The
* ObjectDefinitionSource required by this security interceptor is of type {@link
* FilterInvocationDefinitionSource}.
Refer to {@link AbstractSecurityInterceptor} for details on the workflow.
+ *Refer to {@link AbstractSecurityInterceptor} for details on the workflow.
* * @author Ben Alex * @version $Id$ */ -public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter { +public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter, Ordered { //~ Static fields/initializers ===================================================================================== private static final String FILTER_APPLIED = "__spring_security_filterSecurityInterceptor_filterApplied"; @@ -50,6 +52,15 @@ public class FilterSecurityInterceptor extends AbstractSecurityInterceptor imple //~ Methods ======================================================================================================== + /** + * Not used (we rely on IoC container lifecycle services instead) + * + * @param arg0 ignored + * + * @throws ServletException never thrown + */ + public void init(FilterConfig arg0) throws ServletException {} + /** * Not used (we rely on IoC container lifecycle services instead) */ @@ -80,15 +91,6 @@ public class FilterSecurityInterceptor extends AbstractSecurityInterceptor imple return FilterInvocation.class; } - /** - * Not used (we rely on IoC container lifecycle services instead) - * - * @param arg0 ignored - * - * @throws ServletException never thrown - */ - public void init(FilterConfig arg0) throws ServletException {} - public void invoke(FilterInvocation fi) throws IOException, ServletException { if ((fi.getRequest() != null) && (fi.getRequest().getAttribute(FILTER_APPLIED) != null) && observeOncePerRequest) { @@ -136,4 +138,8 @@ public class FilterSecurityInterceptor extends AbstractSecurityInterceptor imple public void setObserveOncePerRequest(boolean observeOncePerRequest) { this.observeOncePerRequest = observeOncePerRequest; } + + public int getOrder() { + return FilterChainOrderUtils.FILTER_SECURITY_INTERCEPTOR_ORDER; + } } diff --git a/core/src/main/java/org/springframework/security/ui/AbstractProcessingFilter.java b/core/src/main/java/org/springframework/security/ui/AbstractProcessingFilter.java index a56b144d09..f22fe37d03 100644 --- a/core/src/main/java/org/springframework/security/ui/AbstractProcessingFilter.java +++ b/core/src/main/java/org/springframework/security/ui/AbstractProcessingFilter.java @@ -50,12 +50,8 @@ import java.util.HashMap; import java.util.Iterator; import java.util.Map; -import javax.servlet.Filter; import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; @@ -139,8 +135,8 @@ import javax.servlet.http.HttpSession; * @version $Id: AbstractProcessingFilter.java 1909 2007-06-19 04:08:19Z * vishalpuri $ */ -public abstract class AbstractProcessingFilter implements Filter, InitializingBean, ApplicationEventPublisherAware, - MessageSourceAware { +public abstract class AbstractProcessingFilter extends SpringSecurityFilter implements InitializingBean, + ApplicationEventPublisherAware, MessageSourceAware { //~ Static fields/initializers ===================================================================================== public static final String SPRING_SECURITY_SAVED_REQUEST_KEY = "SPRING_SECURITY_SAVED_REQUEST_KEY"; @@ -239,26 +235,10 @@ public abstract class AbstractProcessingFilter implements Filter, InitializingBe */ public abstract Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException; - /** - * Does nothing. We use IoC container lifecycle services instead. - */ - public void destroy() { - } - - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, + public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { - if (!(request instanceof HttpServletRequest)) { - throw new ServletException("Can only process HttpServletRequest"); - } - if (!(response instanceof HttpServletResponse)) { - throw new ServletException("Can only process HttpServletResponse"); - } - - HttpServletRequest httpRequest = (HttpServletRequest) request; - HttpServletResponse httpResponse = (HttpServletResponse) response; - - if (requiresAuthentication(httpRequest, httpResponse)) { + if (requiresAuthentication(request, response)) { if (logger.isDebugEnabled()) { logger.debug("Request is to process authentication"); } @@ -266,12 +246,12 @@ public abstract class AbstractProcessingFilter implements Filter, InitializingBe Authentication authResult; try { - onPreAuthentication(httpRequest, httpResponse); - authResult = attemptAuthentication(httpRequest); + onPreAuthentication(request, response); + authResult = attemptAuthentication(request); } catch (AuthenticationException failed) { // Authentication failed - unsuccessfulAuthentication(httpRequest, httpResponse, failed); + unsuccessfulAuthentication(request, response, failed); return; } @@ -281,7 +261,7 @@ public abstract class AbstractProcessingFilter implements Filter, InitializingBe chain.doFilter(request, response); } - successfulAuthentication(httpRequest, httpResponse, authResult); + successfulAuthentication(request, response, authResult); return; } @@ -330,16 +310,6 @@ public abstract class AbstractProcessingFilter implements Filter, InitializingBe return rememberMeServices; } - /** - * Does nothing. We use IoC container lifecycle