SEC-144: Separate SecurityEnforcementFilter from FilterSecurityInterceptor.

core/src/main/java/org/acegisecurity/InsufficientAuthenticationException.java

@@ -24,7 +24,7 @@ package org.acegisecurity;
  * this exception if they are dissatisfied with the level of the
  * authentication, such as if performed using a remember-me mechanism or
  * anonymously. The commonly used {@link
- * org.acegisecurity.intercept.web.SecurityEnforcementFilter} will thus
+ * org.acegisecurity.ui.ExceptionTranslationFilter} will thus
  * cause the <code>AuthenticationEntryPoint</code> to be called, allowing the
  * principal to authenticate with a stronger level of authentication.
  * </p>

core/src/main/java/org/acegisecurity/intercept/web/FilterSecurityInterceptor.java

@@ -1,4 +1,4 @@
-/* Copyright 2004, 2005 Acegi Technology Pty Limited
+/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,18 +19,19 @@ import org.acegisecurity.intercept.AbstractSecurityInterceptor;
 import org.acegisecurity.intercept.InterceptorStatusToken;
 import org.acegisecurity.intercept.ObjectDefinitionSource;
 
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
 
 /**
  * Performs security handling of HTTP resources via a filter implementation.
  * 
- * <P>
- * End users should <B>only</B> use this class to configure their HTTP security
- * configuration in an application context. They should <B>not</B> attempt to
- * invoke the <code>FilterSecurityInterceptor</code> except as a standard bean
- * registration in an application context. At runtime, this class will provide
- * services to web applications via the {@link SecurityEnforcementFilter}.
- * </p>
- * 
  * <p>
  * The <code>ObjectDefinitionSource</code> required by this security
  * interceptor is of type {@link FilterInvocationDefinitionSource}.
@@ -43,7 +44,8 @@ import org.acegisecurity.intercept.ObjectDefinitionSource;
  * @author Ben Alex
  * @version $Id$
  */
-public class FilterSecurityInterceptor extends AbstractSecurityInterceptor {
+public class FilterSecurityInterceptor extends AbstractSecurityInterceptor
+    implements Filter {
     //~ Static fields/initializers =============================================
 
     private static final String FILTER_APPLIED = "__acegi_filterSecurityInterceptor_filterApplied";
@@ -55,41 +57,47 @@ public class FilterSecurityInterceptor extends AbstractSecurityInterceptor {
 
     //~ Methods ================================================================
 
-    public void setObjectDefinitionSource(
+    /**
-        FilterInvocationDefinitionSource newSource) {
+     * Not used (we rely on IoC container lifecycle services instead)
-        this.objectDefinitionSource = newSource;
+     */
+    public void destroy() {}
+
+    /**
+     * Method that is actually called by the filter chain. Simply delegates to
+     * the {@link #invoke(FilterInvocation)} method.
+     *
+     * @param request the servlet request
+     * @param response the servlet response
+     * @param chain the filter chain
+     *
+     * @throws IOException if the filter chain fails
+     * @throws ServletException if the filter chain fails
+     */
+    public void doFilter(ServletRequest request, ServletResponse response,
+        FilterChain chain) throws IOException, ServletException {
+        FilterInvocation fi = new FilterInvocation(request, response, chain);
+        invoke(fi);
     }
 
     public FilterInvocationDefinitionSource getObjectDefinitionSource() {
         return this.objectDefinitionSource;
     }
 
-    public void setObserveOncePerRequest(boolean observeOncePerRequest) {
-        this.observeOncePerRequest = observeOncePerRequest;
-    }
-
-    /**
-     * Indicates whether once-per-request handling will be observed. By default
-     * this is <code>true</code>, meaning the
-     * <code>FilterSecurityInterceptor</code> will only execute
-     * once-per-request. Sometimes users may wish it to execute more than once
-     * per request, such as when JSP forwards are being used and filter
-     * security is desired on each included fragment of the HTTP request.
-     *
-     * @return <code>true</code> (the default) if once-per-request is honoured,
-     *         otherwise <code>false</code> if
-     *         <code>FilterSecurityInterceptor</code> will enforce
-     *         authorizations for each and every fragment of the HTTP request.
-     */
-    public boolean isObserveOncePerRequest() {
-        return observeOncePerRequest;
-    }
-
     public Class getSecureObjectClass() {
         return FilterInvocation.class;
     }
 
-    public void invoke(FilterInvocation fi) throws Throwable {
+    /**
+     * Not used (we rely on IoC container lifecycle services instead)
+     *
+     * @param arg0 ignored
+     *
+     * @throws ServletException never thrown
+     */
+    public void init(FilterConfig arg0) throws ServletException {}
+
+    public void invoke(FilterInvocation fi)
+        throws IOException, ServletException {
         if ((fi.getRequest() != null)
             && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
             && observeOncePerRequest) {
@@ -112,7 +120,33 @@ public class FilterSecurityInterceptor extends AbstractSecurityInterceptor {
         }
     }
 
+    /**
+     * Indicates whether once-per-request handling will be observed. By default
+     * this is <code>true</code>, meaning the
+     * <code>FilterSecurityInterceptor</code> will only execute
+     * once-per-request. Sometimes users may wish it to execute more than once
+     * per request, such as when JSP forwards are being used and filter
+     * security is desired on each included fragment of the HTTP request.
+     *
+     * @return <code>true</code> (the default) if once-per-request is honoured,
+     *         otherwise <code>false</code> if
+     *         <code>FilterSecurityInterceptor</code> will enforce
+     *         authorizations for each and every fragment of the HTTP request.
+     */
+    public boolean isObserveOncePerRequest() {
+        return observeOncePerRequest;
+    }
+
     public ObjectDefinitionSource obtainObjectDefinitionSource() {
         return this.objectDefinitionSource;
     }
+
+    public void setObjectDefinitionSource(
+        FilterInvocationDefinitionSource newSource) {
+        this.objectDefinitionSource = newSource;
+    }
+
+    public void setObserveOncePerRequest(boolean observeOncePerRequest) {
+        this.observeOncePerRequest = observeOncePerRequest;
+    }
 }

core/src/main/java/org/acegisecurity/ui/AuthenticationEntryPoint.java

@@ -13,7 +13,7 @@
  * limitations under the License.
  */
 
-package org.acegisecurity.intercept.web;
+package org.acegisecurity.ui;
 
 import org.acegisecurity.AuthenticationException;
 
@@ -25,7 +25,7 @@ import javax.servlet.ServletResponse;
 
