org.springframework.security.web.access.channel
Class ChannelProcessingFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.access.channel.ChannelProcessingFilter
- All Implemented Interfaces:
- javax.servlet.Filter, BeanNameAware, DisposableBean, InitializingBean, ServletContextAware
public class ChannelProcessingFilter
- extends GenericFilterBean
Ensures a web request is delivered over the required channel.
Internally uses a FilterInvocation to represent the request, allowing a
FilterInvocationSecurityMetadataSource to be used to lookup the attributes which apply.
Delegates the actual channel security decisions and necessary actions to the configured
ChannelDecisionManager. If a response is committed by the ChannelDecisionManager,
the filter chain will not proceed.
The most common usage is to ensure that a request takes place over HTTPS, where the
ChannelDecisionManagerImpl is configured with a SecureChannelProcessor and an
InsecureChannelProcessor. A typical configuration would be
<bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
<property name="channelDecisionManager" ref="channelDecisionManager"/>
<property name="securityMetadataSource">
<security:filter-security-metadata-source path-type="regex">
<security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
<security:intercept-url pattern="\A/login.jsp.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
<security:intercept-url pattern="\A/.*\Z" access="ANY_CHANNEL"/>
</security:filter-security-metadata-source>
</property>
</bean>
<bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
<property name="channelProcessors">
<list>
<ref bean="secureChannelProcessor"/>
<ref bean="insecureChannelProcessor"/>
</list>
</property>
</bean>
<bean id="secureChannelProcessor"
class="org.springframework.security.web.access.channel.SecureChannelProcessor"/>
<bean id="insecureChannelProcessor"
class="org.springframework.security.web.access.channel.InsecureChannelProcessor"/>
which would force the login form and any access to the /secure path to be made over HTTPS.
- Author:
- Ben Alex
| Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
ChannelProcessingFilter
public ChannelProcessingFilter()
afterPropertiesSet
public void afterPropertiesSet()
- Specified by:
afterPropertiesSet in interface InitializingBean- Overrides:
afterPropertiesSet in class GenericFilterBean
doFilter
public void doFilter(javax.servlet.ServletRequest req,
javax.servlet.ServletResponse res,
javax.servlet.FilterChain chain)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
getChannelDecisionManager
protected ChannelDecisionManager getChannelDecisionManager()
getSecurityMetadataSource
protected FilterInvocationSecurityMetadataSource getSecurityMetadataSource()
setChannelDecisionManager
public void setChannelDecisionManager(ChannelDecisionManager channelDecisionManager)
setSecurityMetadataSource
public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource filterInvocationSecurityMetadataSource)