services instead. - * - * @param arg0 ignored - * - * @throws ServletException ignored - */ - public void init(FilterConfig arg0) throws ServletException { - } - public boolean isAlwaysUseDefaultTargetUrl() { return alwaysUseDefaultTargetUrl; } diff --git a/core/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java b/core/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java index ce8f6cd9e4..d539bdb0e1 100644 --- a/core/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java +++ b/core/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java @@ -21,11 +21,8 @@ import org.springframework.security.AuthenticationException; import org.springframework.security.AuthenticationTrustResolver; import org.springframework.security.AuthenticationTrustResolverImpl; import org.springframework.security.InsufficientAuthenticationException; - import org.springframework.security.context.SecurityContextHolder; - import org.springframework.security.ui.savedrequest.SavedRequest; - import org.springframework.security.util.PortResolver; import org.springframework.security.util.PortResolverImpl; @@ -38,9 +35,7 @@ import org.springframework.util.Assert; import java.io.IOException; -import javax.servlet.Filter; import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; @@ -85,7 +80,7 @@ import javax.servlet.http.HttpServletResponse; * @author colin sampaleanu * @version $Id$ */ -public class ExceptionTranslationFilter implements Filter, InitializingBean { +public class ExceptionTranslationFilter extends SpringSecurityFilter implements InitializingBean { //~ Static fields/initializers ===================================================================================== @@ -107,15 +102,8 @@ public class ExceptionTranslationFilter implements Filter, InitializingBean { Assert.notNull(authenticationTrustResolver, "authenticationTrustResolver must be specified"); } - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, + public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { - if (!(request instanceof HttpServletRequest)) { - throw new ServletException("HttpServletRequest required"); - } - - if (!(response instanceof HttpServletResponse)) { - throw new ServletException("HttpServletResponse required"); - } try { chain.doFilter(request, response); @@ -223,7 +211,7 @@ public class ExceptionTranslationFilter implements Filter, InitializingBean { // existing Authentication is no longer considered valid SecurityContextHolder.getContext().setAuthentication(null); - authenticationEntryPoint.commence(httpRequest, (HttpServletResponse) response, reason); + authenticationEntryPoint.commence(httpRequest, response, reason); } public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler) { @@ -247,9 +235,7 @@ public class ExceptionTranslationFilter implements Filter, InitializingBean { this.portResolver = portResolver; } - public void init(FilterConfig filterConfig) throws ServletException { - } - - public void destroy() { + public int getOrder() { + return FilterChainOrderUtils.EXCEPTION_TRANSLATION_FILTER_ORDER; } } diff --git a/core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java b/core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java index 63723f739e..8d4b265697 100644 --- a/core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java +++ b/core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java @@ -17,12 +17,8 @@ package org.springframework.security.ui.basicauth; import java.io.IOException; -import javax.servlet.Filter; import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -34,6 +30,8 @@ import org.springframework.security.providers.UsernamePasswordAuthenticationToke import org.springframework.security.ui.AuthenticationDetailsSource; import org.springframework.security.ui.AuthenticationDetailsSourceImpl; import org.springframework.security.ui.AuthenticationEntryPoint; +import org.springframework.security.ui.SpringSecurityFilter; +import org.springframework.security.ui.FilterChainOrderUtils; import org.springframework.security.ui.rememberme.RememberMeServices; import org.apache.commons.codec.binary.Base64; import org.apache.commons.logging.Log; @@ -72,7 +70,7 @@ import org.springframework.util.Assert; * @author Ben Alex * @version $Id$ */ -public class BasicProcessingFilter implements Filter, InitializingBean { +public class BasicProcessingFilter extends SpringSecurityFilter implements InitializingBean { //~ Static fields/initializers ===================================================================================== private static final Log logger = LogFactory.getLog(BasicProcessingFilter.class); @@ -92,22 +90,9 @@ public class BasicProcessingFilter implements Filter, InitializingBean { Assert.notNull(this.authenticationEntryPoint, "An AuthenticationEntryPoint is required"); } - public void destroy() {} - - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) + public void doFilterHttp(HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain chain) throws IOException, ServletException { - if (!(request instanceof HttpServletRequest)) { - throw new ServletException("Can only process HttpServletRequest"); - } - - if (!