 
 /**
- * Used by {@link SecurityEnforcementFilter} to commence an authentication
+ * Used by {@link ExceptionTranslationFilter} to commence an authentication
  * scheme.
  *
  * @author Ben Alex

core/src/main/java/org/acegisecurity/ui/ExceptionTranslationFilter.java

@@ -1,4 +1,4 @@
-/* Copyright 2004, 2005 Acegi Technology Pty Limited
+/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -12,15 +12,19 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.acegisecurity.intercept.web;
+
+package org.acegisecurity.ui;
 
 import org.acegisecurity.AccessDeniedException;
 import org.acegisecurity.AuthenticationException;
 import org.acegisecurity.AuthenticationTrustResolver;
 import org.acegisecurity.AuthenticationTrustResolverImpl;
 import org.acegisecurity.InsufficientAuthenticationException;
+
 import org.acegisecurity.context.SecurityContextHolder;
-import org.acegisecurity.ui.AbstractProcessingFilter;
+
+import org.acegisecurity.intercept.web.FilterInvocation;
+
 import org.acegisecurity.util.PortResolver;
 import org.acegisecurity.util.PortResolverImpl;
 
@@ -44,11 +48,13 @@ import javax.servlet.http.HttpServletResponse;
 
 
 /**
- * Wraps requests to the {@link FilterSecurityInterceptor}.
+ * Handles any <code>AccessDeniedException</code> and
+ * <code>AuthenticationException</code> thrown within the filter chain.
  * 
  * <p>
- * This filter is necessary because it provides the bridge between incoming
+ * This filter is necessary because it provides the bridge between Java
- * requests and the <code>FilterSecurityInterceptor</code> instance.
+ * exceptions and HTTP responses. It is solely concerned with maintaining the
+ * user interface. This filter does not do any actual security enforcement.
  * </p>
  * 
  * <p>
@@ -77,11 +83,6 @@ import javax.servlet.http.HttpServletResponse;
  * 
  * <ul>
  * <li>
- * <code>filterSecurityInterceptor</code> indicates the
- * <code>FilterSecurityInterceptor</code> to delegate HTTP security decisions
- * to.
- * </li>
- * <li>
  * <code>authenticationEntryPoint</code> indicates the handler that should
  * commence the authentication process if an
  * <code>AuthenticationException</code> is detected. Note that this may also
@@ -103,83 +104,30 @@ import javax.servlet.http.HttpServletResponse;
  * @author colin sampaleanu
  * @version $Id$
  */
-public class SecurityEnforcementFilter implements Filter, InitializingBean {
+public class ExceptionTranslationFilter implements Filter, InitializingBean {
-    private static final Log logger = LogFactory.getLog(SecurityEnforcementFilter.class);
+    //~ Static fields/initializers =============================================
+
+    private static final Log logger = LogFactory.getLog(ExceptionTranslationFilter.class);
     public static final String ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY = "ACEGI_SECURITY_403_EXCEPTION";
+
+    //~ Instance fields ========================================================
+
     private AuthenticationEntryPoint authenticationEntryPoint;
     private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
-    private FilterSecurityInterceptor filterSecurityInterceptor;
     private PortResolver portResolver = new PortResolverImpl();
     private boolean createSessionAllowed = true;
 
-    public void setAuthenticationEntryPoint(
+    //~ Methods ================================================================
-        AuthenticationEntryPoint authenticationEntryPoint) {
-        this.authenticationEntryPoint = authenticationEntryPoint;
-    }
-
-    public AuthenticationEntryPoint getAuthenticationEntryPoint() {
-        return authenticationEntryPoint;
-    }
-
-    public void setAuthenticationTrustResolver(
-        AuthenticationTrustResolver authenticationTrustResolver) {
-        this.authenticationTrustResolver = authenticationTrustResolver;
-    }
-
-    /**
-     * If <code>true</code>, indicates that <code>SecurityEnforcementFilter</code> is permitted
-     * to store the target URL and exception information in the <code>HttpSession</code> (the
-     * default). In situations where you do not wish to unnecessarily create <code>HttpSession</code>s
-     * - because the user agent will know the failed URL, such as with BASIC or Digest authentication
-     * - you may wish to set this property to <code>false</code>. Remember to also set the
-     * {@link org.acegisecurity.context.HttpSessionContextIntegrationFilter#allowSessionCreation}
-     * to <code>false</code> if you set this property to <code>false</code>.
-     *
-     * @return <code>true</code> if the <code>HttpSession</code> will be used to store information
-     * about the failed request, <code>false</code> if the <code>HttpSession</code> will not be
-     * used
-     */
-    public boolean isCreateSessionAllowed() {
-        return createSessionAllowed;
-    }
-
-    public void setCreateSessionAllowed(boolean createSessionAllowed) {
-        this.createSessionAllowed = createSessionAllowed;
-    }
-
-    public AuthenticationTrustResolver getAuthenticationTrustResolver() {
-        return authenticationTrustResolver;
-    }
-
-    public void setFilterSecurityInterceptor(
-        FilterSecurityInterceptor filterSecurityInterceptor) {
-        this.filterSecurityInterceptor = filterSecurityInterceptor;
-    }
-
-    public FilterSecurityInterceptor getFilterSecurityInterceptor() {
-        return filterSecurityInterceptor;
-    }
-
-    public void setPortResolver(PortResolver portResolver) {
-        this.portResolver = portResolver;
-    }
-
-    public PortResolver getPortResolver() {
-        return portResolver;
-    }
 
     public void afterPropertiesSet() throws Exception {
         Assert.notNull(authenticationEntryPoint,
             "authenticationEntryPoint must be specified");
-        Assert.notNull(filterSecurityInterceptor,
-            "filterSecurityInterceptor must be specified");
         Assert.notNull(portResolver, "portResolver must be specified");
         Assert.notNull(authenticationTrustResolver,
             "authenticationTrustResolver must be specified");
     }
 
-    public void destroy() {
+    public void destroy() {}
-    }
 
     public void doFilter(ServletRequest request, ServletResponse response,
         FilterChain chain) throws IOException, ServletException {
@@ -191,10 +139,8 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
             throw new ServletException("HttpServletResponse required");
         }
 
-        FilterInvocation fi = new FilterInvocation(request, response, chain);
-
         try {
-            filterSecurityInterceptor.invoke(fi);
+            chain.doFilter(request, response);
 
             if (logger.isDebugEnabled()) {
                 logger.debug("Chain processed normally");
@@ -205,7 +151,7 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
                     authentication);
             }
 
-            sendStartAuthentication(fi, authentication);
+            sendStartAuthentication(request, response, chain, authentication);
         } catch (AccessDeniedException accessDenied) {
             if (authenticationTrustResolver.isAnonymous(
                     SecurityContextHolder.getContext().getAuthentication())) {
@@ -214,7 +160,7 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
                         accessDenied);
                 }
 
