BasicAuthenticationProcessingFilter no longer creates HttpSession via WebAuthenticationDetails call.
This commit is contained in:
parent
c64a3770de
commit
35ca25f085
@ -12,7 +12,6 @@
|
|||||||
* See the License for the specific language governing permissions and
|
* See the License for the specific language governing permissions and
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
package net.sf.acegisecurity.ui;
|
package net.sf.acegisecurity.ui;
|
||||||
|
|
||||||
import java.io.Serializable;
|
import java.io.Serializable;
|
||||||
@ -27,16 +26,12 @@ import javax.servlet.http.HttpServletRequest;
|
|||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public class WebAuthenticationDetails implements Serializable {
|
public class WebAuthenticationDetails implements Serializable {
|
||||||
//~ Instance fields ========================================================
|
|
||||||
|
|
||||||
private String remoteAddress;
|
private String remoteAddress;
|
||||||
private String sessionId;
|
private String sessionId;
|
||||||
|
|
||||||
//~ Constructors ===========================================================
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Constructor.
|
* Constructor.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* NB: This constructor will cause a <code>HttpSession</code> to be created
|
* NB: This constructor will cause a <code>HttpSession</code> to be created
|
||||||
* (this is considered reasonable as all Acegi Security authentication
|
* (this is considered reasonable as all Acegi Security authentication
|
||||||
@ -48,7 +43,14 @@ public class WebAuthenticationDetails implements Serializable {
|
|||||||
*/
|
*/
|
||||||
public WebAuthenticationDetails(HttpServletRequest request) {
|
public WebAuthenticationDetails(HttpServletRequest request) {
|
||||||
this.remoteAddress = request.getRemoteAddr();
|
this.remoteAddress = request.getRemoteAddr();
|
||||||
this.sessionId = request.getSession().getId();
|
this.sessionId = request.getSession(true).getId();
|
||||||
|
doPopulateAdditionalInformation(request);
|
||||||
|
}
|
||||||
|
|
||||||
|
public WebAuthenticationDetails(HttpServletRequest request,
|
||||||
|
boolean forceSessionCreation) {
|
||||||
|
this.remoteAddress = request.getRemoteAddr();
|
||||||
|
this.sessionId = request.getSession(forceSessionCreation).getId();
|
||||||
doPopulateAdditionalInformation(request);
|
doPopulateAdditionalInformation(request);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -56,8 +58,6 @@ public class WebAuthenticationDetails implements Serializable {
|
|||||||
throw new IllegalArgumentException("Cannot use default constructor");
|
throw new IllegalArgumentException("Cannot use default constructor");
|
||||||
}
|
}
|
||||||
|
|
||||||
//~ Methods ================================================================
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates the TCP/IP address the authentication request was received
|
* Indicates the TCP/IP address the authentication request was received
|
||||||
* from.
|
* from.
|
||||||
@ -92,5 +92,6 @@ public class WebAuthenticationDetails implements Serializable {
|
|||||||
*
|
*
|
||||||
* @param request that the authentication request was received from
|
* @param request that the authentication request was received from
|
||||||
*/
|
*/
|
||||||
protected void doPopulateAdditionalInformation(HttpServletRequest request) {}
|
protected void doPopulateAdditionalInformation(HttpServletRequest request) {
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
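Review bot: The new two-argument constructor in the @ -48,7 +43,14 hunk dereferences `request.getSession(forceSessionCreation)` unconditionally, so when `forceSessionCreation` is false and the request carries no session, `getSession(false)` returns null and the constructor throws a NullPointerException rather than recording an absent session; BasicProcessingFilter in this same commit passes false, so a request that arrives without an existing session would appear to fail there before authentication is attempted. Guard the lookup: `javax.servlet.http.HttpSession session = request.getSession(forceSessionCreation);` followed by `this.sessionId = (session == null) ? null : session.getId();`. The new constructor also has no Javadoc while the one-argument constructor keeps its note about forcing session creation; a doc comment stating that `forceSessionCreation` controls whether a session is created on demand and that `sessionId` may then be null would make the contract explicit for callers. The rest of the class (the accessors that expose `sessionId`) lies outside the hunks, so their tolerance of a null value cannot be confirmed from here.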
@ -12,7 +12,6 @@
|
|||||||
* See the License for the specific language governing permissions and
|
* See the License for the specific language governing permissions and
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
package net.sf.acegisecurity.ui.basicauth;
|
package net.sf.acegisecurity.ui.basicauth;
|
||||||
|
|
||||||
import net.sf.acegisecurity.Authentication;
|
import net.sf.acegisecurity.Authentication;
|
||||||
@ -46,13 +45,13 @@ import javax.servlet.http.HttpServletResponse;
|
|||||||
/**
|
/**
|
||||||
* Processes a HTTP request's BASIC authorization headers, putting the result
|
* Processes a HTTP request's BASIC authorization headers, putting the result
|
||||||
* into the <code>ContextHolder</code>.
|
* into the <code>ContextHolder</code>.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* For a detailed background on what this filter is designed to process, refer
|
* For a detailed background on what this filter is designed to process, refer
|
||||||
* to <A HREF="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section
|
* to <A HREF="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section
|
||||||
* 11.1</A>. Any realm name presented in the HTTP request is ignored.
|
* 11.1</A>. Any realm name presented in the HTTP request is ignored.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* In summary, this filter is responsible for processing any request that has a
|
* In summary, this filter is responsible for processing any request that has a
|
||||||
* HTTP request header of <code>Authorization</code> with an authentication
|
* HTTP request header of <code>Authorization</code> with an authentication
|
||||||
@ -61,28 +60,28 @@ import javax.servlet.http.HttpServletResponse;
|
|||||||
* "Aladdin" with password "open sesame" the following header would be
|
* "Aladdin" with password "open sesame" the following header would be
|
||||||
* presented:
|
* presented:
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* <code>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code>.
|
* <code>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code>.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* This filter can be used to provide BASIC authentication services to both
|
* This filter can be used to provide BASIC authentication services to both
|
||||||
* remoting protocol clients (such as Hessian and SOAP) as well as standard
|
* remoting protocol clients (such as Hessian and SOAP) as well as standard
|
||||||
* user agents (such as Internet Explorer and Netscape).
|
* user agents (such as Internet Explorer and Netscape).
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* If authentication is successful, the resulting {@link Authentication} object
|
* If authentication is successful, the resulting {@link Authentication} object
|
||||||
* will be placed into the <code>ContextHolder</code>.
|
* will be placed into the <code>ContextHolder</code>.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* If authentication fails, an {@link AuthenticationEntryPoint} implementation
|
* If authentication fails, an {@link AuthenticationEntryPoint} implementation
|
||||||
* is called. Usually this should be {@link BasicProcessingFilterEntryPoint},
|
* is called. Usually this should be {@link BasicProcessingFilterEntryPoint},
|
||||||
* which will prompt the user to authenticate again via BASIC authentication.
|
* which will prompt the user to authenticate again via BASIC authentication.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Basic authentication is an attractive protocol because it is simple and
|
* Basic authentication is an attractive protocol because it is simple and
|
||||||
* widely deployed. However, it still transmits a password in clear text and
|
* widely deployed. However, it still transmits a password in clear text and
|
||||||
@ -91,7 +90,7 @@ import javax.servlet.http.HttpServletResponse;
|
|||||||
* authentication wherever possible. See {@link
|
* authentication wherever possible. See {@link
|
||||||
* net.sf.acegisecurity.ui.digestauth.DigestProcessingFilter}.
|
* net.sf.acegisecurity.ui.digestauth.DigestProcessingFilter}.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* <B>Do not use this class directly.</B> Instead configure
|
* <B>Do not use this class directly.</B> Instead configure
|
||||||
* <code>web.xml</code> to use the {@link
|
* <code>web.xml</code> to use the {@link
|
||||||
@ -102,17 +101,10 @@ import javax.servlet.http.HttpServletResponse;
|
|||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public class BasicProcessingFilter implements Filter, InitializingBean {
|
public class BasicProcessingFilter implements Filter, InitializingBean {
|
||||||
//~ Static fields/initializers =============================================
|
|
||||||
|
|
||||||
private static final Log logger = LogFactory.getLog(BasicProcessingFilter.class);
|
private static final Log logger = LogFactory.getLog(BasicProcessingFilter.class);
|
||||||
|
|
||||||
//~ Instance fields ========================================================
|
|
||||||
|
|
||||||
private AuthenticationEntryPoint authenticationEntryPoint;
|
private AuthenticationEntryPoint authenticationEntryPoint;
|
||||||
private AuthenticationManager authenticationManager;
|
private AuthenticationManager authenticationManager;
|
||||||
|
|
||||||
//~ Methods ================================================================
|
|
||||||
|
|
||||||
public void setAuthenticationEntryPoint(
|
public void setAuthenticationEntryPoint(
|
||||||
AuthenticationEntryPoint authenticationEntryPoint) {
|
AuthenticationEntryPoint authenticationEntryPoint) {
|
||||||
this.authenticationEntryPoint = authenticationEntryPoint;
|
this.authenticationEntryPoint = authenticationEntryPoint;
|
||||||
@ -138,7 +130,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
|
|||||||
"An AuthenticationEntryPoint is required");
|
"An AuthenticationEntryPoint is required");
|
||||||
}
|
}
|
||||||
|
|
||||||
public void destroy() {}
|
public void destroy() {
|
||||||
|
}
|
||||||
|
|
||||||
public void doFilter(ServletRequest request, ServletResponse response,
|
public void doFilter(ServletRequest request, ServletResponse response,
|
||||||
FilterChain chain) throws IOException, ServletException {
|
FilterChain chain) throws IOException, ServletException {
|
||||||
@ -174,7 +167,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
|
|||||||
|
|
||||||
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
|
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
|
||||||
password);
|
password);
|
||||||
authRequest.setDetails(new WebAuthenticationDetails(httpRequest));
|
authRequest.setDetails(new WebAuthenticationDetails(httpRequest,
|
||||||
|
false));
|
||||||
|
|
||||||
Authentication authResult;
|
Authentication authResult;
|
||||||
|
|
||||||
@ -183,8 +177,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
|
|||||||
} catch (AuthenticationException failed) {
|
} catch (AuthenticationException failed) {
|
||||||
// Authentication failed
|
// Authentication failed
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug("Authentication request for user: " + username
|
logger.debug("Authentication request for user: " +
|
||||||
+ " failed: " + failed.toString());
|
username + " failed: " + failed.toString());
|
||||||
}
|
}
|
||||||
|
|
||||||
SecurityContextHolder.getContext().setAuthentication(null);
|
SecurityContextHolder.getContext().setAuthentication(null);
|
||||||
@ -195,7 +189,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
|
|||||||
|
|
||||||
// Authentication success
|
// Authentication success
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug("Authentication success: " + authResult.toString());
|
logger.debug("Authentication success: " +
|
||||||
|
authResult.toString());
|
||||||
}
|
}
|
||||||
|
|
||||||
SecurityContextHolder.getContext().setAuthentication(authResult);
|
SecurityContextHolder.getContext().setAuthentication(authResult);
|
||||||
@ -204,5 +199,6 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
|
|||||||
chain.doFilter(request, response);
|
chain.doFilter(request, response);
|
||||||
}
|
}
|
||||||
|
|
||||||
public void init(FilterConfig arg0) throws ServletException {}
|
public void init(FilterConfig arg0) throws ServletException {
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
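Review bot: The bare `false` literal in `new WebAuthenticationDetails(httpRequest, false)` in the @ -174,7 +167,8 hunk gives a reader of doFilter no indication of why this filter must not create a session; a short comment would preserve the intent the commit title states: `// Do not force HttpSession creation for BASIC clients; record only an already-existing session id`. This call relies on the two-argument constructor handling a null return from `getSession(false)`, which the constructor added in this commit does not do, so that null-guard is what makes the `false` argument safe. doFilter begins and ends outside the hunk.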
@ -28,6 +28,7 @@
|
|||||||
<release version="0.9.0" date="In CVS">
|
<release version="0.9.0" date="In CVS">
|
||||||
<action dev="markstg" type="add">SwitchUserProcessingFilter to provide user security context switching</action>
|
<action dev="markstg" type="add">SwitchUserProcessingFilter to provide user security context switching</action>
|
||||||
<action dev="markstg" type="add">Java 1.5 annotation support</action>
|
<action dev="markstg" type="add">Java 1.5 annotation support</action>
|
||||||
|
<action dev="benalex" type="update">BasicAuthenticationProcessingFilter no longer creates HttpSession via WebAuthenticationDetails call</action>
|
||||||
<action dev="benalex" type="update">JdbcDaoImpl modified to support synthetic primary keys</action>
|
<action dev="benalex" type="update">JdbcDaoImpl modified to support synthetic primary keys</action>
|
||||||
<action dev="benalex" type="update">Greatly improve BasicAclEntryAfterInvocationCollectionFilteringProvider performance with large collections (if the principal has access to relatively few collection elements)</action>
|
<action dev="benalex" type="update">Greatly improve BasicAclEntryAfterInvocationCollectionFilteringProvider performance with large collections (if the principal has access to relatively few collection elements)</action>
|
||||||
<action dev="benalex" type="update">Reorder DaoAuthenticationProvider exception logic as per developer list discussion</action>
|
<action dev="benalex" type="update">Reorder DaoAuthenticationProvider exception logic as per developer list discussion</action>
|
||||||
|