(response instanceof HttpServletResponse)) { - throw new ServletException("Can only process HttpServletResponse"); - } - - HttpServletRequest httpRequest = (HttpServletRequest) request; - HttpServletResponse httpResponse = (HttpServletResponse) response; - String header = httpRequest.getHeader("Authorization"); if (logger.isDebugEnabled()) { @@ -130,7 +115,7 @@ public class BasicProcessingFilter implements Filter, InitializingBean { if (authenticationIsRequired(username)) { UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); - authRequest.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request)); + authRequest.setDetails(authenticationDetailsSource.buildDetails(httpRequest)); Authentication authResult; @@ -149,9 +134,9 @@ public class BasicProcessingFilter implements Filter, InitializingBean { } if (ignoreFailure) { - chain.doFilter(request, response); + chain.doFilter(httpRequest, httpResponse); } else { - authenticationEntryPoint.commence(request, response, failed); + authenticationEntryPoint.commence(httpRequest, httpResponse, failed); } return; @@ -170,7 +155,7 @@ public class BasicProcessingFilter implements Filter, InitializingBean { } } - chain.doFilter(request, response); + chain.doFilter(httpRequest, httpResponse); } private boolean authenticationIsRequired(String username) { @@ -200,8 +185,6 @@ public class BasicProcessingFilter implements Filter, InitializingBean { return authenticationManager; } - public void init(FilterConfig arg0) throws ServletException {} - public boolean isIgnoreFailure() { return ignoreFailure; } @@ -227,4 +210,7 @@ public class BasicProcessingFilter implements Filter, InitializingBean { this.rememberMeServices = rememberMeServices; } + public int getOrder() { + return FilterChainOrderUtils.BASIC_PROCESSING_FILTER_ORDER; + } } diff --git a/core/src/main/java/org/springframework/security/ui/cas/CasProcessingFilter.java b/core/src/main/java/org/springframework/security/ui/cas/CasProcessingFilter.java index 80865b4ac7..eb3a75ccbc 100644 --- a/core/src/main/java/org/springframework/security/ui/cas/CasProcessingFilter.java +++ b/core/src/main/java/org/springframework/security/ui/cas/CasProcessingFilter.java @@ -21,6 +21,7 @@ import org.springframework.security.AuthenticationException; import org.springframework.security.providers.UsernamePasswordAuthenticationToken; import org.springframework.security.ui.AbstractProcessingFilter; +import org.springframework.security.ui.FilterChainOrderUtils; import javax.servlet.FilterConfig; import javax.servlet.ServletException; @@ -71,7 +72,7 @@ public class CasProcessingFilter extends AbstractProcessingFilter { UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); - authRequest.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request)); + authRequest.setDetails(authenticationDetailsSource.buildDetails(request)); return this.getAuthenticationManager().authenticate(authRequest); } @@ -85,5 +86,7 @@ public class CasProcessingFilter extends AbstractProcessingFilter { return "/j_spring_cas_security_check"; } - public void init(FilterConfig filterConfig) throws ServletException {} + public int getOrder() { + return FilterChainOrderUtils.CAS_PROCESSING_FILTER_ORDER; + } } diff --git a/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java b/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java index 8586db20b9..4c332e603b 100644 --- a/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java +++ b/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java @@ -27,6 +27,8 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.security.Authentication; +import org.springframework.security.ui.SpringSecurityFilter; +import org.springframework.security.ui.FilterChainOrderUtils; import org.springframework.security.util.RedirectUtils; import org.springframework.security.context.SecurityContextHolder; import org.apache.commons.logging.Log; @@ -51,7 +53,7 @@ import org.springframework.util.Assert; * @author Ben Alex * @version $Id$ */ -public class LogoutFilter implements Filter { +public class LogoutFilter extends SpringSecurityFilter { //~ Static fields/initializers ===================================================================================== private static final Log logger = LogFactory.getLog(LogoutFilter.class); @@ -74,26 +76,10 @@ public class LogoutFilter implements Filter { //~ Methods ======================================================================================================== - /** - * Not used. Use IoC container lifecycle methods instead. - */ - public void destroy() { - } - - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, + public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { - if (!(request instanceof HttpServletRequest)) { - throw new ServletException("Can only process HttpServletRequest"); - } - if (!