-                sendStartAuthentication(fi,
+                sendStartAuthentication(request, response, chain,
                     new InsufficientAuthenticationException(
                         "Full authentication is required to access this resource"));
             } else {
@@ -223,7 +169,7 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
                         accessDenied);
                 }
 
-                sendAccessDeniedError(fi, accessDenied);
+                sendAccessDeniedError(request, response, chain, accessDenied);
             }
         } catch (ServletException e) {
             throw e;
@@ -234,48 +180,86 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
         }
     }
 
-    public void init(FilterConfig filterConfig) throws ServletException {
+    public AuthenticationEntryPoint getAuthenticationEntryPoint() {
+        return authenticationEntryPoint;
     }
 
-    protected void sendAccessDeniedError(FilterInvocation fi,
+    public AuthenticationTrustResolver getAuthenticationTrustResolver() {
+        return authenticationTrustResolver;
+    }
+
+    public PortResolver getPortResolver() {
+        return portResolver;
+    }
+
+    public void init(FilterConfig filterConfig) throws ServletException {}
+
+    /**
+     * If <code>true</code>, indicates that
+     * <code>SecurityEnforcementFilter</code> is permitted to store the target
+     * URL and exception information in the <code>HttpSession</code> (the
+     * default). In situations where you do not wish to unnecessarily create
+     * <code>HttpSession</code>s - because the user agent will know the failed
+     * URL, such as with BASIC or Digest authentication - you may wish to set
+     * this property to <code>false</code>. Remember to also set the {@link
+     * org.acegisecurity.context.HttpSessionContextIntegrationFilter#allowSessionCreation}
+     * to <code>false</code> if you set this property to <code>false</code>.
+     *
+     * @return <code>true</code> if the <code>HttpSession</code> will be used
+     *         to store information about the failed request,
+     *         <code>false</code> if the <code>HttpSession</code> will not be
+     *         used
+     */
+    public boolean isCreateSessionAllowed() {
+        return createSessionAllowed;
+    }
+
+    protected void sendAccessDeniedError(ServletRequest request,
+        ServletResponse response, FilterChain chain,
         AccessDeniedException accessDenied)
         throws ServletException, IOException {
         if (createSessionAllowed) {
-            ((HttpServletRequest) fi.getRequest()).getSession().setAttribute(ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY,
+            ((HttpServletRequest) request).getSession()
+             .setAttribute(ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY,
                 accessDenied);
         }
 
-        ((HttpServletResponse) fi.getResponse()).sendError(HttpServletResponse.SC_FORBIDDEN,
+        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
             accessDenied.getMessage()); // 403
     }
 
-    protected void sendStartAuthentication(FilterInvocation fi,
+    protected void sendStartAuthentication(ServletRequest request,
+        ServletResponse response, FilterChain chain,
         AuthenticationException reason) throws ServletException, IOException {
-        HttpServletRequest request = (HttpServletRequest) fi.getRequest();
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
 
-        int port = portResolver.getServerPort(request);
+        int port = portResolver.getServerPort(httpRequest);
         boolean includePort = true;
 
-        if ("http".equals(request.getScheme().toLowerCase()) && (port == 80)) {
+        if ("http".equals(httpRequest.getScheme().toLowerCase())
+            && (port == 80)) {
             includePort = false;
         }
 
-        if ("https".equals(request.getScheme().toLowerCase()) && (port == 443)) {
+        if ("https".equals(httpRequest.getScheme().toLowerCase())
+            && (port == 443)) {
             includePort = false;
         }
 
-        String targetUrl = request.getScheme() + "://" +
+        String targetUrl = httpRequest.getScheme() + "://"
-            request.getServerName() + ((includePort) ? (":" + port) : "") +
+            + httpRequest.getServerName() + ((includePort) ? (":" + port) : "")
-            request.getContextPath() + fi.getRequestUrl();
+            + httpRequest.getContextPath()
+            + new FilterInvocation(request, response, chain).getRequestUrl();
 
         if (logger.isDebugEnabled()) {
             logger.debug(
-                "Authentication entry point being called; target URL added to Session: " +
+                "Authentication entry point being called; target URL added to Session: "
-                targetUrl);
+                + targetUrl);
         }
 
         if (createSessionAllowed) {
-            ((HttpServletRequest) request).getSession().setAttribute(AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY,
+            httpRequest.getSession()
+                       .setAttribute(AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY,
                 targetUrl);
         }
 
@@ -283,7 +267,25 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
         // existing Authentication is no longer considered valid
         SecurityContextHolder.getContext().setAuthentication(null);
 
-        authenticationEntryPoint.commence(request,
+        authenticationEntryPoint.commence(httpRequest,
-            (HttpServletResponse) fi.getResponse(), reason);
+            (HttpServletResponse) response, reason);
+    }
+
+    public void setAuthenticationEntryPoint(
+        AuthenticationEntryPoint authenticationEntryPoint) {
+        this.authenticationEntryPoint = authenticationEntryPoint;
+    }
+
+    public void setAuthenticationTrustResolver(
+        AuthenticationTrustResolver authenticationTrustResolver) {
+        this.authenticationTrustResolver = authenticationTrustResolver;
+    }
+
+    public void setCreateSessionAllowed(boolean createSessionAllowed) {
+        this.createSessionAllowed = createSessionAllowed;
+    }
+
+    public void setPortResolver(PortResolver portResolver) {
+        this.portResolver = portResolver;
     }
 }

core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java

@@ -19,8 +19,8 @@ import org.acegisecurity.Authentication;
 import org.acegisecurity.AuthenticationException;
 import org.acegisecurity.AuthenticationManager;
 import org.acegisecurity.context.SecurityContextHolder;
-import org.acegisecurity.intercept.web.AuthenticationEntryPoint;
 import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
+import org.acegisecurity.ui.AuthenticationEntryPoint;
 import org.acegisecurity.ui.WebAuthenticationDetails;
 
 import org.apache.commons.codec.binary.Base64;

core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilterEntryPoint.java

@@ -16,7 +16,7 @@
 package org.acegisecurity.ui.basicauth;
 
 import org.acegisecurity.AuthenticationException;
-import org.acegisecurity.intercept.web.AuthenticationEntryPoint;
+import org.acegisecurity.ui.AuthenticationEntryPoint;
 
 import org.springframework.beans.factory.InitializingBean;
 

core/src/main/java/org/acegisecurity/ui/cas/CasProcessingFilterEntryPoint.java

@@ -16,7 +16,7 @@
 package org.acegisecurity.ui.cas;
 
 import org.acegisecurity.AuthenticationException;
-import org.acegisecurity.intercept.web.AuthenticationEntryPoint;
+import org.acegisecurity.ui.AuthenticationEntryPoint;
 
