Removed unecessary rethrow of AuthenticationException from AbstractSecurityInterceptor and tidied up javadoc etc.

core/src/main/java/org/springframework/security/intercept/AbstractSecurityInterceptor.java

@@ -21,7 +21,6 @@ import org.springframework.security.SpringSecurityMessageSource;
 import org.springframework.security.AfterInvocationManager;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationCredentialsNotFoundException;
-import org.springframework.security.AuthenticationException;
 import org.springframework.security.AuthenticationManager;
 import org.springframework.security.ConfigAttribute;
 import org.springframework.security.ConfigAttributeDefinition;
@@ -56,75 +55,74 @@ import java.util.Set;
 
 /**
  * Abstract class that implements security interception for secure objects.
- * <p>
+ * <p/>
- * The <code>AbstractSecurityInterceptor</code> will ensure the proper startup
+ * The <code>AbstractSecurityInterceptor</code> will ensure the proper startup configuration of the security
- * configuration of the security interceptor. It will also implement the proper
+ * interceptor. It will also implement the proper handling of secure object invocations, namely:
- * handling of secure object invocations, being:
  * <ol>
- * <li>Obtain the {@link Authentication} object from the
+ * <li>Obtain the {@link Authentication} object from the {@link SecurityContextHolder}.</li>
- * {@link SecurityContextHolder}.</li>
+ * <p/>
- * <li>Determine if the request relates to a secured or public invocation by
+ * <li>Determine if the request relates to a secured or public invocation by ooking up the secure object request
- * looking up the secure object request against the
+ * against the {@link ObjectDefinitionSource}.</li>
- * {@link ObjectDefinitionSource}.</li>
+ * <p/>
  * <li>For an invocation that is secured (there is a
  * <code>ConfigAttributeDefinition</code> for the secure object invocation):
+ * <p/>
  * <ol type="a">
+ * <p/>
  * <li>If either the {@link org.springframework.security.Authentication#isAuthenticated()}
  * returns <code>false</code>, or the {@link #alwaysReauthenticate} is
- * <code>true</code>, authenticate the request against the configured
+ * <code>true</code>, authenticate the request against the configured {@link AuthenticationManager}.
- * {@link AuthenticationManager}. When authenticated, replace the
+ * When authenticated, replace the <code>Authentication</code> object on the
- * <code>Authentication</code> object on the
  * <code>SecurityContextHolder</code> with the returned value.</li>
- * <li>Authorize the request against the configured
+ * <p/>
- * {@link AccessDecisionManager}.</li>
+ * <li>Authorize the request against the configured {@link AccessDecisionManager}.</li>
+ * <p/>
  * <li>Perform any run-as replacement via the configured {@link RunAsManager}.</li>
- * <li>Pass control back to the concrete subclass, which will actually proceed
+ * <p/>
- * with executing the object. A {@link InterceptorStatusToken} is returned so
+ * <li>Pass control back to the concrete subclass, which will actually proceed with executing the object.
- * that after the subclass has finished proceeding with execution of the object,
+ * A {@link InterceptorStatusToken} is returned so that after the subclass has finished proceeding with
- * its finally clause can ensure the <code>AbstractSecurityInterceptor</code>
+ * execution of the object, its finally clause can ensure the <code>AbstractSecurityInterceptor</code>
  * is re-called and tidies up correctly.</li>
- * <li>The concrete subclass will re-call the
+ * <p/>
- * <code>AbstractSecurityInterceptor</code> via the
+ * <li>The concrete subclass will re-call the <code>AbstractSecurityInterceptor</code> via the
  * {@link #afterInvocation(InterceptorStatusToken, Object)} method.</li>
- * <li>If the <code>RunAsManager</code> replaced the
+ * <p/>
- * <code>Authentication</code> object, return the
+ * <li>If the <code>RunAsManager</code> replaced the <code>Authentication</code> object, return the
- * <code>SecurityContextHolder</code> to the object that existed after the
+ * <code>SecurityContextHolder</code> to the object that existed after the call to
- * call to <code>AuthenticationManager</code>.</li>
+ * <code>AuthenticationManager</code>.</li>
+ * <p/>
  * <li>If an <code>AfterInvocationManager</code> is defined, invoke the
  * invocation manager and allow it to replace the object due to be returned to
  * the caller.</li>
  * </ol>
+ * <p/>
  * </li>
- * <li>For an invocation that is public (there is no
+ * <p/>
- * <code>ConfigAttributeDefinition</code> for the secure object invocation):
+ * <li>For an invocation that is public (there is no <code>ConfigAttributeDefinition</code> for the secure object
+ * invocation):
  * <ol type="a">
- * <li>As described above, the concrete subclass will be returned an
+ * <p/>
- * <code>InterceptorStatusToken</code> which is subsequently re-presented to
+ * <li>As described above, the concrete subclass will be returned an <code>InterceptorStatusToken</code> which is
- * the <code>AbstractSecurityInterceptor</code> after the secure object has
+ * subsequently re-presented to the <code>AbstractSecurityInterceptor</code> after the secure object has been executed.
- * been executed. The <code>AbstractSecurityInterceptor</code> will take no
+ * The <code>AbstractSecurityInterceptor</code> will take no further action when its
- * further action when its {@link #afterInvocation(InterceptorStatusToken,
+ * {@link #afterInvocation(InterceptorStatusToken, Object)} is called.</li>
- * Object)} is called.</li>
  * </ol>
  * </li>
- * <li>Control again returns to the concrete subclass, along with the
+ * <p/>
- * <code>Object</code> that should be returned to the caller. The subclass
+ * <li>Control again returns to the concrete subclass, along with the <code>Object</code> that should be returned to
- * will then return that result or exception to the original caller.</li>
+ * the caller. The subclass will then return that result or exception to the original caller.</li>
  * </ol>
- * </p>
  *
  * @author Ben Alex
- * @version $Id: AbstractSecurityInterceptor.java 1790 2007-03-30 18:27:19Z
+ * @version $Id$
- * luke_t $
  */
 public abstract class AbstractSecurityInterceptor implements InitializingBean, ApplicationEventPublisherAware,
         MessageSourceAware {
-	// ~ Static fields/initializers
+    //~ Static fields/initializers =====================================================================================
-	// =====================================================================================
 
