BasicAuthenticationProcessingFilter no longer creates HttpSession via WebAuthenticationDetails call.

This commit is contained in:
Ben Alex 2005-09-08 11:15:48 +00:00
parent c64a3770de
commit 35ca25f085
3 changed files with 30 additions and 32 deletions

View File

@ -12,7 +12,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.sf.acegisecurity.ui;
import java.io.Serializable;
@ -27,16 +26,12 @@ import javax.servlet.http.HttpServletRequest;
* @version $Id$
*/
public class WebAuthenticationDetails implements Serializable {
//~ Instance fields ========================================================
private String remoteAddress;
private String sessionId;
//~ Constructors ===========================================================
/**
* Constructor.
*
*
* <p>
* NB: This constructor will cause a <code>HttpSession</code> to be created
* (this is considered reasonable as all Acegi Security authentication
@ -48,7 +43,14 @@ public class WebAuthenticationDetails implements Serializable {
*/
public WebAuthenticationDetails(HttpServletRequest request) {
this.remoteAddress = request.getRemoteAddr();
this.sessionId = request.getSession().getId();
this.sessionId = request.getSession(true).getId();
doPopulateAdditionalInformation(request);
}
public WebAuthenticationDetails(HttpServletRequest request,
boolean forceSessionCreation) {
this.remoteAddress = request.getRemoteAddr();
this.sessionId = request.getSession(forceSessionCreation).getId();
doPopulateAdditionalInformation(request);
}
@ -56,8 +58,6 @@ public class WebAuthenticationDetails implements Serializable {
throw new IllegalArgumentException("Cannot use default constructor");
}
//~ Methods ================================================================
/**
* Indicates the TCP/IP address the authentication request was received
* from.
@ -92,5 +92,6 @@ public class WebAuthenticationDetails implements Serializable {
*
* @param request that the authentication request was received from
*/
protected void doPopulateAdditionalInformation(HttpServletRequest request) {}
protected void doPopulateAdditionalInformation(HttpServletRequest request) {
}
}

View File

@ -12,7 +12,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.sf.acegisecurity.ui.basicauth;
import net.sf.acegisecurity.Authentication;
@ -46,13 +45,13 @@ import javax.servlet.http.HttpServletResponse;
/**
* Processes a HTTP request's BASIC authorization headers, putting the result
* into the <code>ContextHolder</code>.
*
*
* <P>
* For a detailed background on what this filter is designed to process, refer
* to <A HREF="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section
* 11.1</A>. Any realm name presented in the HTTP request is ignored.
* </p>
*
*
* <p>
* In summary, this filter is responsible for processing any request that has a
* HTTP request header of <code>Authorization</code> with an authentication
@ -61,28 +60,28 @@ import javax.servlet.http.HttpServletResponse;
* "Aladdin" with password "open sesame" the following header would be
* presented:
* </p>
*
*
* <p>
* <code>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code>.
* </p>
*
*
* <p>
* This filter can be used to provide BASIC authentication services to both
* remoting protocol clients (such as Hessian and SOAP) as well as standard
* user agents (such as Internet Explorer and Netscape).
* </p>
*
*
* <P>
* If authentication is successful, the resulting {@link Authentication} object
* will be placed into the <code>ContextHolder</code>.
* </p>
*
*
* <p>
* If authentication fails, an {@link AuthenticationEntryPoint} implementation
* is called. Usually this should be {@link BasicProcessingFilterEntryPoint},
* which will prompt the user to authenticate again via BASIC authentication.
* </p>
*
*
* <P>
* Basic authentication is an attractive protocol because it is simple and
* widely deployed. However, it still transmits a password in clear text and
@ -91,7 +90,7 @@ import javax.servlet.http.HttpServletResponse;
* authentication wherever possible. See {@link
* net.sf.acegisecurity.ui.digestauth.DigestProcessingFilter}.
* </p>
*
*
* <P>
* <B>Do not use this class directly.</B> Instead configure
* <code>web.xml</code> to use the {@link
@ -102,17 +101,10 @@ import javax.servlet.http.HttpServletResponse;
* @version $Id$
*/
public class BasicProcessingFilter implements Filter, InitializingBean {
//~ Static fields/initializers =============================================
private static final Log logger = LogFactory.getLog(BasicProcessingFilter.class);
//~ Instance fields ========================================================
private AuthenticationEntryPoint authenticationEntryPoint;
private AuthenticationManager authenticationManager;
//~ Methods ================================================================
public void setAuthenticationEntryPoint(
AuthenticationEntryPoint authenticationEntryPoint) {
this.authenticationEntryPoint = authenticationEntryPoint;
@ -138,7 +130,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
"An AuthenticationEntryPoint is required");
}
public void destroy() {}
public void destroy() {
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
@ -174,7 +167,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
password);
authRequest.setDetails(new WebAuthenticationDetails(httpRequest));
authRequest.setDetails(new WebAuthenticationDetails(httpRequest,
false));
Authentication authResult;
@ -183,8 +177,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
} catch (AuthenticationException failed) {
// Authentication failed
if (logger.isDebugEnabled()) {
logger.debug("Authentication request for user: " + username
+ " failed: " + failed.toString());
logger.debug("Authentication request for user: " +
username + " failed: " + failed.toString());
}
SecurityContextHolder.getContext().setAuthentication(null);
@ -195,7 +189,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
// Authentication success
if (logger.isDebugEnabled()) {
logger.debug("Authentication success: " + authResult.toString());
logger.debug("Authentication success: " +
authResult.toString());
}
SecurityContextHolder.getContext().setAuthentication(authResult);
@ -204,5 +199,6 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
chain.doFilter(request, response);
}
public void init(FilterConfig arg0) throws ServletException {}
public void init(FilterConfig arg0) throws ServletException {
}
}

View File

@ -28,6 +28,7 @@
<release version="0.9.0" date="In CVS">
<action dev="markstg" type="add">SwitchUserProcessingFilter to provide user security context switching</action>
<action dev="markstg" type="add">Java 1.5 annotation support</action>
<action dev="benalex" type="update">BasicAuthenticationProcessingFilter no longer creates HttpSession via WebAuthenticationDetails call</action>
<action dev="benalex" type="update">JdbcDaoImpl modified to support synthetic primary keys</action>
<action dev="benalex" type="update">Greatly improve BasicAclEntryAfterInvocationCollectionFilteringProvider performance with large collections (if the principal has access to relatively few collection elements)</action>
<action dev="benalex" type="update">Reorder DaoAuthenticationProvider exception logic as per developer list discussion</action>