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.util.Assert;

core/src/main/java/org/acegisecurity/ui/digestauth/DigestProcessingFilter.java

@@ -84,7 +84,7 @@ import org.springframework.util.StringUtils;
  * 
  * <p>
  * If authentication fails, an {@link
- * org.acegisecurity.intercept.web.AuthenticationEntryPoint
+ * org.acegisecurity.ui.AuthenticationEntryPoint
  * AuthenticationEntryPoint} implementation is called. This must always be
  * {@link DigestProcessingFilterEntryPoint}, which will prompt the user to
  * authenticate again via Digest authentication.

core/src/main/java/org/acegisecurity/ui/digestauth/DigestProcessingFilterEntryPoint.java

@@ -16,7 +16,7 @@
 package org.acegisecurity.ui.digestauth;
 
 import org.acegisecurity.AuthenticationException;
-import org.acegisecurity.intercept.web.AuthenticationEntryPoint;
+import org.acegisecurity.ui.AuthenticationEntryPoint;
 
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.digest.DigestUtils;

core/src/main/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilterEntryPoint.java

@@ -15,7 +15,7 @@
 package org.acegisecurity.ui.webapp;
 
 import org.acegisecurity.AuthenticationException;
-import org.acegisecurity.intercept.web.AuthenticationEntryPoint;
+import org.acegisecurity.ui.AuthenticationEntryPoint;
 import org.acegisecurity.util.PortMapper;
 import org.acegisecurity.util.PortMapperImpl;
 import org.acegisecurity.util.PortResolver;

core/src/main/java/org/acegisecurity/ui/x509/X509ProcessingFilterEntryPoint.java

@@ -15,7 +15,7 @@
 
 package org.acegisecurity.ui.x509;
 
-import org.acegisecurity.intercept.web.AuthenticationEntryPoint;
+import org.acegisecurity.ui.AuthenticationEntryPoint;
 import org.acegisecurity.AuthenticationException;
 
 import javax.servlet.ServletRequest;
@@ -42,7 +42,7 @@ import org.apache.commons.logging.LogFactory;
  *
  * @author Luke Taylor
  * @version $Id$
- * @see org.acegisecurity.intercept.web.SecurityEnforcementFilter
+ * @see org.acegisecurity.ui.ExceptionTranslationFilter
  */
 public class X509ProcessingFilterEntryPoint implements AuthenticationEntryPoint {
     //~ Static fields/initializers =============================================

core/src/test/java/org/acegisecurity/MockAuthenticationEntryPoint.java

@@ -15,7 +15,7 @@
 
 package org.acegisecurity;
 
-import org.acegisecurity.intercept.web.AuthenticationEntryPoint;
+import org.acegisecurity.ui.AuthenticationEntryPoint;
 
 import java.io.IOException;
 

core/src/test/java/org/acegisecurity/ui/ExceptionTranslationFilterTests.java

@@ -1,4 +1,4 @@
-/* Copyright 2004, 2005 Acegi Technology Pty Limited
+/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,7 +13,14 @@
  * limitations under the License.
  */
 
-package org.acegisecurity.intercept.web;
+package org.acegisecurity.ui;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 
 import junit.framework.TestCase;
 
@@ -27,43 +34,40 @@ import org.acegisecurity.context.SecurityContextHolder;
 import org.acegisecurity.context.SecurityContextImpl;
 import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;
 import org.acegisecurity.ui.webapp.AuthenticationProcessingFilter;
-
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 
-import java.io.IOException;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-
 
 /**
- * Tests {@link SecurityEnforcementFilter}.
+ * Tests {@link ExceptionTranslationFilter}.
  *
  * @author Ben Alex
  * @version $Id$
  */
-public class SecurityEnforcementFilterTests extends TestCase {
+public class ExceptionTranslationFilterTests extends TestCase {
     //~ Constructors ===========================================================
 
-    public SecurityEnforcementFilterTests() {
+    public ExceptionTranslationFilterTests() {
         super();
     }
 
-    public SecurityEnforcementFilterTests(String arg0) {
+    public ExceptionTranslationFilterTests(String arg0) {
         super(arg0);
     }
 
     //~ Methods ================================================================
 
+    public static void main(String[] args) {
+        junit.textui.TestRunner.run(ExceptionTranslationFilterTests.class);
+    }
+
     public final void setUp() throws Exception {
         super.setUp();
     }
 
-    public static void main(String[] args) {
+    protected void tearDown() throws Exception {
-        junit.textui.TestRunner.run(SecurityEnforcementFilterTests.class);
+        super.tearDown();
+        SecurityContextHolder.setContext(new SecurityContextImpl());
     }
 
     public void testAccessDeniedWhenAnonymous() throws Exception {
@@ -76,21 +80,17 @@ public class SecurityEnforcementFilterTests extends TestCase {
         request.setContextPath("/mycontext");
         request.setRequestURI("/mycontext/secure/page.html");
 
-        // Setup our expectation that the filter chain will not be invoked, as access is denied
+        // Setup the FilterChain to thrown an access denied exception
-        MockFilterChain chain = new MockFilterChain(false);
+        MockFilterChain chain = new MockFilterChain(true, false, false, false);
-
-        // Setup the FilterSecurityInterceptor thrown an access denied exception
-        MockFilterSecurityInterceptor interceptor = new MockFilterSecurityInterceptor(true,
-                false, false, false);
 
         // Setup SecurityContextHolder, as filter needs to check if user is anonymous
-        SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken(
+        SecurityContextHolder.getContext()
+                             .setAuthentication(new AnonymousAuthenticationToken(
                 "ignored", "ignored",
                 new GrantedAuthority[] {new GrantedAuthorityImpl("IGNORED")}));
 
         // Test
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
-        filter.setFilterSecurityInterceptor(interceptor);
         filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(
                 "/login.jsp"));
 
@@ -98,7 +98,8 @@ public class SecurityEnforcementFilterTests extends TestCase {
         filter.doFilter(request, response, chain);
         assertEquals("/mycontext/login.jsp", response.getRedirectedUrl());
         assertEquals("http://www.example.com/mycontext/secure/page.html",
-            request.getSession().getAttribute(AuthenticationProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY));
+            request.getSession()
+                   .getAttribute(AuthenticationProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY));
     }
 
     public void testAccessDeniedWhenNonAnonymous() throws Exception {
@@ -106,19 +107,14 @@ public class SecurityEnforcementFilterTests extends TestCase {
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setServletPath("/secure/page.html");
 