     protected static final Log logger = LogFactory.getLog(AbstractSecurityInterceptor.class);
 
-	// ~ Instance fields
+    //~ Instance fields ================================================================================================
-	// ================================================================================================
 
     private AccessDecisionManager accessDecisionManager;
 
@@ -144,20 +142,15 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
 
     private boolean validateConfigAttributes = true;
 
-	// ~ Methods
+    //~ Methods ========================================================================================================
-	// ========================================================================================================
 
     /**
      * Completes the work of the <code>AbstractSecurityInterceptor</code>
      * after the secure object invocation has been complete
      *
-	 * @param token as returned by the {@link #beforeInvocation(Object)}}
+     * @param token as returned by the {@link #beforeInvocation(Object)}} method
-	 * method
+     * @param returnedObject any object returned from the secure object invocation (may be<code>null</code>)
-	 * @param returnedObject any object returned from the secure object
+     * @return the object the secure object invocation should ultimately return to its caller (may be <code>null</code>)
-	 * invocation (may be<code>null</code>)
-	 *
-	 * @return the object the secure object invocation should ultimately return
-	 * to its caller (may be <code>null</code>)
      */
     protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {
         if (token == null) {
@@ -294,13 +287,8 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
         Authentication authenticated;
 
         if (!SecurityContextHolder.getContext().getAuthentication().isAuthenticated() || alwaysReauthenticate) {
-			try {
+            authenticated =
-				authenticated = this.authenticationManager.authenticate(SecurityContextHolder.getContext()
+                    this.authenticationManager.authenticate(SecurityContextHolder.getContext().getAuthentication());
-						.getAuthentication());
-			}
-			catch (AuthenticationException authenticationException) {
-				throw authenticationException;
-			}
 
             // We don't authenticated.setAuthentication(true), because each
             // provider should do that
@@ -309,8 +297,7 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
             }
 
             SecurityContextHolder.getContext().setAuthentication(authenticated);
-		}
+        } else {
-		else {
             authenticated = SecurityContextHolder.getContext().getAuthentication();
 
             if (logger.isDebugEnabled()) {
@@ -347,8 +334,7 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
 
             // no further work post-invocation
             return new InterceptorStatusToken(authenticated, false, attr, object);
-		}
+        } else {
-		else {
             if (logger.isDebugEnabled()) {
                 logger.debug("Switching to RunAs Authentication: " + runAs.toString());
             }
@@ -363,9 +349,8 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
     /**
      * Helper method which generates an exception containing the passed reason,
      * and publishes an event to the application context.
-	 * <p>
+     * <p/>
      * Always throws an exception.
-	 * </p>
      *
      * @param reason        to be provided in the exception detail
      * @param secureObject  that was being called
@@ -437,10 +422,9 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
      * re-authentication will not occur if the principal has already been
      * authenticated.
      *
-	 * @param alwaysReauthenticate <code>true</code> to force
+     * @param alwaysReauthenticate <code>true</code> to force <code>AbstractSecurityInterceptor</code> to
-	 * <code>AbstractSecurityInterceptor</code> to disregard the value of
+     * disregard the value of <code>Authentication.isAuthenticated()</code> and always re-authenticate the request
-	 * <code>Authentication.isAuthenticated()</code> and always
+     * (defaults to <code>false</code>).
-	 * re-authenticate the request (defaults to <code>false</code>).
      */
     public void setAlwaysReauthenticate(boolean alwaysReauthenticate) {
         this.alwaysReauthenticate = alwaysReauthenticate;

core/src/main/java/org/springframework/security/intercept/InterceptorStatusToken.java

@@ -20,10 +20,11 @@ import org.springframework.security.ConfigAttributeDefinition;
 
 
 /**
- * A return object received by {@link AbstractSecurityInterceptor} subclasses.<P>This class reflects the status of
+ * A return object received by {@link AbstractSecurityInterceptor} subclasses.
- * the security interception, so that the final call to {@link
+ * <p>
- * org.springframework.security.intercept.AbstractSecurityInterceptor#afterInvocation(InterceptorStatusToken, Object)} can tidy
+ * This class reflects the status of the security interception, so that the final call to
- * up correctly.</p>
+ * {@link org.springframework.security.intercept.AbstractSecurityInterceptor#afterInvocation(InterceptorStatusToken, Object)}
+ * can tidy up correctly.
  *
  * @author Ben Alex
  * @version $Id$