From d7b3a1f7342d42f7bb73ae6cd20193a58b2b627a Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Mon, 18 Feb 2008 15:41:23 +0000 Subject: [PATCH] SEC-603: Removed requirement for an entry point on BasicProcessingFilter if ignoreFailures is true. --- .../ui/basicauth/BasicProcessingFilter.java | 86 +++++++++++-------- 1 file changed, 52 insertions(+), 34 deletions(-) diff --git a/core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java b/core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java index bf84b8d53f..be56620196 100644 --- a/core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java +++ b/core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java @@ -43,30 +43,45 @@ import org.springframework.util.Assert; /** * Processes a HTTP request's BASIC authorization headers, putting the result into the - * SecurityContextHolder.

For a detailed background on what this filter is designed to process, - * refer to RFC 1945, Section 11.1. Any realm name presented in - * the HTTP request is ignored.

- *

In summary, this filter is responsible for processing any request that has a HTTP request header of + * SecurityContextHolder. + * + *

+ * For a detailed background on what this filter is designed to process, refer to + * RFC 1945, Section 11.1. Any realm name presented in + * the HTTP request is ignored. + * + *

+ * In summary, this filter is responsible for processing any request that has a HTTP request header of * Authorization with an authentication scheme of Basic and a Base64-encoded * username:password token. For example, to authenticate user "Aladdin" with password "open sesame" the - * following header would be presented:

- *

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==.

- *

This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as - * Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).

- *

If authentication is successful, the resulting {@link Authentication} object will be placed into the - * SecurityContextHolder.

- *

If authentication fails and ignoreFailure is false (the default), an {@link - * AuthenticationEntryPoint} implementation is called. Usually this should be {@link BasicProcessingFilterEntryPoint}, - * which will prompt the user to authenticate again via BASIC authentication.

- *

Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still + * following header would be presented: + *

+ *
+ * Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
+ * 
+ * + *

+ * This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as + * Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape). + *

+ * If authentication is successful, the resulting {@link Authentication} object will be placed into the + * SecurityContextHolder. + * + *

+ * If authentication fails and ignoreFailure is false (the default), an {@link + * AuthenticationEntryPoint} implementation is called (unless the ignoreFailure property is set to + * true). Usually this should be {@link BasicProcessingFilterEntryPoint}, which will prompt the user to + * authenticate again via BASIC authentication. + * + *

+ * Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still * transmits a password in clear text and as such is undesirable in many situations. Digest authentication is also * provided by Spring Security and should be used instead of Basic authentication wherever possible. See {@link - * org.springframework.security.ui.digestauth.DigestProcessingFilter}.

- *

Note that if a {@link #rememberMeServices} is set, this filter will automatically send back remember-me + * org.springframework.security.ui.digestauth.DigestProcessingFilter}. + *

+ * Note that if a {@link RememberMeServices} is set, this filter will automatically send back remember-me * details to the client. Therefore, subsequent requests will not need to present a BASIC authentication header as - * they will be authenticated using the remember-me mechanism.

- *

Do not use this class directly. Instead configure web.xml to use the {@link - * org.springframework.security.util.FilterToBeanProxy}.

+ * they will be authenticated using the remember-me mechanism. * * @author Ben Alex * @version $Id$ @@ -88,7 +103,10 @@ public class BasicProcessingFilter extends SpringSecurityFilter implements Initi public void afterPropertiesSet() throws Exception { Assert.notNull(this.authenticationManager, "An AuthenticationManager is required"); - Assert.notNull(this.authenticationEntryPoint, "An AuthenticationEntryPoint is required"); + + if(!isIgnoreFailure()) { + Assert.notNull(this.authenticationEntryPoint, "An AuthenticationEntryPoint is required"); + } } public void doFilterHttp(HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain chain) 
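Review bot: The rewritten failure paragraph in the class Javadoc states the same condition twice: it says the entry point is called when "ignoreFailure is false (the default)" and then adds "(unless the ignoreFailure property is set to true)". One clause is enough, e.g. `If authentication fails and ignoreFailure is false (the default), an {@link AuthenticationEntryPoint} implementation is called.` Since afterPropertiesSet now drops the entry-point requirement in that mode, a single follow-up sentence along the lines of "When ignoreFailure is true no entry point is needed and failures are not reported to the client" would document the relaxed contract where integrators will look for it. The class declaration this comment belongs to is outside the hunk.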
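Review bot: With the relaxed check in afterPropertiesSet, a filter configured with ignoreFailure=true may now carry a null authenticationEntryPoint, so every path that reaches the entry point must be guarded by the same ignoreFailure test; doFilterHttp, where that call presumably lives, is outside this hunk and should be confirmed, otherwise a misconfiguration that previously failed at startup would surface as a NullPointerException while handling a request. The assertion message could name the condition now that it is conditional: `Assert.notNull(this.authenticationEntryPoint, "An AuthenticationEntryPoint is required unless ignoreFailure is true");`. As a point of style, `if(!isIgnoreFailure()) {` lacks the usual space after `if`.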
@@ -189,33 +207,33 @@ public class BasicProcessingFilter extends SpringSecurityFilter implements Initi return false; } - public AuthenticationEntryPoint getAuthenticationEntryPoint() { + protected AuthenticationEntryPoint getAuthenticationEntryPoint() { return authenticationEntryPoint; } - public AuthenticationManager getAuthenticationManager() { - return authenticationManager; - } - - public boolean isIgnoreFailure() { - return ignoreFailure; - } - - public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) { - Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required"); - this.authenticationDetailsSource = authenticationDetailsSource; - } - public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) { this.authenticationEntryPoint = authenticationEntryPoint; } + protected AuthenticationManager getAuthenticationManager() { + return authenticationManager; + } + public void setAuthenticationManager(AuthenticationManager authenticationManager) { this.authenticationManager = authenticationManager; } + protected boolean isIgnoreFailure() { + return ignoreFailure; + } + public void setIgnoreFailure(boolean ignoreFailure) { this.ignoreFailure = ignoreFailure; + } + + public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) { + Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required"); + this.authenticationDetailsSource = authenticationDetailsSource; } public void setRememberMeServices(RememberMeServices rememberMeServices) {
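Review bot: Narrowing getAuthenticationEntryPoint, getAuthenticationManager and isIgnoreFailure from public to protected is a source- and binary-incompatible change for any caller that is not a subclass, and the commit message does not mention it; if the intent is to remove them from the public API, a deprecation step or at least a note in the message would warn integrators. The accessor whose contract actually changed, setAuthenticationEntryPoint, gains no Javadoc describing the new optionality; a line such as `/** Entry point invoked when Basic authentication fails; required unless {@code ignoreFailure} is {@code true}. */` would make it explicit, and a matching sentence on setIgnoreFailure saying that failures are then not reported to the client would complete the pair. The class declaration and the remainder of setRememberMeServices lie outside the hunk.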