-        // Setup our expectation that the filter chain will not be invoked, as access is denied
+        // Setup the FilterChain to thrown an access denied exception
-        MockFilterChain chain = new MockFilterChain(false);
+        MockFilterChain chain = new MockFilterChain(true, false, false, false);
-
-        // Setup the FilterSecurityInterceptor thrown an access denied exception
-        MockFilterSecurityInterceptor interceptor = new MockFilterSecurityInterceptor(true,
-                false, false, false);
 
         // Setup SecurityContextHolder, as filter needs to check if user is anonymous
         SecurityContextHolder.getContext().setAuthentication(null);
 
         // Test
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
-        filter.setFilterSecurityInterceptor(interceptor);
         filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(
                 "/login.jsp"));
 
@@ -127,17 +123,17 @@ public class SecurityEnforcementFilterTests extends TestCase {
         assertEquals(403, response.getStatus());
         assertEquals(AccessDeniedException.class,
             request.getSession()
-                   .getAttribute(SecurityEnforcementFilter.ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY)
+                   .getAttribute(ExceptionTranslationFilter.ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY)
                    .getClass());
     }
 
     public void testDoFilterWithNonHttpServletRequestDetected()
         throws Exception {
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
 
         try {
             filter.doFilter(null, new MockHttpServletResponse(),
-                new MockFilterChain());
+                new MockFilterChain(false, false, false, false));
             fail("Should have thrown ServletException");
         } catch (ServletException expected) {
             assertEquals("HttpServletRequest required", expected.getMessage());
@@ -146,11 +142,11 @@ public class SecurityEnforcementFilterTests extends TestCase {
 
     public void testDoFilterWithNonHttpServletResponseDetected()
         throws Exception {
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
 
         try {
             filter.doFilter(new MockHttpServletRequest(null, null), null,
-                new MockFilterChain());
+                new MockFilterChain(false, false, false, false));
             fail("Should have thrown ServletException");
         } catch (ServletException expected) {
             assertEquals("HttpServletResponse required", expected.getMessage());
@@ -158,10 +154,7 @@ public class SecurityEnforcementFilterTests extends TestCase {
     }
 
     public void testGettersSetters() {
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
-        filter.setFilterSecurityInterceptor(new MockFilterSecurityInterceptor(
-                false, false, false, false));
-        assertTrue(filter.getFilterSecurityInterceptor() != null);
 
         filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(
                 "/login.jsp"));
@@ -182,16 +175,11 @@ public class SecurityEnforcementFilterTests extends TestCase {
         request.setContextPath("/mycontext");
         request.setRequestURI("/mycontext/secure/page.html");
 
-        // Setup our expectation that the filter chain will not be invoked, as access is denied
+        // Setup the FilterChain to thrown an authentication failure exception
-        MockFilterChain chain = new MockFilterChain(false);
+        MockFilterChain chain = new MockFilterChain(false, true, false, false);
-
-        // Setup the FilterSecurityInterceptor thrown an authentication failure exceptions
-        MockFilterSecurityInterceptor interceptor = new MockFilterSecurityInterceptor(false,
-                true, false, false);
 
         // Test
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
-        filter.setFilterSecurityInterceptor(interceptor);
         filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(
                 "/login.jsp"));
         filter.setPortResolver(new MockPortResolver(80, 443));
@@ -201,7 +189,8 @@ public class SecurityEnforcementFilterTests extends TestCase {
         filter.doFilter(request, response, chain);
         assertEquals("/mycontext/login.jsp", response.getRedirectedUrl());
         assertEquals("http://www.example.com/mycontext/secure/page.html",
-            request.getSession().getAttribute(AuthenticationProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY));
+            request.getSession()
+                   .getAttribute(AuthenticationProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY));
     }
 
     public void testRedirectedToLoginFormAndSessionShowsOriginalTargetWithExoticPortWhenAuthenticationException()
@@ -215,16 +204,11 @@ public class SecurityEnforcementFilterTests extends TestCase {
         request.setContextPath("/mycontext");
         request.setRequestURI("/mycontext/secure/page.html");
 
-        // Setup our expectation that the filter chain will not be invoked, as access is denied
+        // Setup the FilterChain to thrown an authentication failure exception
-        MockFilterChain chain = new MockFilterChain(false);
+        MockFilterChain chain = new MockFilterChain(false, true, false, false);
-
-        // Setup the FilterSecurityInterceptor thrown an authentication failure exceptions
-        MockFilterSecurityInterceptor interceptor = new MockFilterSecurityInterceptor(false,
-                true, false, false);
 
         // Test
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
-        filter.setFilterSecurityInterceptor(interceptor);
         filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(
                 "/login.jsp"));
         filter.setPortResolver(new MockPortResolver(8080, 8443));
@@ -234,14 +218,13 @@ public class SecurityEnforcementFilterTests extends TestCase {
         filter.doFilter(request, response, chain);
         assertEquals("/mycontext/login.jsp", response.getRedirectedUrl());
         assertEquals("http://www.example.com:8080/mycontext/secure/page.html",
-            request.getSession().getAttribute(AuthenticationProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY));
+            request.getSession()
+                   .getAttribute(AuthenticationProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY));
     }
 
     public void testStartupDetectsMissingAuthenticationEntryPoint()
         throws Exception {
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
-        filter.setFilterSecurityInterceptor(new MockFilterSecurityInterceptor(
-                false, false, false, false));
 
         try {
             filter.afterPropertiesSet();
@@ -252,26 +235,9 @@ public class SecurityEnforcementFilterTests extends TestCase {
         }
     }
 
-    public void testStartupDetectsMissingFilterSecurityInterceptor()
-        throws Exception {
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
-        filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(
-                "/login.jsp"));
-
-        try {
-            filter.afterPropertiesSet();
-            fail("Should have thrown IllegalArgumentException");
-        } catch (IllegalArgumentException expected) {
-            assertEquals("filterSecurityInterceptor must be specified",
-                expected.getMessage());
-        }
-    }
-
     public void testStartupDetectsMissingPortResolver()
         throws Exception {
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
-        filter.setFilterSecurityInterceptor(new MockFilterSecurityInterceptor(
-                false, false, false, false));
         filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(
                 "/login.jsp"));
         filter.setPortResolver(null);
@@ -289,16 +255,11 @@ public class SecurityEnforcementFilterTests extends TestCase {
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setServletPath("/secure/page.html");
 
