Spring Security Framework
java.lang.Object
    org.springframework.security.ui.SpringSecurityFilter
        org.springframework.security.ui.AbstractProcessingFilter

public abstract class AbstractProcessingFilter
extends SpringSecurityFilter
implements InitializingBean, ApplicationEventPublisherAware, MessageSourceAware

Abstract processor of browser-based HTTP-based authentication requests.

This filter is responsible for processing authentication requests. If authentication is successful, the resulting Authentication object will be placed into the SecurityContext, which is guaranteed to have already been created by an earlier filter.

If authentication fails, the AuthenticationException will be placed into the HttpSession with the attribute defined by SPRING_SECURITY_LAST_EXCEPTION_KEY.
To use this filter, it is necessary to specify the following properties:

- defaultTargetUrl indicates the URL that should be used for redirection if the HttpSession attribute named SPRING_SECURITY_SAVED_REQUEST_KEY does not indicate the target URL once authentication is completed successfully. eg: /. The defaultTargetUrl will be treated as relative to the web-app's context path, and should include the leading /. Alternatively, inclusion of a scheme name (eg http:// or https://) as the prefix will denote a fully-qualified URL and this is also supported. More complex behaviour can be implemented by using a customised TargetUrlResolver.
- authenticationFailureUrl (optional) indicates the URL that should be used for redirection if the authentication request fails. eg: /login.jsp?login_error=1. If not configured, sendError will be called on the response, with the error code SC_UNAUTHORIZED.
- filterProcessesUrl indicates the URL that this filter will respond to. This parameter varies by subclass.
- alwaysUseDefaultTargetUrl causes successful authentication to always redirect to the defaultTargetUrl, even if the HttpSession attribute named SPRING_SECURITY_SAVED_REQUEST_KEY defines the intended target URL.
To configure this filter to redirect to specific pages as the result of specific AuthenticationExceptions you can do the following. Configure the exceptionMappings property in your application xml. This property is a java.util.Properties object that maps a fully-qualified exception class name to a redirection url target. For example:

<property name="exceptionMappings">
    <props>
        <prop key="org.springframework.security.BadCredentialsException">/bad_credentials.jsp</prop>
    </props>
</property>

The example above would redirect all BadCredentialsExceptions thrown to a page in the web-application called /bad_credentials.jsp. Any AuthenticationException thrown that cannot be matched in the exceptionMappings will be redirected to the authenticationFailureUrl.
If authentication is successful, an InteractiveAuthenticationSuccessEvent will be published to the application context. No events will be published if authentication was unsuccessful, because this would generally be recorded via an AuthenticationManager-specific application event.
The filter has an optional attribute invalidateSessionOnSuccessfulAuthentication that will invalidate the current session on successful authentication. This is to protect against session fixation attacks (see the Wikipedia article on session fixation for more information). The behaviour is turned off by default. Additionally there is a property migrateInvalidatedSessionAttributes which controls whether, on session invalidation, all session attributes are migrated from the old session to the newly created one. This is turned on by default, but not used unless invalidateSessionOnSuccessfulAuthentication is true. If you are using this feature in combination with concurrent session control, you should set the sessionRegistry property to make sure that the session information is updated consistently.
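The following is an added example and not code from the Spring Security project: a minimal concrete subclass of AbstractProcessingFilter together with a factory method that applies the properties described above programmatically (the same settings the class description shows as bean properties in XML). It assumes Spring Security 2.x package names for classes not shown on this page (UsernamePasswordAuthenticationToken, SessionRegistry, FilterChainOrder), that AuthenticationDetailsSource exposes buildDetails(Object), and that getOrder() must be supplied by the subclass because the page lists it only as inherited from the Ordered interface. The filter URL and request parameter names are this example's own choices.

```java
// Added example, not Spring Security's own code. Packages for classes not
// named on the page (UsernamePasswordAuthenticationToken, SessionRegistry,
// FilterChainOrder) are assumed from Spring Security 2.x.
package example;

import java.util.Properties;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.concurrent.SessionRegistry;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.ui.AbstractProcessingFilter;
import org.springframework.security.ui.FilterChainOrder;

public class ExampleLoginFilter extends AbstractProcessingFilter {

    // Parameter names are this example's own choice, not a framework default.
    static final String USERNAME_PARAM = "username";
    static final String PASSWORD_PARAM = "password";

    // The URL this filter responds to, relative to the context path.
    public String getDefaultFilterProcessesUrl() {
        return "/login_check";
    }

    // Position in the filter chain; constant assumed from Spring Security 2.x.
    public int getOrder() {
        return FilterChainOrder.AUTHENTICATION_PROCESSING_FILTER;
    }

    // Extract credentials from the request and delegate the decision to the
    // configured AuthenticationManager. Throwing an AuthenticationException
    // routes the request through the exceptionMappings / failure URL handling.
    public Authentication attemptAuthentication(HttpServletRequest request)
            throws AuthenticationException {
        String username = request.getParameter(USERNAME_PARAM);
        String password = request.getParameter(PASSWORD_PARAM);
        if (username == null || password == null) {
            throw new BadCredentialsException("Missing credentials");
        }
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username.trim(), password);
        // Record request details (remote address, session id) on the token via
        // the protected authenticationDetailsSource field; buildDetails(Object)
        // signature assumed.
        token.setDetails(authenticationDetailsSource.buildDetails(request));
        return getAuthenticationManager().authenticate(token);
    }

    // Programmatic equivalent of the bean properties listed in the class
    // description.
    public static ExampleLoginFilter configure(AuthenticationManager manager,
                                               SessionRegistry registry) throws Exception {
        ExampleLoginFilter filter = new ExampleLoginFilter();
        filter.setAuthenticationManager(manager);
        filter.setFilterProcessesUrl(filter.getDefaultFilterProcessesUrl());
        filter.setDefaultTargetUrl("/");
        filter.setAuthenticationFailureUrl("/login.jsp?login_error=1");

        // Exception class name -> redirect target. Anything not listed falls
        // back to authenticationFailureUrl.
        Properties mappings = new Properties();
        mappings.setProperty("org.springframework.security.BadCredentialsException",
                "/bad_credentials.jsp");
        filter.setExceptionMappings(mappings);

        // Session fixation protection: drop the pre-login session id and carry
        // its attributes into the fresh session. Both are off/unused by default
        // unless invalidateSessionOnSuccessfulAuthentication is true.
        filter.setInvalidateSessionOnSuccessfulAuthentication(true);
        filter.setMigrateInvalidatedSessionAttributes(true);
        // Needed with concurrent session control so the registry tracks the
        // new session id rather than the invalidated one.
        filter.setSessionRegistry(registry);

        filter.afterPropertiesSet(); // validates the required properties
        return filter;
    }
}
```

The filter is then registered in the filter chain exactly as the built-in processing filters are; the only behaviour the subclass supplies is attemptAuthentication(), getDefaultFilterProcessesUrl() and getOrder(), while redirection, exception mapping, event publishing and session invalidation come from AbstractProcessingFilter.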
Field Summary

protected AuthenticationDetailsSource authenticationDetailsSource
protected ApplicationEventPublisher eventPublisher
protected MessageSourceAccessor messages
static String SPRING_SECURITY_LAST_EXCEPTION_KEY
static String SPRING_SECURITY_SAVED_REQUEST_KEY

Fields inherited from class org.springframework.security.ui.SpringSecurityFilter:
logger

Fields inherited from interface org.springframework.core.Ordered:
HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE

Constructor Summary

AbstractProcessingFilter()

Methods inherited from class org.springframework.security.ui.SpringSecurityFilter:
destroy, doFilter, init, toString

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.springframework.core.Ordered:
getOrder
Field Detail

public static final String SPRING_SECURITY_SAVED_REQUEST_KEY
public static final String SPRING_SECURITY_LAST_EXCEPTION_KEY
protected ApplicationEventPublisher eventPublisher
protected AuthenticationDetailsSource authenticationDetailsSource
protected MessageSourceAccessor messages

Constructor Detail

public AbstractProcessingFilter()
Method Detail

public void afterPropertiesSet() throws Exception
    Specified by: afterPropertiesSet in interface InitializingBean
    Throws: Exception

public abstract Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException
    Parameters: request - from which to extract parameters and perform the authentication
    Throws: AuthenticationException - if authentication fails

public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException
    Specified by: doFilterHttp in class SpringSecurityFilter
    Throws: IOException, ServletException

public static String obtainFullSavedRequestUrl(HttpServletRequest request)

protected void onPreAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException
    Throws: AuthenticationException, IOException

protected void onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) throws IOException
    Throws: IOException

protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException
    Throws: IOException
protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response)
    Indicates whether this filter should attempt to process a login request for the current invocation.
    It strips any parameters from the "path" section of the request URL (such as the jsessionid parameter in http://host/myapp/index.html;jsessionid=blah) before matching against the filterProcessesUrl property.
    Subclasses may override for special requirements, such as Tapestry integration.
    Parameters: request - as received from the filter chain; response - as received from the filter chain
    Returns: true if the filter should attempt authentication, false otherwise

protected void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException
    Throws: IOException
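The matching rule documented for requiresAuthentication() above, as an added stand-alone illustration that is not Spring Security's implementation: path parameters such as ;jsessionid=... are removed from every path segment before the request path is compared with filterProcessesUrl, so a login request carrying a URL-encoded session id still reaches the filter while other paths do not. The class and method names, the exact-match policy after removing the context path, and the sample URIs are this example's own choices; the framework's own comparison may differ in detail.

```java
// Added example, not framework code: demonstrates stripping ";name=value" path
// parameters before matching a request path against filterProcessesUrl.
package example;

public class FilterProcessesUrlMatcher {

    // The configured filterProcessesUrl, relative to the context path.
    private final String filterProcessesUrl;

    public FilterProcessesUrlMatcher(String filterProcessesUrl) {
        this.filterProcessesUrl = filterProcessesUrl;
    }

    // Removes the context path and any ";name=value" path parameters from a
    // request URI, leaving only the servlet-relative path. Path parameters may
    // follow any segment (e.g. "/a;x=1/b"), so each segment is cut at its ';'.
    static String stripContextAndPathParams(String contextPath, String requestUri) {
        String path = requestUri;
        if (contextPath != null && contextPath.length() > 0 && path.startsWith(contextPath)) {
            path = path.substring(contextPath.length());
        }
        String[] segments = path.split("/", -1);
        StringBuffer out = new StringBuffer();
        for (int i = 0; i < segments.length; i++) {
            if (i > 0) {
                out.append('/');
            }
            int semi = segments[i].indexOf(';');
            out.append(semi >= 0 ? segments[i].substring(0, semi) : segments[i]);
        }
        return out.toString();
    }

    // True if the request addresses this filter, regardless of path parameters.
    public boolean requiresAuthentication(String contextPath, String requestUri) {
        return filterProcessesUrl.equals(stripContextAndPathParams(contextPath, requestUri));
    }

    public static void main(String[] args) {
        FilterProcessesUrlMatcher matcher = new FilterProcessesUrlMatcher("/login_check");
        // Constructed inputs: {contextPath, requestURI}.
        String[][] samples = {
            {"/myapp", "/myapp/login_check"},
            {"/myapp", "/myapp/login_check;jsessionid=blah"},
            {"/myapp", "/myapp/index.html;jsessionid=blah"},
            {"/myapp", "/myapp;jsessionid=blah/login_check"},
            {"",       "/login_check;jsessionid=blah"},
        };
        for (int i = 0; i < samples.length; i++) {
            System.out.println(samples[i][1] + " -> "
                    + matcher.requiresAuthentication(samples[i][0], samples[i][1]));
        }
    }
}
```

Of the constructed samples, only the index.html request does not match; the others all resolve to /login_check once the context path and path parameters are removed, which is the behaviour the documented rule guarantees for a servlet container that rewrites session ids into the URL.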
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) throws IOException, ServletException
    Throws: IOException, ServletException

protected String determineTargetUrl(HttpServletRequest request)

protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException
    Throws: IOException, ServletException

protected String determineFailureUrl(HttpServletRequest request, AuthenticationException failed)

public String getAuthenticationFailureUrl()

public void setAuthenticationFailureUrl(String authenticationFailureUrl)

protected AuthenticationManager getAuthenticationManager()

public void setAuthenticationManager(AuthenticationManager authenticationManager)

public abstract String getDefaultFilterProcessesUrl()
    Returns: the filterProcessesUrl for the implementation.

public String getDefaultTargetUrl()

public void setDefaultTargetUrl(String defaultTargetUrl)

protected Properties getExceptionMappings()

public void setExceptionMappings(Properties exceptionMappings)

public String getFilterProcessesUrl()

public void setFilterProcessesUrl(String filterProcessesUrl)

public RememberMeServices getRememberMeServices()

public void setRememberMeServices(RememberMeServices rememberMeServices)

public void setAlwaysUseDefaultTargetUrl(boolean alwaysUseDefaultTargetUrl)

public void setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication)

public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher)
    Specified by: setApplicationEventPublisher in interface ApplicationEventPublisherAware

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)

public void setMessageSource(MessageSource messageSource)
    Specified by: setMessageSource in interface MessageSourceAware

public void setInvalidateSessionOnSuccessfulAuthentication(boolean invalidateSessionOnSuccessfulAuthentication)

public void setMigrateInvalidatedSessionAttributes(boolean migrateInvalidatedSessionAttributes)

public AuthenticationDetailsSource getAuthenticationDetailsSource()

public void setUseRelativeContext(boolean useRelativeContext)

protected boolean getAllowSessionCreation()

public void setAllowSessionCreation(boolean allowSessionCreation)

protected TargetUrlResolver getTargetUrlResolver()

public void setTargetUrlResolver(TargetUrlResolver targetUrlResolver)
    Parameters: targetUrlResolver - the targetUrlResolver to set

public void setServerSideRedirect(boolean serverSideRedirect)
    Parameters: serverSideRedirect -

public void setSessionRegistry(SessionRegistry sessionRegistry)