mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-03-09 06:50:05 +00:00
BasicAuthenticationProcessingFilter no longer creates HttpSession via WebAuthenticationDetails call.
This commit is contained in:
parent
c64a3770de
commit
35ca25f085
@ -12,7 +12,6 @@
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package net.sf.acegisecurity.ui;
|
||||
|
||||
import java.io.Serializable;
|
||||
@ -27,16 +26,12 @@ import javax.servlet.http.HttpServletRequest;
|
||||
* @version $Id$
|
||||
*/
|
||||
public class WebAuthenticationDetails implements Serializable {
|
||||
//~ Instance fields ========================================================
|
||||
|
||||
private String remoteAddress;
|
||||
private String sessionId;
|
||||
|
||||
//~ Constructors ===========================================================
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* NB: This constructor will cause a <code>HttpSession</code> to be created
|
||||
* (this is considered reasonable as all Acegi Security authentication
|
||||
@ -48,7 +43,14 @@ public class WebAuthenticationDetails implements Serializable {
|
||||
*/
|
||||
public WebAuthenticationDetails(HttpServletRequest request) {
|
||||
this.remoteAddress = request.getRemoteAddr();
|
||||
this.sessionId = request.getSession().getId();
|
||||
this.sessionId = request.getSession(true).getId();
|
||||
doPopulateAdditionalInformation(request);
|
||||
}
|
||||
|
||||
public WebAuthenticationDetails(HttpServletRequest request,
|
||||
boolean forceSessionCreation) {
|
||||
this.remoteAddress = request.getRemoteAddr();
|
||||
this.sessionId = request.getSession(forceSessionCreation).getId();
|
||||
doPopulateAdditionalInformation(request);
|
||||
}
|
||||
|
||||
@ -56,8 +58,6 @@ public class WebAuthenticationDetails implements Serializable {
|
||||
throw new IllegalArgumentException("Cannot use default constructor");
|
||||
}
|
||||
|
||||
//~ Methods ================================================================
|
||||
|
||||
/**
|
||||
* Indicates the TCP/IP address the authentication request was received
|
||||
* from.
|
||||
@ -92,5 +92,6 @@ public class WebAuthenticationDetails implements Serializable {
|
||||
*
|
||||
* @param request that the authentication request was received from
|
||||
*/
|
||||
protected void doPopulateAdditionalInformation(HttpServletRequest request) {}
|
||||
protected void doPopulateAdditionalInformation(HttpServletRequest request) {
|
||||
}
|
||||
}
|
||||
|
@ -12,7 +12,6 @@
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package net.sf.acegisecurity.ui.basicauth;
|
||||
|
||||
import net.sf.acegisecurity.Authentication;
|
||||
@ -46,13 +45,13 @@ import javax.servlet.http.HttpServletResponse;
|
||||
/**
|
||||
* Processes a HTTP request's BASIC authorization headers, putting the result
|
||||
* into the <code>ContextHolder</code>.
|
||||
*
|
||||
*
|
||||
* <P>
|
||||
* For a detailed background on what this filter is designed to process, refer
|
||||
* to <A HREF="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section
|
||||
* 11.1</A>. Any realm name presented in the HTTP request is ignored.
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* In summary, this filter is responsible for processing any request that has a
|
||||
* HTTP request header of <code>Authorization</code> with an authentication
|
||||
@ -61,28 +60,28 @@ import javax.servlet.http.HttpServletResponse;
|
||||
* "Aladdin" with password "open sesame" the following header would be
|
||||
* presented:
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* <code>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code>.
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* This filter can be used to provide BASIC authentication services to both
|
||||
* remoting protocol clients (such as Hessian and SOAP) as well as standard
|
||||
* user agents (such as Internet Explorer and Netscape).
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* <P>
|
||||
* If authentication is successful, the resulting {@link Authentication} object
|
||||
* will be placed into the <code>ContextHolder</code>.
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* If authentication fails, an {@link AuthenticationEntryPoint} implementation
|
||||
* is called. Usually this should be {@link BasicProcessingFilterEntryPoint},
|
||||
* which will prompt the user to authenticate again via BASIC authentication.
