org.springframework.security.ui

Class AbstractProcessingFilter

java.lang.Object

org.springframework.security.ui.SpringSecurityFilter

org.springframework.security.ui.AbstractProcessingFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.MessageSourceAware, org.springframework.core.Ordered

Direct Known Subclasses:

AuthenticationProcessingFilter

public abstract class AbstractProcessingFilter
extends SpringSecurityFilter
implements org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.MessageSourceAware

Abstract processor of browser-based HTTP-based authentication requests.

This filter is responsible for processing authentication requests. If authentication is successful, the resulting Authentication object will be placed into the SecurityContext, which is guaranteed to have already been created by an earlier filter.

If authentication fails, the AuthenticationException will be placed into the HttpSession with the attribute defined by SPRING_SECURITY_LAST_EXCEPTION_KEY.

To use this filter, it is necessary to specify the following properties:

• defaultTargetUrl indicates the URL that should be used for redirection if the HttpSession attribute named SPRING_SECURITY_SAVED_REQUEST_KEY does not indicate the target URL once authentication is completed successfully. eg: /. The defaultTargetUrl will be treated as relative to the web-app's context path, and should include the leading /. Alternatively, inclusion of a scheme name (eg http:// or https://) as the prefix will denote a fully-qualified URL and this is also supported. More complex behaviour can be implemented by using a customised TargetUrlResolver.
• authenticationFailureUrl (optional) indicates the URL that should be used for redirection if the authentication request fails. eg: /login.jsp?login_error=1. If not configured, sendError will be called on the response, with the error code SC_UNAUTHORIZED.
• filterProcessesUrl indicates the URL that this filter will respond to. This parameter varies by subclass.
• alwaysUseDefaultTargetUrl causes successful authentication to always redirect to the defaultTargetUrl, even if the HttpSession attribute named SPRING_SECURITY_SAVED_REQUEST_KEY defines the intended target URL.

To configure this filter to redirect to specific pages as the result of specific AuthenticationExceptions you can do the following. Configure the exceptionMappings property in your application xml. This property is a java.util.Properties object that maps a fully-qualified exception class name to a redirection url target. For example:

  <property name="exceptionMappings">
    <props>
      <prop> key="org.springframework.security.BadCredentialsException">/bad_credentials.jsp</prop>
    </props>
  </property>
 

The example above would redirect all BadCredentialsExceptions thrown, to a page in the web-application called /bad_credentials.jsp.

Any AuthenticationException thrown that cannot be matched in the exceptionMappings will be redirected to the authenticationFailureUrl

If authentication is successful, an InteractiveAuthenticationSuccessEvent will be published to the application context. No events will be published if authentication was unsuccessful, because this would generally be recorded via an AuthenticationManager-specific application event.

The filter has an optional attribute invalidateSessionOnSuccessfulAuthentication that will invalidate the current session on successful authentication. This is to protect against session fixation attacks (see this Wikipedia article for more information). The behaviour is turned off by default. Additionally there is a property migrateInvalidatedSessionAttributes which tells if on session invalidation we are to migrate all session attributes from the old session to a newly created one. This is turned on by default, but not used unless invalidateSessionOnSuccessfulAuthentication is true. If you are using this feature in combination with concurrent session control, you should set the sessionRegistry property to make sure that the session information is updated consistently.

Version:

$Id$

Author:

Ben Alex

Field Summary

Fields

Modifier and Type	Field and Description
protected AuthenticationDetailsSource	authenticationDetailsSource
protected org.springframework.context.ApplicationEventPublisher	eventPublisher
protected org.springframework.context.support.MessageSourceAccessor	messages
static java.lang.String	SPRING_SECURITY_LAST_EXCEPTION_KEY
static java.lang.String	SPRING_SECURITY_SAVED_REQUEST_KEY

Fields inherited from class org.springframework.security.ui.SpringSecurityFilter

logger

Fields inherited from interface org.springframework.core.Ordered

HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE

Constructor Summary

Constructors

Constructor and Description
AbstractProcessingFilter()

