java.lang.Object
  ↳ org.springframework.web.filter.GenericFilterBean
    ↳ org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
Abstract processor of browser-based HTTP-based authentication requests.

This filter will intercept a request and attempt to perform authentication from that request if the request URL matches the value of the filterProcessesUrl property. This behaviour can be modified by overriding the method requiresAuthentication.

Authentication is performed by the attemptAuthentication method, which must be implemented by subclasses.

If authentication is successful, the resulting Authentication object will be placed into the SecurityContext for the current thread, which is guaranteed to have already been created by an earlier filter.

The configured AuthenticationSuccessHandler will then be called to take the redirect to the appropriate destination after a successful login. The default behaviour is implemented in a SavedRequestAwareAuthenticationSuccessHandler, which will make use of any DefaultSavedRequest set by the ExceptionTranslationFilter and redirect the user to the URL contained therein. Otherwise it will redirect to the webapp root "/". You can customize this behaviour by injecting a differently configured instance of this class, or by using a different implementation. See the successfulAuthentication method for more information.

If authentication fails, the filter delegates to the configured AuthenticationFailureHandler to allow the failure information to be conveyed to the client. The default implementation is SimpleUrlAuthenticationFailureHandler, which sends a 401 error code to the client. It may also be configured with a failure URL as an alternative. Again, you can inject whatever behaviour you require here.

If authentication is successful, an InteractiveAuthenticationSuccessEvent will be published via the application context. No events will be published if authentication was unsuccessful, because this would generally be recorded via an AuthenticationManager-specific application event.

The class has an optional SessionAuthenticationStrategy which will be invoked immediately after a successful call to attemptAuthentication(). Different implementations can be injected to enable things like session-fixation attack prevention or to control the number of simultaneous sessions a principal may have.
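The following is an added example, not code from the Spring Security project or its Javadoc, showing how the contract above fits together in a concrete subclass: requiresAuthentication decides whether the request is a login attempt, attemptAuthentication either returns a populated Authentication or throws an AuthenticationException (so that doFilter routes to the success or failure handler), and the session-fixation strategy and the default handlers are wired in the constructor. The class name HeaderTokenFilter, the X-Auth-Token header, the "user:secret" token layout and the /login URL are assumptions made for the demonstration; the AuthenticationManager is supplied by the application.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

// Example subclass (not part of Spring Security): authenticates a request from a
// constructed "X-Auth-Token: user:secret" header posted to /login.
public class HeaderTokenFilter extends AbstractAuthenticationProcessingFilter {

    static final String TOKEN_HEADER = "X-Auth-Token"; // assumed header name

    public HeaderTokenFilter(AuthenticationManager authenticationManager) {
        // filterProcessesUrl: only requests for /login are treated as authentication requests.
        super("/login");
        setAuthenticationManager(authenticationManager);
        // Invoked right after a successful attemptAuthentication(): the session id is
        // changed so that a session fixed by an attacker before login is not kept.
        setSessionAuthenticationStrategy(new SessionFixationProtectionStrategy());
        // Defaults made explicit: redirect to the saved request (or "/") on success,
        // send a 401 to the client on failure.
        setAuthenticationSuccessHandler(new SavedRequestAwareAuthenticationSuccessHandler());
        setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
    }

    @Override
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        // Credentials are accepted on POST only; a GET to /login is passed down the chain
        // unchanged instead of being treated as a login attempt.
        return "POST".equalsIgnoreCase(request.getMethod())
                && super.requiresAuthentication(request, response);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String token = request.getHeader(TOKEN_HEADER);
        if (token == null || token.isEmpty()) {
            // Throwing makes doFilter() call unsuccessfulAuthentication(): context cleared,
            // failure handler answers 401.
            throw new BadCredentialsException("Missing " + TOKEN_HEADER + " header");
        }
        int sep = token.indexOf(':');
        if (sep <= 0) {
            throw new BadCredentialsException("Malformed " + TOKEN_HEADER + " header");
        }
        UsernamePasswordAuthenticationToken authRequest =
                new UsernamePasswordAuthenticationToken(token.substring(0, sep), token.substring(sep + 1));
        // Attach remote address / session id, as the built-in filters do, so the
        // manager and any event listeners can record where the attempt came from.
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
        // A populated Authentication is returned on success; the manager throws an
        // AuthenticationException otherwise. (Returning null would signal a multi-stage
        // process that is still in progress; this single-step filter never does.)
        return getAuthenticationManager().authenticate(authRequest);
    }
}
```

The filter is registered in the security filter chain like any other AbstractAuthenticationProcessingFilter subclass; a null SessionAuthenticationStrategy (the default when none is set) would leave the pre-login session id in place, which is why the example sets one explicitly.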
Constants

Type | Name | Description
---|---|---
String | SPRING_SECURITY_LAST_EXCEPTION_KEY | This constant is deprecated. Use the value in WebAttributes directly.

Fields

Field |
---|
authenticationDetailsSource |
eventPublisher |
messages |

Inherited Fields

From class org.springframework.web.filter.GenericFilterBean

Protected Constructors

Constructor | Description
---|---
AbstractAuthenticationProcessingFilter(String defaultFilterProcessesUrl) | Creates the filter with the given default value for the filterProcessesUrl property.

Public Methods

Method | Description
---|---
attemptAuthentication(HttpServletRequest, HttpServletResponse) | Performs actual authentication.
doFilter(ServletRequest, ServletResponse, FilterChain) | Invokes the requiresAuthentication method to determine whether the request is for authentication and should be handled by this filter.
setAuthenticationSuccessHandler(AuthenticationSuccessHandler) | Sets the strategy used to handle a successful authentication.
setContinueChainBeforeSuccessfulAuthentication(boolean) | Indicates if the filter chain should be continued prior to delegation to successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication), which may be useful in certain environments (such as Tapestry applications).
setSessionAuthenticationStrategy(SessionAuthenticationStrategy) | The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager.

Protected Methods

Method | Description
---|---
requiresAuthentication(HttpServletRequest, HttpServletResponse) | Indicates whether this filter should attempt to process a login request for the current invocation.
successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) | Default behaviour for successful authentication.
successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication) | This method is deprecated since 3.1. Use successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) instead.
unsuccessfulAuthentication(HttpServletRequest, HttpServletResponse, AuthenticationException) | Default behaviour for unsuccessful authentication.

Inherited Methods

From class org.springframework.web.filter.GenericFilterBean
From class java.lang.Object
From interface javax.servlet.Filter
From interface org.springframework.beans.factory.BeanNameAware
From interface org.springframework.beans.factory.DisposableBean
From interface org.springframework.beans.factory.InitializingBean
From interface org.springframework.context.ApplicationEventPublisherAware
From interface org.springframework.context.MessageSourceAware
From interface org.springframework.web.context.ServletContextAware
SPRING_SECURITY_LAST_EXCEPTION_KEY

This constant is deprecated. Use the value in WebAttributes directly.

AbstractAuthenticationProcessingFilter(String defaultFilterProcessesUrl)

Parameter | Description
---|---
defaultFilterProcessesUrl | the default value for filterProcessesUrl.
attemptAuthentication(HttpServletRequest, HttpServletResponse)

Performs actual authentication.

The implementation should do one of the following:

1. Return a populated Authentication token for the authenticated user, indicating successful authentication.
2. Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
3. Throw an AuthenticationException if the authentication process fails.

Parameter | Description
---|---
request | from which to extract parameters and perform the authentication
response | the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID).

Throws | Description
---|---
AuthenticationException | if authentication fails.
IOException | |
ServletException | |
doFilter(ServletRequest, ServletResponse, FilterChain)

Invokes the requiresAuthentication method to determine whether the request is for authentication and should be handled by this filter. If it is an authentication request, the attemptAuthentication method will be invoked to perform the authentication. There are then three possible outcomes:

1. An Authentication object is returned. The configured SessionAuthenticationStrategy will be invoked (to handle any session-related behaviour, such as creating a new session to protect against session-fixation attacks), followed by the successfulAuthentication method.
2. An AuthenticationException occurs during authentication. The unsuccessfulAuthentication method will be invoked.
3. Null is returned, indicating that the authentication process is incomplete. The method then returns immediately, assuming that the subclass has done any necessary work (such as redirects) to continue the authentication process, and that a later request will reach this method with a non-null Authentication result.

Throws | Description
---|---
IOException | |
ServletException | |
setAuthenticationSuccessHandler(AuthenticationSuccessHandler)

Sets the strategy used to handle a successful authentication. By default a SavedRequestAwareAuthenticationSuccessHandler is used.

setContinueChainBeforeSuccessfulAuthentication(boolean)

Indicates if the filter chain should be continued prior to delegation to successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication), which may be useful in certain environments (such as Tapestry applications). Defaults to false.

setSessionAuthenticationStrategy(SessionAuthenticationStrategy)

The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager. Used, for example, to handle changing of the session identifier to prevent session fixation attacks.

Parameter | Description
---|---
sessionStrategy | the implementation to use. If not set, a null implementation is used.
requiresAuthentication(HttpServletRequest, HttpServletResponse)

Indicates whether this filter should attempt to process a login request for the current invocation.

It strips any parameters from the "path" section of the request URL (such as the jsessionid parameter in http://host/myapp/index.html;jsessionid=blah) before matching against the filterProcessesUrl property.

Subclasses may override for special requirements, such as Tapestry integration.

Returns: true if the filter should attempt authentication, false otherwise.
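As an added example (not the framework's own implementation of requiresAuthentication), the class below reproduces the matching rule just described in a form that can be run on its own: path parameters such as ;jsessionid=... are stripped from the request URI before it is compared with the context path plus filterProcessesUrl. The LoginUrlMatcher class, the /login value and the sample URIs are constructed for the demonstration, and the exact-match comparison after stripping is this example's own choice, made so that a URI which merely ends with the login path is not mistaken for a login request.

```java
// Example (not Spring Security code): matching a request URI against
// filterProcessesUrl after removing servlet path parameters.
public final class LoginUrlMatcher {

    private final String filterProcessesUrl;

    public LoginUrlMatcher(String filterProcessesUrl) {
        this.filterProcessesUrl = filterProcessesUrl;
    }

    // Drops everything from the first ';' onward, e.g. ";jsessionid=blah" or
    // ";a=1;b=2", which the servlet container reports as part of the request URI.
    static String stripPathParameters(String requestUri) {
        int idx = requestUri.indexOf(';');
        return idx < 0 ? requestUri : requestUri.substring(0, idx);
    }

    // True only when the stripped URI is exactly contextPath + filterProcessesUrl.
    public boolean matches(String contextPath, String requestUri) {
        return stripPathParameters(requestUri).equals(contextPath + filterProcessesUrl);
    }

    public static void main(String[] args) {
        LoginUrlMatcher matcher = new LoginUrlMatcher("/login");
        // Constructed sample request URIs; "/myapp" is the context path from the
        // Javadoc's http://host/myapp/index.html;jsessionid=blah example.
        String[][] samples = {
            {"/myapp", "/myapp/login"},                    // plain login URL           -> true
            {"/myapp", "/myapp/login;jsessionid=blah"},    // path parameter stripped   -> true
            {"/myapp", "/myapp/index.html;jsessionid=blah"}, // ordinary page           -> false
            {"/myapp", "/myapp/other/login"},              // only ends with login path -> false
            {"",       "/login;a=1;b=2"},                  // root context, two params  -> true
        };
        for (String[] s : samples) {
            System.out.println(s[1] + " -> " + matcher.matches(s[0], s[1]));
        }
    }
}
```

In a subclass, the same decision would be taken inside an override of requiresAuthentication(HttpServletRequest, HttpServletResponse) using request.getContextPath() and request.getRequestURI() as the two inputs.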
successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication)

Default behaviour for successful authentication.

1. Sets the successful Authentication object on the SecurityContextHolder.
2. Invokes the configured SessionAuthenticationStrategy to handle any session-related behaviour (such as creating a new session to protect against session-fixation attacks).
3. Fires an InteractiveAuthenticationSuccessEvent via the configured ApplicationEventPublisher.
4. Delegates additional behaviour to the AuthenticationSuccessHandler.

Parameter | Description
---|---
authResult | the object returned from the attemptAuthentication method.

Throws | Description
---|---
IOException | |
ServletException | |
successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication)

This method is deprecated since 3.1. Use successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) instead.

Default behaviour for successful authentication; performs the same steps as the FilterChain variant: sets the Authentication on the SecurityContextHolder, invokes the SessionAuthenticationStrategy to handle any session-related behaviour (such as creating a new session to protect against session-fixation attacks), fires an InteractiveAuthenticationSuccessEvent via the configured ApplicationEventPublisher, and delegates additional behaviour to the AuthenticationSuccessHandler.

Parameter | Description
---|---
authResult | the object returned from the attemptAuthentication method.

Throws | Description
---|---
IOException | |
ServletException | |
unsuccessfulAuthentication(HttpServletRequest, HttpServletResponse, AuthenticationException)

Default behaviour for unsuccessful authentication.

1. Clears the SecurityContextHolder.
2. Delegates additional behaviour to the AuthenticationFailureHandler.

Throws | Description
---|---
IOException | |
ServletException | |