AbstractProcessingFilter (Spring Security 2.0.6.RELEASE API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

Spring Security Framework

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.springframework.security.ui
Class AbstractProcessingFilter

java.lang.Object
  org.springframework.security.ui.SpringSecurityFilter
      org.springframework.security.ui.AbstractProcessingFilter

All Implemented Interfaces:: Filter, InitializingBean, ApplicationEventPublisherAware, MessageSourceAware, Ordered

Direct Known Subclasses:: AuthenticationProcessingFilter, CasProcessingFilter, OpenIDAuthenticationProcessingFilter

public abstract class AbstractProcessingFilter
extends SpringSecurityFilter
implements InitializingBean, ApplicationEventPublisherAware, MessageSourceAware
extends SpringSecurityFilter
implements InitializingBean, ApplicationEventPublisherAware, MessageSourceAware

Abstract processor of browser-based HTTP-based authentication requests.

This filter is responsible for processing authentication requests. If authentication is successful, the resulting Authentication object will be placed into the SecurityContext, which is guaranteed to have already been created by an earlier filter.

If authentication fails, the AuthenticationException will be placed into the HttpSession with the attribute defined by SPRING_SECURITY_LAST_EXCEPTION_KEY.

To use this filter, it is necessary to specify the following properties:

defaultTargetUrl indicates the URL that should be used for redirection if the HttpSession attribute named SPRING_SECURITY_SAVED_REQUEST_KEY does not indicate the target URL once authentication is completed successfully. eg: /. The defaultTargetUrl will be treated as relative to the web-app's context path, and should include the leading /. Alternatively, inclusion of a scheme name (eg http:// or https://) as the prefix will denote a fully-qualified URL and this is also supported. More complex behaviour can be implemented by using a customised TargetUrlResolver.
authenticationFailureUrl (optional) indicates the URL that should be used for redirection if the authentication request fails. eg: /login.jsp?login_error=1. If not configured, sendError will be called on the response, with the error code SC_UNAUTHORIZED.
filterProcessesUrl indicates the URL that this filter will respond to. This parameter varies by subclass.
alwaysUseDefaultTargetUrl causes successful authentication to always redirect to the defaultTargetUrl, even if the HttpSession attribute named SPRING_SECURITY_SAVED_REQUEST_KEY defines the intended target URL.

To configure this filter to redirect to specific pages as the result of specific AuthenticationExceptions you can do the following. Configure the exceptionMappings property in your application xml. This property is a java.util.Properties object that maps a fully-qualified exception class name to a redirection url target. For example:

  <property name="exceptionMappings">
    <props>
      <prop> key="org.springframework.security.BadCredentialsException">/bad_credentials.jsp</prop>
    </props>
  </property>

The example above would redirect all BadCredentialsExceptions thrown, to a page in the web-application called /bad_credentials.jsp.

Any AuthenticationException thrown that cannot be matched in the exceptionMappings will be redirected to the authenticationFailureUrl

If authentication is successful, an InteractiveAuthenticationSuccessEvent will be published to the application context. No events will be published if authentication was unsuccessful, because this would generally be recorded via an AuthenticationManager-specific application event.

The filter has an optional attribute invalidateSessionOnSuccessfulAuthentication that will invalidate the current session on successful authentication. This is to protect against session fixation attacks (see this Wikipedia article for more information). The behaviour is turned off by default. Additionally there is a property migrateInvalidatedSessionAttributes which tells if on session invalidation we are to migrate all session attributes from the old session to a newly created one. This is turned on by default, but not used unless invalidateSessionOnSuccessfulAuthentication is true. If you are using this feature in combination with concurrent session control, you should set the sessionRegistry property to make sure that the session information is updated consistently.

Version:: $Id$
Author:: Ben Alex

Field Summary
`protected AuthenticationDetailsSource`	`authenticationDetailsSource`
`protected ApplicationEventPublisher`	`eventPublisher`
`protected MessageSourceAccessor`	`messages`
`static String`	`SPRING_SECURITY_LAST_EXCEPTION_KEY`
`static String`	`SPRING_SECURITY_SAVED_REQUEST_KEY`

Fields inherited from class org.springframework.security.ui.SpringSecurityFilter
`logger`

Fields inherited from interface org.springframework.core.Ordered
`HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE`