-        // Setup our expectation that the filter chain will be invoked, as access is granted
+        // Setup the FilterChain to thrown no exceptions
-        MockFilterChain chain = new MockFilterChain(true);
+        MockFilterChain chain = new MockFilterChain(false, false, false, false);
-
-        // Setup the FilterSecurityInterceptor to not thrown any exceptions
-        MockFilterSecurityInterceptor interceptor = new MockFilterSecurityInterceptor(false,
-                false, false, false);
 
         // Test
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
-        filter.setFilterSecurityInterceptor(interceptor);
         filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(
                 "/login.jsp"));
 
@@ -308,7 +269,7 @@ public class SecurityEnforcementFilterTests extends TestCase {
 
     public void testSuccessfulStartupAndShutdownDown()
         throws Exception {
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
 
         filter.init(null);
         filter.destroy();
@@ -316,10 +277,7 @@ public class SecurityEnforcementFilterTests extends TestCase {
     }
 
     public void testThrowIOException() throws Exception {
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
-
-        filter.setFilterSecurityInterceptor(new MockFilterSecurityInterceptor(
-                false, false, false, true));
 
         filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(""));
 
@@ -327,7 +285,8 @@ public class SecurityEnforcementFilterTests extends TestCase {
 
         try {
             filter.doFilter(new MockHttpServletRequest(),
-                new MockHttpServletResponse(), new MockFilterChain(false));
+                new MockHttpServletResponse(),
+                new MockFilterChain(false, false, false, true));
             fail("Should have thrown IOException");
         } catch (IOException e) {
             assertNull("The IOException thrown should not have been wrapped",
@@ -336,10 +295,7 @@ public class SecurityEnforcementFilterTests extends TestCase {
     }
 
     public void testThrowServletException() throws Exception {
-        SecurityEnforcementFilter filter = new SecurityEnforcementFilter();
+        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
-
-        filter.setFilterSecurityInterceptor(new MockFilterSecurityInterceptor(
-                false, false, true, false));
 
         filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(""));
 
@@ -347,7 +303,8 @@ public class SecurityEnforcementFilterTests extends TestCase {
 
         try {
             filter.doFilter(new MockHttpServletRequest(),
-                new MockHttpServletResponse(), new MockFilterChain(false));
+                new MockHttpServletResponse(),
+                new MockFilterChain(false, false, true, false));
             fail("Should have thrown ServletException");
         } catch (ServletException e) {
             assertNull("The ServletException thrown should not have been wrapped",
@@ -355,42 +312,15 @@ public class SecurityEnforcementFilterTests extends TestCase {
         }
     }
 
-    protected void tearDown() throws Exception {
-        super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
-    }
-
     //~ Inner Classes ==========================================================
 
     private class MockFilterChain implements FilterChain {
-        private boolean expectToProceed;
-
-        public MockFilterChain(boolean expectToProceed) {
-            this.expectToProceed = expectToProceed;
-        }
-
-        private MockFilterChain() {
-            super();
-        }
-
-        public void doFilter(ServletRequest request, ServletResponse response)
-            throws IOException, ServletException {
-            if (expectToProceed) {
-                assertTrue(true);
-            } else {
-                fail("Did not expect filter chain to proceed");
-            }
-        }
-    }
-
-    private class MockFilterSecurityInterceptor
-        extends FilterSecurityInterceptor {
         private boolean throwAccessDenied;
         private boolean throwAuthenticationFailure;
         private boolean throwIOException;
         private boolean throwServletException;
 
-        public MockFilterSecurityInterceptor(boolean throwAccessDenied,
+        public MockFilterChain(boolean throwAccessDenied,
             boolean throwAuthenticationFailure, boolean throwServletException,
             boolean throwIOException) {
             this.throwAccessDenied = throwAccessDenied;
@@ -399,7 +329,8 @@ public class SecurityEnforcementFilterTests extends TestCase {
             this.throwIOException = throwIOException;
         }
 
-        public void invoke(FilterInvocation fi) throws Throwable {
+        public void doFilter(ServletRequest request, ServletResponse response)
+            throws IOException, ServletException {
             if (throwAccessDenied) {
                 throw new AccessDeniedException("As requested");
             }
@@ -415,8 +346,6 @@ public class SecurityEnforcementFilterTests extends TestCase {
             if (throwIOException) {
                 throw new IOException("As requested");
             }
-
-            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
         }
     }
 }

doc/xdocs/upgrade/upgrade-090-100.html

@@ -48,6 +48,24 @@ applications:
 	point to an implementation of org.acegisecurity.providers.ProviderManager.
 	</li>
 	
+	<li>
+	org.acegisecurity.intercept.web.AuthenticationEntryPoint has moved to a new location,
+	org.acegisecurity.ui.AuthenticationEntryPoint.
+	</li>
+	
+	<li>
+	org.acegisecurity.intercept.web.SecurityEnforcementFilter has moved to a new location and name,
+	org.acegisecurity.ui.ExceptionTranslationFilter. In addition, the "filterSecurityInterceptor"
+	property on the old SecurityEnforcementFilter class has been removed. This is because
+	SecurityEnforcementFilter will no longer delegate to FilterSecurityInterceptor as it has in the
+	past. Because this delegation feature has been removed (see SEC-144 for a background as to why),
+	please add a new filter definition for FilterSecurityInterceptor to the end of your
+	FilterChainProxy. Generally you'll also rename the old SecurityEnforcementFilter entry in your
+	FilterChainProxy to ExceptionTranslationFilter, more accurately reflecting its purpose.
+	If you are not using FilterChainProxy (although we recommend that you do), you will need to add
+	an additional filter entry to web.xml and use FilterToBeanProxy to access the FilterSecurityInterceptor.
+	</li>
+	
     </ul>
 
 </body>

samples/acegifier/src/main/resources/web-to-spring.xsl

@@ -48,7 +48,7 @@
         <xsl:message terminate="yes">Unsupported auth-method in web.xml, must be FORM or BASIC</xsl:message>
     </xsl:otherwise>
 </xsl:choose>
-<xsl:text>,rememberMeProcessingFilter,anonymousProcessingFilter,securityEnforcementFilter</xsl:text>
+<xsl:text>,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor</xsl:text>
 </xsl:variable>
     
 <!-- 
@@ -137,13 +137,12 @@
 </xsl:template>
 
 <!-- 
- | Processes the login-config definition and inserts the SecurityEnforcementFilter with 
+ | Processes the login-config definition and inserts the ExceptionTranslationFilter with 
  | the appropriate beans for either form or basic authentication.
  -->
 <xsl:template match="login-config">
 
