diff --git a/core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java b/core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java
index 75b2cfcc45..b29845d0d6 100644
--- a/core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java
+++ b/core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java
@@ -12,7 +12,6 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-
 package net.sf.acegisecurity.ui;
 import java.io.Serializable;
@@ -27,16 +26,12 @@ import javax.servlet.http.HttpServletRequest;
 * @version $Id$
 */
 public class WebAuthenticationDetails implements Serializable {
- //~ Instance fields ========================================================
-
 private String remoteAddress;
 private String sessionId;
- //~ Constructors ===========================================================
-
 /**
 * Constructor.
- *
+ *
 *
* NB: This constructor will cause a HttpSession
to be created
* (this is considered reasonable as all Acegi Security authentication
@@ -48,7 +43,14 @@ public class WebAuthenticationDetails implements Serializable {
*/
public WebAuthenticationDetails(HttpServletRequest request) {
this.remoteAddress = request.getRemoteAddr();
- this.sessionId = request.getSession().getId();
+ this.sessionId = request.getSession(true).getId();
+ doPopulateAdditionalInformation(request);
+ }
+
+ public WebAuthenticationDetails(HttpServletRequest request,
+ boolean forceSessionCreation) {
+ this.remoteAddress = request.getRemoteAddr();
+ this.sessionId = request.getSession(forceSessionCreation).getId();
doPopulateAdditionalInformation(request);
}
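Review bot: The new two-argument constructor dereferences `request.getSession(forceSessionCreation)` unconditionally, but `HttpServletRequest.getSession(false)` returns null when the request carries no session, so a caller passing `false` on a session-less request (which BasicProcessingFilter now does in its hunk at `@@ -174,7 +167,8 @@`) gets a NullPointerException instead of a details object — exactly the stateless remoting case the flag seems meant to serve. Guard it with `HttpSession session = request.getSession(forceSessionCreation);` followed by `this.sessionId = (session == null) ? null : session.getId();`, which needs `javax.servlet.http.HttpSession` imported (the import block is outside this hunk). The constructor also has no Javadoc; the existing one explains why a session is created, and this one should state that passing `false` may leave `sessionId` null so callers of the session-id accessor know to expect it. The one-argument constructor could simply delegate with `this(request, true);` so the two code paths cannot drift apart.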
@@ -56,8 +58,6 @@ public class WebAuthenticationDetails implements Serializable {
throw new IllegalArgumentException("Cannot use default constructor");
}
- //~ Methods ================================================================
-
/**
* Indicates the TCP/IP address the authentication request was received
* from.
@@ -92,5 +92,6 @@ public class WebAuthenticationDetails implements Serializable {
*
* @param request that the authentication request was received from
*/
- protected void doPopulateAdditionalInformation(HttpServletRequest request) {}
+ protected void doPopulateAdditionalInformation(HttpServletRequest request) {
+ }
}
diff --git a/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java b/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java
index 4f8b5166bd..37003f933f 100644
--- a/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java
+++ b/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java
@@ -12,7 +12,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-
package net.sf.acegisecurity.ui.basicauth;
import net.sf.acegisecurity.Authentication;
@@ -46,13 +45,13 @@ import javax.servlet.http.HttpServletResponse;
/**
* Processes a HTTP request's BASIC authorization headers, putting the result
* into the ContextHolder
.
- *
+ *
*
 * For a detailed background on what this filter is designed to process, refer
 * to RFC 1945, Section
 * 11.1. Any realm name presented in the HTTP request is ignored.
 *
- *
+ *
 *
* In summary, this filter is responsible for processing any request that has a
* HTTP request header of Authorization
with an authentication
@@ -61,28 +60,28 @@ import javax.servlet.http.HttpServletResponse;
* "Aladdin" with password "open sesame" the following header would be
* presented:
*
* Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
.
*
 * This filter can be used to provide BASIC authentication services to both
 * remoting protocol clients (such as Hessian and SOAP) as well as standard
 * user agents (such as Internet Explorer and Netscape).
 *
- *
+ *
 *
* If authentication is successful, the resulting {@link Authentication} object
* will be placed into the ContextHolder
.
*
 * If authentication fails, an {@link AuthenticationEntryPoint} implementation
 * is called. Usually this should be {@link BasicProcessingFilterEntryPoint},
 * which will prompt the user to authenticate again via BASIC authentication.
 *
- * + * ** Basic authentication is an attractive protocol because it is simple and * widely deployed. However, it still transmits a password in clear text and @@ -91,7 +90,7 @@ import javax.servlet.http.HttpServletResponse; * authentication wherever possible. See {@link * net.sf.acegisecurity.ui.digestauth.DigestProcessingFilter}. *
- *
+ *
 *
* Do not use this class directly. Instead configure
* web.xml
to use the {@link
@@ -102,17 +101,10 @@ import javax.servlet.http.HttpServletResponse;
* @version $Id$
*/
public class BasicProcessingFilter implements Filter, InitializingBean {
- //~ Static fields/initializers =============================================
-
private static final Log logger = LogFactory.getLog(BasicProcessingFilter.class);
-
- //~ Instance fields ========================================================
-
private AuthenticationEntryPoint authenticationEntryPoint;
private AuthenticationManager authenticationManager;
- //~ Methods ================================================================
-
public void setAuthenticationEntryPoint(
AuthenticationEntryPoint authenticationEntryPoint) {
this.authenticationEntryPoint = authenticationEntryPoint;
@@ -138,7 +130,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
"An AuthenticationEntryPoint is required");
}
- public void destroy() {}
+ public void destroy() {
+ }
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
@@ -174,7 +167,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
password);
- authRequest.setDetails(new WebAuthenticationDetails(httpRequest));
+ authRequest.setDetails(new WebAuthenticationDetails(httpRequest,
+ false));
Authentication authResult;
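Review bot: The bare `false` passed to the new WebAuthenticationDetails constructor is an unexplained boolean literal at the point where the authentication token's details are built; a reader has to open the constructor to learn that it means "do not create an HttpSession". A short comment above the call would carry the intent, e.g. `// do not create an HttpSession just to record its id; BASIC clients (remoting, scripted agents) are typically stateless`. The surrounding doFilter method starts and ends outside this hunk.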
@@ -183,8 +177,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
} catch (AuthenticationException failed) {
// Authentication failed
if (logger.isDebugEnabled()) {
- logger.debug("Authentication request for user: " + username
- + " failed: " + failed.toString());
+ logger.debug("Authentication request for user: " +
+ username + " failed: " + failed.toString());
}
SecurityContextHolder.getContext().setAuthentication(null);
@@ -195,7 +189,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
// Authentication success
if (logger.isDebugEnabled()) {
- logger.debug("Authentication success: " + authResult.toString());
+ logger.debug("Authentication success: " +
+ authResult.toString());
}
SecurityContextHolder.getContext().setAuthentication(authResult);
@@ -204,5 +199,6 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
chain.doFilter(request, response);
}
- public void init(FilterConfig arg0) throws ServletException {}
+ public void init(FilterConfig arg0) throws ServletException {
+ }
}
diff --git a/doc/xdocs/changes.xml b/doc/xdocs/changes.xml
index 4d4b07a72b..18d082e8cd 100644
--- a/doc/xdocs/changes.xml
+++ b/doc/xdocs/changes.xml
@@ -28,6 +28,7 @@