Constructor Summary
`AbstractProcessingFilter()`

Method Summary
`void`	`afterPropertiesSet()`
`abstract Authentication`	`attemptAuthentication(HttpServletRequest request)` Performs actual authentication.
`protected String`	`determineFailureUrl(HttpServletRequest request, AuthenticationException failed)`
`protected String`	`determineTargetUrl(HttpServletRequest request)`
`void`	`doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)`
`protected boolean`	`getAllowSessionCreation()`
`AuthenticationDetailsSource`	`getAuthenticationDetailsSource()`
`String`	`getAuthenticationFailureUrl()`
`protected AuthenticationManager`	`getAuthenticationManager()`
`abstract String`	`getDefaultFilterProcessesUrl()` Specifies the default `filterProcessesUrl` for the implementation.
`String`	`getDefaultTargetUrl()` Supplies the default target Url that will be used if no saved request is found or the `alwaysUseDefaultTargetUrl` propert is set to true.
`protected Properties`	`getExceptionMappings()`
`String`	`getFilterProcessesUrl()`
`RememberMeServices`	`getRememberMeServices()`
`protected TargetUrlResolver`	`getTargetUrlResolver()`
`static String`	`obtainFullSavedRequestUrl(HttpServletRequest request)`
`protected void`	`onPreAuthentication(HttpServletRequest request, HttpServletResponse response)`
`protected void`	`onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult)`
`protected void`	`onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed)`
`protected boolean`	`requiresAuthentication(HttpServletRequest request, HttpServletResponse response)` Indicates whether this filter should attempt to process a login request for the current invocation.
`protected void`	`sendRedirect(HttpServletRequest request, HttpServletResponse response, String url)`
`void`	`setAllowSessionCreation(boolean allowSessionCreation)`
`void`	`setAlwaysUseDefaultTargetUrl(boolean alwaysUseDefaultTargetUrl)`
`void`	`setApplicationEventPublisher(ApplicationEventPublisher eventPublisher)`
`void`	`setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)`
`void`	`setAuthenticationFailureUrl(String authenticationFailureUrl)`
`void`	`setAuthenticationManager(AuthenticationManager authenticationManager)`
`void`	`setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication)`
`void`	`setDefaultTargetUrl(String defaultTargetUrl)`
`void`	`setExceptionMappings(Properties exceptionMappings)`
`void`	`setFilterProcessesUrl(String filterProcessesUrl)`
`void`	`setInvalidateSessionOnSuccessfulAuthentication(boolean invalidateSessionOnSuccessfulAuthentication)`
`void`	`setMessageSource(MessageSource messageSource)`
`void`	`setMigrateInvalidatedSessionAttributes(boolean migrateInvalidatedSessionAttributes)`
`void`	`setRememberMeServices(RememberMeServices rememberMeServices)`
`void`	`setServerSideRedirect(boolean serverSideRedirect)` Tells if we are to do a server side include of the error URL instead of a 302 redirect.
`void`	`setSessionRegistry(SessionRegistry sessionRegistry)` The session registry needs to be set if session fixation attack protection is in use (and concurrent session control is enabled).
`void`	`setTargetUrlResolver(TargetUrlResolver targetUrlResolver)`
`void`	`setUseRelativeContext(boolean useRelativeContext)`
`protected void`	`successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult)`
`protected void`	`unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed)`

Methods inherited from class org.springframework.security.ui.SpringSecurityFilter
`destroy, doFilter, init, toString`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait`

Methods inherited from interface org.springframework.core.Ordered
`getOrder`

Field Detail

SPRING_SECURITY_SAVED_REQUEST_KEY

public static final String SPRING_SECURITY_SAVED_REQUEST_KEY

See Also:: Constant Field Values

SPRING_SECURITY_LAST_EXCEPTION_KEY

public static final String SPRING_SECURITY_LAST_EXCEPTION_KEY

See Also:: Constant Field Values

eventPublisher

protected ApplicationEventPublisher eventPublisher

authenticationDetailsSource

protected AuthenticationDetailsSource authenticationDetailsSource

messages

protected MessageSourceAccessor messages

Constructor Detail

AbstractProcessingFilter

public AbstractProcessingFilter()

Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception

Specified by:: afterPropertiesSet in interface InitializingBean

Throws:: Exception

attemptAuthentication

public abstract Authentication attemptAuthentication(HttpServletRequest request)
                                              throws AuthenticationException

Performs actual authentication.

Parameters:: request - from which to extract parameters and perform the authentication
Returns:: the authenticated user
Throws:: AuthenticationException - if authentication fails

doFilterHttp

public void doFilterHttp(HttpServletRequest request,
                         HttpServletResponse response,
                         FilterChain chain)
                  throws IOException,
                         ServletException

Specified by:: doFilterHttp in class SpringSecurityFilter

Throws:: IOException; ServletException

obtainFullSavedRequestUrl

public static String obtainFullSavedRequestUrl(HttpServletRequest request)

onPreAuthentication

protected void onPreAuthentication(HttpServletRequest request,
                                   HttpServletResponse response)
                            throws AuthenticationException,
                                   IOException

Throws:: AuthenticationException; IOException

onSuccessfulAuthentication

protected void onSuccessfulAuthentication(HttpServletRequest request,
                                          HttpServletResponse response,
                                          Authentication authResult)
                                   throws IOException

Throws:: IOException

onUnsuccessfulAuthentication

protected void onUnsuccessfulAuthentication(HttpServletRequest request,
                                            HttpServletResponse response,
                                            AuthenticationException failed)
                                     throws IOException

Throws:: IOException

requiresAuthentication

protected boolean requiresAuthentication(HttpServletRequest request,
                                         HttpServletResponse response)

Indicates whether this filter should attempt to process a login request for the current invocation.