-   <bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
+   <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
-      <property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
       <property name="authenticationEntryPoint">
     <xsl:choose>
         <xsl:when test="$auth-method = 'FORM'">

samples/acegifier/src/test/java/acegifier/WebXmlConverterTests.java

@@ -7,10 +7,9 @@ import javax.xml.transform.TransformerFactoryConfigurationError;
 
 import junit.framework.TestCase;
 
-import org.acegisecurity.intercept.web.FilterSecurityInterceptor;
-import org.acegisecurity.intercept.web.SecurityEnforcementFilter;
 import org.acegisecurity.providers.ProviderManager;
 import org.acegisecurity.providers.dao.DaoAuthenticationProvider;
+import org.acegisecurity.ui.ExceptionTranslationFilter;
 import org.acegisecurity.userdetails.UserDetails;
 import org.acegisecurity.userdetails.memory.InMemoryDaoImpl;
 import org.acegisecurity.util.InMemoryResource;
@@ -73,11 +72,10 @@ public class WebXmlConverterTests extends TestCase {
         assertNotNull(bf.getBean("rememberMeProcessingFilter"));
         assertNotNull(bf.getBean("rememberMeAuthenticationProvider"));
 
-        SecurityEnforcementFilter sef =
+        ExceptionTranslationFilter etf =
-                (SecurityEnforcementFilter) bf.getBean("securityEnforcementFilter");
+                (ExceptionTranslationFilter) bf.getBean("exceptionTranslationFilter");
-        assertNotNull(sef);
+        assertNotNull(etf);
-        assertNotNull(sef.getAuthenticationEntryPoint());
+        assertNotNull(etf.getAuthenticationEntryPoint());
-        FilterSecurityInterceptor fsi = sef.getFilterSecurityInterceptor();
         System.out.println(prettyPrint(converter.getNewWebXml()));
         System.out.println(prettyPrint(converter.getAcegiBeans()));
 

samples/contacts-tiger/src/main/webapp/filter/WEB-INF/applicationContext-acegi-security.xml

@@ -16,19 +16,19 @@
 
 	<!--  if you wish to use channel security, add "channelProcessingFilter," in front
 	      of "httpSessionContextIntegrationFilter" in the list below -->
-	<bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
+	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
       <property name="filterInvocationDefinitionSource">
          <value>
 		    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
 		    PATTERN_TYPE_APACHE_ANT
-            /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,basicProcessingFilter,rememberMeProcessingFilter,anonymousProcessingFilter,securityEnforcementFilter
+            /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,basicProcessingFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
          </value>
       </property>
     </bean>
 
    <!-- ======================== AUTHENTICATION ======================= -->
 
-   <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
+   <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
       <property name="providers">
          <list>
             <ref local="daoAuthenticationProvider"/>
@@ -38,13 +38,13 @@
       </property>
    </bean>
 
-   <bean id="jdbcDaoImpl" class="net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl">
+   <bean id="jdbcDaoImpl" class="org.acegisecurity.providers.dao.jdbc.JdbcDaoImpl">
       <property name="dataSource"><ref bean="dataSource"/></property>
    </bean>
 
-   <bean id="passwordEncoder" class="net.sf.acegisecurity.providers.encoding.Md5PasswordEncoder"/>
+   <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5PasswordEncoder"/>
 
-   <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
+   <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
       <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
       <property name="userCache"><ref local="userCache"/></property>
       <property name="passwordEncoder"><ref local="passwordEncoder"/></property>
@@ -61,44 +61,44 @@
       </property>
    </bean>
    
-   <bean id="userCache" class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
+   <bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
       <property name="cache"><ref local="userCacheBackend"/></property>
    </bean>
 
    <!-- Automatically receives AuthenticationEvent messages -->
-   <bean id="loggerListener" class="net.sf.acegisecurity.event.authentication.LoggerListener"/>
+   <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>
 
-   <bean id="basicProcessingFilter" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
+   <bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
       <property name="authenticationManager"><ref local="authenticationManager"/></property>
       <property name="authenticationEntryPoint"><ref local="basicProcessingFilterEntryPoint"/></property>
    </bean>
 
-   <bean id="basicProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
+   <bean id="basicProcessingFilterEntryPoint" class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
       <property name="realmName"><value>Contacts Realm</value></property>
    </bean>
 
-   <bean id="anonymousProcessingFilter" class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
+   <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
       <property name="key"><value>foobar</value></property>
       <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
    </bean>
 
-   <bean id="anonymousAuthenticationProvider" class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
+   <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
       <property name="key"><value>foobar</value></property>
    </bean>
 
-   <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
+   <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
    </bean>
 
-   <bean id="rememberMeProcessingFilter" class="net.sf.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
+   <bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
       <property name="rememberMeServices"><ref local="rememberMeServices"/></property>
    </bean>
 
-   <bean id="rememberMeServices" class="net.sf.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
+   <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
       <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
       <property name="key"><value>springRocks</value></property>
    </bean>
    
-   <bean id="rememberMeAuthenticationProvider" class="net.sf.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
+   <bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
       <property name="key"><value>springRocks</value></property>
    </bean>
 
@@ -107,7 +107,7 @@
    <!-- You will need to uncomment the "Acegi Channel Processing Filter"
         <filter-mapping> in web.xml for the following beans to be used -->
 
-   <bean id="channelProcessingFilter" class="net.sf.acegisecurity.securechannel.ChannelProcessingFilter">
+   <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
       <property name="channelDecisionManager"><ref local="channelDecisionManager"/></property>
       <property name="filterInvocationDefinitionSource">
          <value>
@@ -120,7 +120,7 @@
       </property>
    </bean>
 
-   <bean id="channelDecisionManager" class="net.sf.acegisecurity.securechannel.ChannelDecisionManagerImpl">
+   <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
       <property name="channelProcessors">
          <list>
             <ref local="secureChannelProcessor"/>
@@ -129,17 +129,16 @@
       </property>
    </bean>
 
-   <bean id="secureChannelProcessor" class="net.sf.acegisecurity.securechannel.SecureChannelProcessor"/>
+   <bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor"/>
-   <bean id="insecureChannelProcessor" class="net.sf.acegisecurity.securechannel.InsecureChannelProcessor"/>
+   <bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>
 
    <!-- ===================== HTTP REQUEST SECURITY ==================== -->
 
-   <bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
+   <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
-      <property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
       <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
    </bean>
 
-   <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
+   <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
       <property name="authenticationManager"><ref bean="authenticationManager"/></property>
       <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>
       <property name="defaultTargetUrl"><value>/</value></property>
@@ -147,12 +146,12 @@
       <property name="rememberMeServices"><ref local="rememberMeServices"/></property>
    </bean>
 