Method Summary

Methods

Modifier and Type	Method and Description
void	afterPropertiesSet()
abstract Authentication	attemptAuthentication(javax.servlet.http.HttpServletRequest request) Performs actual authentication.
protected java.lang.String	determineFailureUrl(javax.servlet.http.HttpServletRequest request, AuthenticationException failed)
protected java.lang.String	determineTargetUrl(javax.servlet.http.HttpServletRequest request)
void	doFilterHttp(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
protected boolean	getAllowSessionCreation()
AuthenticationDetailsSource	getAuthenticationDetailsSource()
java.lang.String	getAuthenticationFailureUrl()
protected AuthenticationManager	getAuthenticationManager()
abstract java.lang.String	getDefaultFilterProcessesUrl() Specifies the default filterProcessesUrl for the implementation.
java.lang.String	getDefaultTargetUrl() Supplies the default target Url that will be used if no saved request is found or the alwaysUseDefaultTargetUrl propert is set to true.
protected java.util.Properties	getExceptionMappings()
java.lang.String	getFilterProcessesUrl()
RememberMeServices	getRememberMeServices()
protected TargetUrlResolver	getTargetUrlResolver()
static java.lang.String	obtainFullSavedRequestUrl(javax.servlet.http.HttpServletRequest request)
protected void	onPreAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void	onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authResult)
protected void	onUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationException failed)
protected boolean	requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Indicates whether this filter should attempt to process a login request for the current invocation.
protected void	sendRedirect(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String url)
void	setAllowSessionCreation(boolean allowSessionCreation)
void	setAlwaysUseDefaultTargetUrl(boolean alwaysUseDefaultTargetUrl)
void	setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher eventPublisher)
void	setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
void	setAuthenticationFailureUrl(java.lang.String authenticationFailureUrl)
void	setAuthenticationManager(AuthenticationManager authenticationManager)
void	setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication)
void	setDefaultTargetUrl(java.lang.String defaultTargetUrl)
void	setExceptionMappings(java.util.Properties exceptionMappings)
void	setFilterProcessesUrl(java.lang.String filterProcessesUrl)
void	setInvalidateSessionOnSuccessfulAuthentication(boolean invalidateSessionOnSuccessfulAuthentication)
void	setMessageSource(org.springframework.context.MessageSource messageSource)
void	setMigrateInvalidatedSessionAttributes(boolean migrateInvalidatedSessionAttributes)
void	setRememberMeServices(RememberMeServices rememberMeServices)
void	setServerSideRedirect(boolean serverSideRedirect) Tells if we are to do a server side include of the error URL instead of a 302 redirect.
void	setSessionRegistry(SessionRegistry sessionRegistry) The session registry needs to be set if session fixation attack protection is in use (and concurrent session control is enabled).
void	setTargetUrlResolver(TargetUrlResolver targetUrlResolver)
void	setUseRelativeContext(boolean useRelativeContext)
protected void	successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authResult)
protected void	unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationException failed)

Methods inherited from class org.springframework.security.ui.SpringSecurityFilter

destroy, doFilter, init, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.springframework.core.Ordered

getOrder

Field Detail

SPRING_SECURITY_SAVED_REQUEST_KEY

public static final java.lang.String SPRING_SECURITY_SAVED_REQUEST_KEY

See Also:

Constant Field Values

SPRING_SECURITY_LAST_EXCEPTION_KEY

public static final java.lang.String SPRING_SECURITY_LAST_EXCEPTION_KEY

See Also:

Constant Field Values

eventPublisher

protected org.springframework.context.ApplicationEventPublisher eventPublisher

authenticationDetailsSource

protected AuthenticationDetailsSource authenticationDetailsSource

messages

protected org.springframework.context.support.MessageSourceAccessor messages

Constructor Detail

AbstractProcessingFilter

public AbstractProcessingFilter()

Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws java.lang.Exception

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Throws:

java.lang.Exception

attemptAuthentication

public abstract Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request)
                                              throws AuthenticationException

Performs actual authentication.

Parameters:

request - from which to extract parameters and perform the authentication

Returns:

the authenticated user

Throws:

AuthenticationException - if authentication fails

doFilterHttp

public void doFilterHttp(javax.servlet.http.HttpServletRequest request,
                javax.servlet.http.HttpServletResponse response,
                javax.servlet.FilterChain chain)
                  throws java.io.IOException,
                         javax.servlet.ServletException

Specified by:

doFilterHttp in class SpringSecurityFilter

Throws:

java.io.IOException

javax.servlet.ServletException

obtainFullSavedRequestUrl

public static java.lang.String obtainFullSavedRequestUrl(javax.servlet.http.HttpServletRequest request)

onPreAuthentication

protected void onPreAuthentication(javax.servlet.http.HttpServletRequest request,
                       javax.servlet.http.HttpServletResponse response)
                            throws AuthenticationException,
                                   java.io.IOException

Throws:

AuthenticationException

java.io.IOException

onSuccessfulAuthentication

protected void onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response,
                              Authentication authResult)
                                   throws java.io.IOException

Throws:

java.io.IOException

onUnsuccessfulAuthentication

protected void onUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                AuthenticationException failed)
                                     throws java.io.IOException

Throws:

java.io.IOException

requiresAuthentication

protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request,
                             javax.servlet.http.HttpServletResponse response)

Indicates whether this filter should attempt to process a login request for the current invocation.

