| java.lang.Object | |||
| ↳ | org.springframework.web.filter.GenericFilterBean | ||
| ↳ | org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter | ||
| ↳ | org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter | ||
Class Overview
Processes an authentication form submission. Called AuthenticationProcessingFilter prior to Spring Security
3.0.
Login forms must present two parameters to this filter: a username and
password. The default parameter names to use are contained in the
static fields SPRING_SECURITY_FORM_USERNAME_KEY and SPRING_SECURITY_FORM_PASSWORD_KEY.
The parameter names can also be changed by setting the usernameParameter and passwordParameter
properties.
This filter by default responds to the URL /j_spring_security_check.
Summary
| Constants | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| String | SPRING_SECURITY_FORM_PASSWORD_KEY | ||||||||||
| String | SPRING_SECURITY_FORM_USERNAME_KEY | ||||||||||
| String | SPRING_SECURITY_LAST_USERNAME_KEY |
This constant is deprecated.
If you want to retain the username, cache it in a customized AuthenticationFailureHandler
|
|||||||||
|
[Expand]
Inherited Constants | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
 From class
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
| |||||||||||
|
[Expand]
Inherited Fields | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
From class
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
| |||||||||||
|
From class
org.springframework.web.filter.GenericFilterBean
| |||||||||||
| Public Constructors | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Public Methods | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Performs actual authentication.
| |||||||||||
Sets the parameter name which will be used to obtain the password from the login request..
| |||||||||||
Defines whether only HTTP POST requests will be allowed by this filter.
| |||||||||||
Sets the parameter name which will be used to obtain the username from the login request.
| |||||||||||
| Protected Methods | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Enables subclasses to override the composition of the password, such as by including additional values
and a separator.
| |||||||||||
Enables subclasses to override the composition of the username, such as by including additional values
and a separator.
| |||||||||||
Provided so that subclasses may configure what is put into the authentication request's details
property.
| |||||||||||
|
[Expand]
Inherited Methods | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
From class
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
| |||||||||||
|
From class
org.springframework.web.filter.GenericFilterBean
| |||||||||||
|
From class
java.lang.Object
| |||||||||||
|
From interface
javax.servlet.Filter
| |||||||||||
|
From interface
org.springframework.beans.factory.BeanNameAware
| |||||||||||
|
From interface
org.springframework.beans.factory.DisposableBean
| |||||||||||
|
From interface
org.springframework.beans.factory.InitializingBean
| |||||||||||
|
From interface
org.springframework.context.ApplicationEventPublisherAware
| |||||||||||
|
From interface
org.springframework.context.MessageSourceAware
| |||||||||||
|
From interface
org.springframework.web.context.ServletContextAware
| |||||||||||
Constants
public static final String SPRING_SECURITY_LAST_USERNAME_KEY
This constant is deprecated.
If you want to retain the username, cache it in a customized AuthenticationFailureHandler
Public Constructors
public UsernamePasswordAuthenticationFilter ()
Public Methods
public Authentication attemptAuthentication (HttpServletRequest request, HttpServletResponse response)
Performs actual authentication.
The implementation should do one of the following:
- Return a populated authentication token for the authenticated user, indicating successful authentication
- Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
- Throw an AuthenticationException if the authentication process fails
Parameters
| request | from which to extract parameters and perform the authentication |
|---|---|
| response | the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID). |
Returns
- the authenticated user token, or null if authentication is incomplete.
Throws
| AuthenticationException |
|---|
public void setPasswordParameter (String passwordParameter)
Sets the parameter name which will be used to obtain the password from the login request..
Parameters
| passwordParameter | the parameter name. Defaults to "j_password". |
|---|
public void setPostOnly (boolean postOnly)
Defines whether only HTTP POST requests will be allowed by this filter. If set to true, and an authentication request is received which is not a POST request, an exception will be raised immediately and authentication will not be attempted. The unsuccessfulAuthentication() method will be called as if handling a failed authentication.
Defaults to true but may be overridden by subclasses.
public void setUsernameParameter (String usernameParameter)
Sets the parameter name which will be used to obtain the username from the login request.
Parameters
| usernameParameter | the parameter name. Defaults to "j_username". |
|---|
Protected Methods
protected String obtainPassword (HttpServletRequest request)
Enables subclasses to override the composition of the password, such as by including additional values and a separator.
This might be used for example if a postcode/zipcode was required in addition to the
password. A delimiter such as a pipe (|) should be used to separate the password and extended value(s). The
AuthenticationDao will need to generate the expected password in a corresponding manner.
Parameters
| request | so that request attributes can be retrieved |
|---|
Returns
- the password that will be presented in the
Authenticationrequest token to theAuthenticationManager
protected String obtainUsername (HttpServletRequest request)
Enables subclasses to override the composition of the username, such as by including additional values and a separator.
Parameters
| request | so that request attributes can be retrieved |
|---|
Returns
- the username that will be presented in the
Authenticationrequest token to theAuthenticationManager
protected void setDetails (HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest)
Provided so that subclasses may configure what is put into the authentication request's details property.
Parameters
| request | that an authentication request is being created for |
|---|---|
| authRequest | the authentication request object that should have its details set |