-   <bean id="authenticationProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
+   <bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
       <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
       <property name="forceHttps"><value>false</value></property>
    </bean>
 
-   <bean id="httpRequestAccessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
+   <bean id="httpRequestAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
       <property name="allowIfAllAbstainDecisions"><value>false</value></property>
       <property name="decisionVoters">
          <list>
@@ -164,7 +163,7 @@
    <!-- Note the order that entries are placed against the objectDefinitionSource is critical.
         The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
         Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last -->
-   <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
+   <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
       <property name="authenticationManager"><ref bean="authenticationManager"/></property>
       <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
       <property name="objectDefinitionSource">

samples/contacts/src/main/webapp/cas/WEB-INF/applicationContext-acegi-security.xml

@@ -19,7 +19,7 @@
          <value>
 		    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
 		    PATTERN_TYPE_APACHE_ANT
-            /**=channelProcessingFilter,httpSessionContextIntegrationFilter,casProcessingFilter,basicProcessingFilter,securityEnforcementFilter
+            /**=channelProcessingFilter,httpSessionContextIntegrationFilter,casProcessingFilter,basicProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
          </value>
       </property>
     </bean>
@@ -121,8 +121,7 @@
 
 	<!-- ===================== HTTP REQUEST SECURITY ==================== -->
 
-	<bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
+	<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
-		<property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
 		<property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property>
 	</bean>
 

samples/contacts/src/main/webapp/filter/WEB-INF/applicationContext-acegi-security.xml

@@ -21,7 +21,7 @@
          <value>
 		    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
 		    PATTERN_TYPE_APACHE_ANT
-            /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,basicProcessingFilter,rememberMeProcessingFilter,anonymousProcessingFilter,securityEnforcementFilter,switchUserProcessingFilter
+            /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,basicProcessingFilter,rememberMeProcessingFilter,anonymousProcessingFilter,switchUserProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
          </value>
       </property>
     </bean>
@@ -135,8 +135,7 @@
 
    <!-- ===================== HTTP REQUEST SECURITY ==================== -->
 
-   <bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
+   <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
-      <property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
       <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
    </bean>
 

samples/contacts/src/main/webapp/ldap/WEB-INF/applicationContext-acegi-security.xml

@@ -21,7 +21,7 @@
          <value>
         CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
         PATTERN_TYPE_APACHE_ANT
-            /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,securityEnforcementFilter
+            /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
          </value>
       </property>
    </bean>
@@ -66,8 +66,7 @@
 
    <!-- ===================== HTTP REQUEST SECURITY ==================== -->
 
-   <bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
+   <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
-      <property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
       <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
    </bean>
 

samples/contacts/src/main/webapp/x509/WEB-INF/applicationContext-acegi-security.xml

@@ -19,7 +19,7 @@
          <value>
 		    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
 		    PATTERN_TYPE_APACHE_ANT
-            /**=channelProcessingFilter,httpSessionContextIntegrationFilter,x509ProcessingFilter,securityEnforcementFilter
+            /**=channelProcessingFilter,httpSessionContextIntegrationFilter,x509ProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
          </value>
       </property>
     </bean>
@@ -103,8 +103,7 @@
 
 	<!-- ===================== HTTP REQUEST SECURITY ==================== -->
 
-	<bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
+	<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
-		<property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
 		<property name="authenticationEntryPoint"><ref local="x509ProcessingFilterEntryPoint"/></property>
 	</bean>
 

sandbox/src/main/java/org/acegisecurity/intercept/web/SandboxSecurityEnforcementFilter.java

@@ -32,6 +32,8 @@ import org.acegisecurity.AuthenticationTrustResolverImpl;
 import org.acegisecurity.InsufficientAuthenticationException;
 import org.acegisecurity.context.SecurityContextHolder;
 import org.acegisecurity.ui.AbstractProcessingFilter;
+import org.acegisecurity.ui.AuthenticationEntryPoint;
+import org.acegisecurity.ui.ExceptionTranslationFilter;
 import org.acegisecurity.util.PortResolver;
 import org.acegisecurity.util.PortResolverImpl;
 import org.acegisecurity.wrapper.redirect.SavedHttpServletRequest;
@@ -104,7 +106,7 @@ import org.springframework.util.Assert;
  */
 public class SandboxSecurityEnforcementFilter implements Filter, InitializingBean {
 	
-    private static final Log logger = LogFactory.getLog(SecurityEnforcementFilter.class);
+    private static final Log logger = LogFactory.getLog(ExceptionTranslationFilter.class);
     
     public static final String ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY = "ACEGI_SECURITY_403_EXCEPTION";
     public static final String SAVED_REQUEST_SESSION_ATTRIBUTE = "org.acegisecurity.intercept.web.SAVED_REQUEST_SESSION_ATTRIBUTE";

sandbox/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilter.java

@@ -17,8 +17,8 @@ import org.acegisecurity.AuthenticationException;
 import org.acegisecurity.AuthenticationManager;
 import org.acegisecurity.BadCredentialsException;
 import org.acegisecurity.context.SecurityContextHolder;
-import org.acegisecurity.intercept.web.AuthenticationEntryPoint;
 import org.acegisecurity.providers.smb.NtlmAuthenticationToken;
+import org.acegisecurity.ui.AuthenticationEntryPoint;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;

sandbox/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilterEntryPoint.java

@@ -16,7 +16,7 @@
 package org.acegisecurity.ui.ntlm;
 
 import org.acegisecurity.AuthenticationException;
-import org.acegisecurity.intercept.web.AuthenticationEntryPoint;
+import org.acegisecurity.ui.AuthenticationEntryPoint;
 
 import java.io.IOException;
 

sandbox/src/main/java/org/acegisecurity/wrapper/redirect/SavedHttpServletRequest.java

@@ -26,7 +26,7 @@ import java.util.Map;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 
-import org.acegisecurity.intercept.web.SecurityEnforcementFilter;
+import org.acegisecurity.ui.ExceptionTranslationFilter;
 import org.acegisecurity.wrapper.SecurityContextHolderAwareRequestWrapper;
 
 /**
@@ -47,7 +47,7 @@ import org.acegisecurity.wrapper.SecurityContextHolderAwareRequestWrapper;
  * </p>
  * <p>The original source code from Apache Tomcat<p>
  *
- * @see SecurityEnforcementFilter
+ * @see ExceptionTranslationFilter
  * @see SecurityContextHolderAwareRequestWrapper
  * @author Craig R. McClanahan
  * @author Andrey Grebnev <a href="mailto:andrey.grebnev@blandware.com">&lt;andrey.grebnev@blandware.com&gt;</a>