTTP request header of
Authorization with an authentication scheme of Basic and a Base64-encoded
username:password token. For example, to authenticate user "Aladdin" with password "open sesame" the
following header would be presented:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
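The header format described above, as an added stand-alone example (not part of the Spring Security Javadoc or source code). It covers the cases a parser has to handle: case-insensitive scheme match, malformed Base64, and a password that contains a colon. `BasicHeaderDemo` and `parse` are hypothetical names, and the charset argument stands in for the filter's `credentialsCharset` property.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration; class and method names are hypothetical, not Spring Security API.
public class BasicHeaderDemo {

    /** Returns {username, password}, or null when the header does not use the Basic scheme. */
    static String[] parse(String header, Charset credentialsCharset) {
        // Match the scheme name case-insensitively; leave other schemes to other filters.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            // Malformed Base64 should be treated as failed authentication by the caller.
            throw new IllegalArgumentException("Failed to decode basic authentication token", e);
        }
        // Base64 is reversible without any key: decoding yields the raw credentials.
        String token = new String(decoded, credentialsCharset);
        // Split on the FIRST colon only, because a password may itself contain ':'.
        int delim = token.indexOf(':');
        if (delim == -1) {
            throw new IllegalArgumentException("Invalid basic authentication token");
        }
        return new String[] { token.substring(0, delim), token.substring(delim + 1) };
    }

    public static void main(String[] args) {
        Charset cs = StandardCharsets.UTF_8;
        // Header value taken from the class description.
        String[] c = parse("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", cs);
        System.out.println(c[0] + " / " + c[1]);
        // Constructed input: lower-case scheme and a password containing a colon.
        String hdr = "basic " + Base64.getEncoder().encodeToString("svc:a:b".getBytes(cs));
        c = parse(hdr, cs);
        System.out.println(c[0] + " / " + c[1]);
        // Constructed input: a different scheme is not handled here.
        System.out.println(parse("Bearer abc", cs));
        // Constructed input: a token that is not valid Base64.
        try {
            parse("Basic !!!not-base64", cs);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```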
This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as
Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).
If authentication is successful, the resulting Authentication object will be placed into the
SecurityContextHolder.
If authentication fails and ignoreFailure is false (the default), an AuthenticationEntryPoint implementation is called.
Usually this should be BasicAuthenticationEntryPoint, which will prompt the user to
authenticate again via BASIC authentication.
Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still
transmits a password in clear text (Base64 is an encoding, not encryption) and as such is undesirable in many situations. Digest authentication is also
provided by Spring Security and should be used instead of Basic authentication wherever possible. See DigestAuthenticationFilter.
Note that if a RememberMeServices is set, this filter will automatically send back remember-me
details to the client. Therefore, subsequent requests will not need to present a BASIC authentication header as
they will be authenticated using the remember-me mechanism.
- Author:
- Ben Alex
- Methods inherited from class java.lang.Object:
- clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
BasicAuthenticationFilter
public BasicAuthenticationFilter()
afterPropertiesSet
public void afterPropertiesSet()
- Specified by:
afterPropertiesSet in interface InitializingBean
- Overrides:
afterPropertiesSet in class GenericFilterBean
doFilter
public void doFilter(javax.servlet.ServletRequest req,
javax.servlet.ServletResponse res,
javax.servlet.FilterChain chain)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
onSuccessfulAuthentication
protected void onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
org.springframework.security.core.Authentication authResult)
throws IOException
- Throws:
IOException
onUnsuccessfulAuthentication
protected void onUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
org.springframework.security.core.AuthenticationException failed)
throws IOException
- Throws:
IOException
getAuthenticationEntryPoint
protected AuthenticationEntryPoint getAuthenticationEntryPoint()
setAuthenticationEntryPoint
public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint)
getAuthenticationManager
protected org.springframework.security.authentication.AuthenticationManager getAuthenticationManager()
setAuthenticationManager
public void setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)
isIgnoreFailure
protected boolean isIgnoreFailure()
setIgnoreFailure
public void setIgnoreFailure(boolean ignoreFailure)
setAuthenticationDetailsSource
public void setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource authenticationDetailsSource)
setRememberMeServices
public void setRememberMeServices(RememberMeServices rememberMeServices)
setCredentialsCharset
public void setCredentialsCharset(String credentialsCharset)
getCredentialsCharset
protected String getCredentialsCharset(javax.servlet.http.HttpServletRequest httpRequest)