(response instanceof HttpServletResponse)) { - throw new ServletException("Can only process HttpServletResponse"); - } - - HttpServletRequest httpRequest = (HttpServletRequest) request; - HttpServletResponse httpResponse = (HttpServletResponse) response; - - if (requiresLogout(httpRequest, httpResponse)) { + if (requiresLogout(request, response)) { Authentication auth = SecurityContextHolder.getContext().getAuthentication(); if (logger.isDebugEnabled()) { @@ -101,10 +87,10 @@ public class LogoutFilter implements Filter { } for (int i = 0; i < handlers.length; i++) { - handlers[i].logout(httpRequest, httpResponse, auth); + handlers[i].logout(request, response, auth); } - sendRedirect(httpRequest, httpResponse, logoutSuccessUrl); + sendRedirect(request, response, logoutSuccessUrl); return; } @@ -112,16 +98,6 @@ public class LogoutFilter implements Filter { chain.doFilter(request, response); } - /** - * Not used. Use IoC container lifecycle methods instead. - * - * @param arg0 ignored - * - * @throws ServletException ignored - */ - public void init(FilterConfig arg0) throws ServletException { - } - /** * Allow subclasses to modify when a logout should take place. * @@ -180,4 +156,8 @@ public class LogoutFilter implements Filter { public void setUseRelativeContext(boolean useRelativeContext) { this.useRelativeContext = useRelativeContext; } + + public int getOrder() { + return FilterChainOrderUtils.LOGOUT_FILTER_ORDER; + } } diff --git a/core/src/main/java/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.java b/core/src/main/java/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.java index 05c6981357..3ed59ff922 100644 --- a/core/src/main/java/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.java +++ b/core/src/main/java/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.java @@ -21,10 +21,9 @@ import org.springframework.security.AuthenticationException; import org.springframework.security.providers.UsernamePasswordAuthenticationToken; import org.springframework.security.ui.AbstractProcessingFilter; +import org.springframework.security.ui.FilterChainOrderUtils; import org.springframework.util.Assert; -import javax.servlet.FilterConfig; -import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; @@ -90,8 +89,6 @@ public class AuthenticationProcessingFilter extends AbstractProcessingFilter { return "/j_spring_security_check"; } - public void init(FilterConfig filterConfig) throws ServletException {} - /** * Enables subclasses to override the composition of the password, such as by including additional values * and a separator.This might be used for example if a postcode/zipcode was required in addition to the @@ -150,4 +147,16 @@ public class AuthenticationProcessingFilter extends AbstractProcessingFilter { Assert.hasText(passwordParameter, "Password parameter must not be empty or null"); this.passwordParameter = passwordParameter; } + + public int getOrder() { + return FilterChainOrderUtils.AUTH_PROCESSING_FILTER_ORDER; + } + + String getUsernameParameter() { + return usernameParameter; + } + + String getPasswordParameter() { + return passwordParameter; + } } diff --git a/core/src/test/java/org/springframework/security/ui/AbstractProcessingFilterTests.java b/core/src/test/java/org/springframework/security/ui/AbstractProcessingFilterTests.java index f883be9754..72ccb1022a 100644 --- a/core/src/test/java/org/springframework/security/ui/AbstractProcessingFilterTests.java +++ b/core/src/test/java/org/springframework/security/ui/AbstractProcessingFilterTests.java @@ -480,6 +480,10 @@ public class AbstractProcessingFilterTests extends TestCase { public boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) { return super.requiresAuthentication(request, response); } + + public int getOrder() { + return 0; + } } private class MockFilterChain implements FilterChain { diff --git a/core/src/test/java/org/springframework/security/ui/ExceptionTranslationFilterTests.java b/core/src/test/java/org/springframework/security/ui/ExceptionTranslationFilterTests.java index ce4e0dc5fd..acc0d51704 100644 --- a/core/src/test/java/org/springframework/security/ui/ExceptionTranslationFilterTests.java +++ b/core/src/test/java/org/springframework/security/ui/ExceptionTranslationFilterTests.java @@ -46,8 +46,7 @@ import javax.servlet.ServletResponse; * benalex $ */ public class ExceptionTranslationFilterTests extends TestCase { - // ~ Constructors - // =================================================================================================== + //~ Constructors =================================================================================================== public ExceptionTranslationFilterTests() { super(); @@ -57,16 +56,8 @@ public class ExceptionTranslationFilterTests extends TestCase { super(arg0); } - // ~ Methods - // ======================================================================================================== + //~ Methods ======================================================================================================== - public static void main(String[] args) { - junit.textui.TestRunner.run(ExceptionTranslationFilterTests.class); - } - - public final void setUp() throws Exception { - super.setUp(); - } protected void tearDown() throws Exception { super.tearDown(); @@ -139,7 +130,7 @@ public class ExceptionTranslationFilterTests extends TestCase { fail("Should have thrown ServletException"); } catch (ServletException expected) { - assertEquals("HttpServletRequest required", expected.getMessage()); + assertEquals("Can only process HttpServletRequest", expected.getMessage()); } } @@ -152,7 +143,7 @@ public class ExceptionTranslationFilterTests extends TestCase { fail("Should have thrown ServletException"); } catch (ServletException expected) { - assertEquals("HttpServletResponse required", expected.getMessage()); + assertEquals("Can only process HttpServletResponse", expected.getMessage()); } }