It strips any parameters from the "path" section of the request URL (such as the jsessionid parameter in http://host/myapp/index.html;jsessionid=blah) before matching against the filterProcessesUrl property.

Subclasses may override for special requirements, such as Tapestry integration.

Parameters:

request - as received from the filter chain

response - as received from the filter chain

Returns:

true if the filter should attempt authentication, false otherwise

sendRedirect

protected void sendRedirect(javax.servlet.http.HttpServletRequest request,
                javax.servlet.http.HttpServletResponse response,
                java.lang.String url)
                     throws java.io.IOException

Throws:

java.io.IOException

successfulAuthentication

protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request,
                            javax.servlet.http.HttpServletResponse response,
                            Authentication authResult)
                                 throws java.io.IOException,
                                        javax.servlet.ServletException

Throws:

java.io.IOException

javax.servlet.ServletException

determineTargetUrl

protected java.lang.String determineTargetUrl(javax.servlet.http.HttpServletRequest request)

unsuccessfulAuthentication

protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response,
                              AuthenticationException failed)
                                   throws java.io.IOException,
                                          javax.servlet.ServletException

Throws:

java.io.IOException

javax.servlet.ServletException

determineFailureUrl

protected java.lang.String determineFailureUrl(javax.servlet.http.HttpServletRequest request,
                                   AuthenticationException failed)

getAuthenticationFailureUrl

public java.lang.String getAuthenticationFailureUrl()

setAuthenticationFailureUrl

public void setAuthenticationFailureUrl(java.lang.String authenticationFailureUrl)

getAuthenticationManager

protected AuthenticationManager getAuthenticationManager()

setAuthenticationManager

public void setAuthenticationManager(AuthenticationManager authenticationManager)

getDefaultFilterProcessesUrl

public abstract java.lang.String getDefaultFilterProcessesUrl()

Specifies the default filterProcessesUrl for the implementation.

Returns:

the default filterProcessesUrl

getDefaultTargetUrl

public java.lang.String getDefaultTargetUrl()

Supplies the default target Url that will be used if no saved request is found or the alwaysUseDefaultTargetUrl propert is set to true. Override this method of you want to provide a customized default Url (for example if you want different Urls depending on the authorities of the user who has just logged in).

Returns:

the defaultTargetUrl property

setDefaultTargetUrl

public void setDefaultTargetUrl(java.lang.String defaultTargetUrl)

getExceptionMappings

protected java.util.Properties getExceptionMappings()

setExceptionMappings

public void setExceptionMappings(java.util.Properties exceptionMappings)

getFilterProcessesUrl

public java.lang.String getFilterProcessesUrl()

setFilterProcessesUrl

public void setFilterProcessesUrl(java.lang.String filterProcessesUrl)

getRememberMeServices

public RememberMeServices getRememberMeServices()

setRememberMeServices

public void setRememberMeServices(RememberMeServices rememberMeServices)

setAlwaysUseDefaultTargetUrl

public void setAlwaysUseDefaultTargetUrl(boolean alwaysUseDefaultTargetUrl)

setContinueChainBeforeSuccessfulAuthentication

public void setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication)

setApplicationEventPublisher

public void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher eventPublisher)

Specified by:

setApplicationEventPublisher in interface org.springframework.context.ApplicationEventPublisherAware

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)

setMessageSource

public void setMessageSource(org.springframework.context.MessageSource messageSource)

Specified by:

setMessageSource in interface org.springframework.context.MessageSourceAware

setInvalidateSessionOnSuccessfulAuthentication

public void setInvalidateSessionOnSuccessfulAuthentication(boolean invalidateSessionOnSuccessfulAuthentication)

setMigrateInvalidatedSessionAttributes

public void setMigrateInvalidatedSessionAttributes(boolean migrateInvalidatedSessionAttributes)

getAuthenticationDetailsSource

public AuthenticationDetailsSource getAuthenticationDetailsSource()

setUseRelativeContext

public void setUseRelativeContext(boolean useRelativeContext)

getAllowSessionCreation

protected boolean getAllowSessionCreation()

setAllowSessionCreation

public void setAllowSessionCreation(boolean allowSessionCreation)

getTargetUrlResolver

protected TargetUrlResolver getTargetUrlResolver()

Returns:

the targetUrlResolver

setTargetUrlResolver

public void setTargetUrlResolver(TargetUrlResolver targetUrlResolver)

Parameters:

targetUrlResolver - the targetUrlResolver to set

setServerSideRedirect

public void setServerSideRedirect(boolean serverSideRedirect)

Tells if we are to do a server side include of the error URL instead of a 302 redirect.

Parameters:

serverSideRedirect -

setSessionRegistry

public void setSessionRegistry(SessionRegistry sessionRegistry)

The session registry needs to be set if session fixation attack protection is in use (and concurrent session control is enabled).