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* <P>
|
||||
* Basic authentication is an attractive protocol because it is simple and
|
||||
* widely deployed. However, it still transmits a password in clear text and
|
||||
@ -91,7 +90,7 @@ import javax.servlet.http.HttpServletResponse;
|
||||
* authentication wherever possible. See {@link
|
||||
* net.sf.acegisecurity.ui.digestauth.DigestProcessingFilter}.
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* <P>
|
||||
* <B>Do not use this class directly.</B> Instead configure
|
||||
* <code>web.xml</code> to use the {@link
|
||||
@ -102,17 +101,10 @@ import javax.servlet.http.HttpServletResponse;
|
||||
* @version $Id$
|
||||
*/
|
||||
public class BasicProcessingFilter implements Filter, InitializingBean {
|
||||
//~ Static fields/initializers =============================================
|
||||
|
||||
private static final Log logger = LogFactory.getLog(BasicProcessingFilter.class);
|
||||
|
||||
//~ Instance fields ========================================================
|
||||
|
||||
private AuthenticationEntryPoint authenticationEntryPoint;
|
||||
private AuthenticationManager authenticationManager;
|
||||
|
||||
//~ Methods ================================================================
|
||||
|
||||
public void setAuthenticationEntryPoint(
|
||||
AuthenticationEntryPoint authenticationEntryPoint) {
|
||||
this.authenticationEntryPoint = authenticationEntryPoint;
|
||||
@ -138,7 +130,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
|
||||
"An AuthenticationEntryPoint is required");
|
||||
}
|
||||
|
||||
public void destroy() {}
|
||||
public void destroy() {
|
||||
}
|
||||
|
||||
public void doFilter(ServletRequest request, ServletResponse response,
|
||||
FilterChain chain) throws IOException, ServletException {
|
||||
@ -174,7 +167,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
|
||||
|
||||
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
|
||||
password);
|
||||
authRequest.setDetails(new WebAuthenticationDetails(httpRequest));
|
||||
authRequest.setDetails(new WebAuthenticationDetails(httpRequest,
|
||||
false));
|
||||
|
||||
Authentication authResult;
|
||||
|
||||
@ -183,8 +177,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
|
||||
} catch (AuthenticationException failed) {
|
||||
// Authentication failed
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Authentication request for user: " + username
|
||||
+ " failed: " + failed.toString());
|
||||
logger.debug("Authentication request for user: " +
|
||||
username + " failed: " + failed.toString());
|
||||
}
|
||||
|
||||
SecurityContextHolder.getContext().setAuthentication(null);
|
||||
@ -195,7 +189,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
|
||||
|
||||
// Authentication success
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Authentication success: " + authResult.toString());
|
||||
logger.debug("Authentication success: " +
|
||||
authResult.toString());
|
||||
}
|
||||
|
||||
SecurityContextHolder.getContext().setAuthentication(authResult);
|
||||
@ -204,5 +199,6 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
|
||||
chain.doFilter(request, response);
|
||||
}
|
||||
|
||||
public void init(FilterConfig arg0) throws ServletException {}
|
||||
public void init(FilterConfig arg0) throws ServletException {
|
||||
}
|
||||
}
|
||||
|
@ -28,6 +28,7 @@
|
||||
<release version="0.9.0" date="In CVS">
|
||||
<action dev="markstg" type="add">SwitchUserProcessingFilter to provide user security context switching</action>
|
||||
<action dev="markstg" type="add">Java 1.5 annotation support</action>
|
||||
<action dev="benalex" type="update">BasicAuthenticationProcessingFilter no longer creates HttpSession via WebAuthenticationDetails call</action>
|
||||
<action dev="benalex" type="update">JdbcDaoImpl modified to support synthetic primary keys</action>
|
||||
<action dev="benalex" type="update">Greatly improve BasicAclEntryAfterInvocationCollectionFilteringProvider performance with large collections (if the principal has access to relatively few collection elements)</action>
|
||||
<action dev="benalex" type="update">Reorder DaoAuthenticationProvider exception logic as per developer list discussion</action>
|
||||
|
Loading…
x
Reference in New Issue
Block a user