It strips any parameters from the "path" section of the request URL (such as the jsessionid parameter in http://host/myapp/index.html;jsessionid=blah) before matching against the filterProcessesUrl property.

Subclasses may override for special requirements, such as Tapestry integration.

Parameters:: request - as received from the filter chain; response - as received from the filter chain
Returns:: true if the filter should attempt authentication, false otherwise

sendRedirect

protected void sendRedirect(HttpServletRequest request,
                            HttpServletResponse response,
                            String url)
                     throws IOException

Throws:: IOException

successfulAuthentication

protected void successfulAuthentication(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authResult)
                                 throws IOException,
                                        ServletException

Throws:: IOException; ServletException

determineTargetUrl

protected String determineTargetUrl(HttpServletRequest request)

unsuccessfulAuthentication

protected void unsuccessfulAuthentication(HttpServletRequest request,
                                          HttpServletResponse response,
                                          AuthenticationException failed)
                                   throws IOException,
                                          ServletException

Throws:: IOException; ServletException

determineFailureUrl

protected String determineFailureUrl(HttpServletRequest request,
                                     AuthenticationException failed)

getAuthenticationFailureUrl

public String getAuthenticationFailureUrl()

setAuthenticationFailureUrl

public void setAuthenticationFailureUrl(String authenticationFailureUrl)

getAuthenticationManager

protected AuthenticationManager getAuthenticationManager()

setAuthenticationManager

public void setAuthenticationManager(AuthenticationManager authenticationManager)

getDefaultFilterProcessesUrl

public abstract String getDefaultFilterProcessesUrl()

Specifies the default filterProcessesUrl for the implementation.

Returns:: the default filterProcessesUrl

getDefaultTargetUrl

public String getDefaultTargetUrl()

Supplies the default target Url that will be used if no saved request is found or the alwaysUseDefaultTargetUrl propert is set to true. Override this method of you want to provide a customized default Url (for example if you want different Urls depending on the authorities of the user who has just logged in).

Returns:: the defaultTargetUrl property

setDefaultTargetUrl

public void setDefaultTargetUrl(String defaultTargetUrl)

getExceptionMappings

protected Properties getExceptionMappings()

setExceptionMappings

public void setExceptionMappings(Properties exceptionMappings)

getFilterProcessesUrl

public String getFilterProcessesUrl()

setFilterProcessesUrl

public void setFilterProcessesUrl(String filterProcessesUrl)

getRememberMeServices

public RememberMeServices getRememberMeServices()

setRememberMeServices

public void setRememberMeServices(RememberMeServices rememberMeServices)

setAlwaysUseDefaultTargetUrl

public void setAlwaysUseDefaultTargetUrl(boolean alwaysUseDefaultTargetUrl)

setContinueChainBeforeSuccessfulAuthentication

public void setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication)

setApplicationEventPublisher

public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher)

Specified by:: setApplicationEventPublisher in interface ApplicationEventPublisherAware

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)

setMessageSource

public void setMessageSource(MessageSource messageSource)

Specified by:: setMessageSource in interface MessageSourceAware

setInvalidateSessionOnSuccessfulAuthentication

public void setInvalidateSessionOnSuccessfulAuthentication(boolean invalidateSessionOnSuccessfulAuthentication)

setMigrateInvalidatedSessionAttributes

public void setMigrateInvalidatedSessionAttributes(boolean migrateInvalidatedSessionAttributes)

getAuthenticationDetailsSource

public AuthenticationDetailsSource getAuthenticationDetailsSource()

setUseRelativeContext

public void setUseRelativeContext(boolean useRelativeContext)

getAllowSessionCreation

protected boolean getAllowSessionCreation()

setAllowSessionCreation

public void setAllowSessionCreation(boolean allowSessionCreation)

getTargetUrlResolver

protected TargetUrlResolver getTargetUrlResolver()

Returns:: the targetUrlResolver

setTargetUrlResolver

public void setTargetUrlResolver(TargetUrlResolver targetUrlResolver)

Parameters:: targetUrlResolver - the targetUrlResolver to set

setServerSideRedirect

public void setServerSideRedirect(boolean serverSideRedirect)

Tells if we are to do a server side include of the error URL instead of a 302 redirect.

Parameters:: serverSideRedirect -

setSessionRegistry

public void setSessionRegistry(SessionRegistry sessionRegistry)

The session registry needs to be set if session fixation attack protection is in use (and concurrent session control is enabled).