SEC-603: Removed requirement for an entry point on BasicProcessingFilter if ignoreFailures is true.
This commit is contained in:
Luke Taylor
parent
5af9653a8e
commit
d7b3a1f734
|
|
@ -43,30 +43,45 @@ import org.springframework.util.Assert;
|
|||
|
||||
/**
|
||||
* Processes a HTTP request's BASIC authorization headers, putting the result into the
|
||||
* <code>SecurityContextHolder</code>.<p>For a detailed background on what this filter is designed to process,
|
||||
* refer to <A HREF="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section 11.1</A>. Any realm name presented in
|
||||
* the HTTP request is ignored.</p>
|
||||
* <p>In summary, this filter is responsible for processing any request that has a HTTP request header of
|
||||
* <code>SecurityContextHolder</code>.
|
||||
*
|
||||
* <p>
|
||||
* For a detailed background on what this filter is designed to process, refer to
|
||||
* <a href="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section 11.1</a>. Any realm name presented in
|
||||
* the HTTP request is ignored.
|
||||
*
|
||||
* <p>
|
||||
* In summary, this filter is responsible for processing any request that has a HTTP request header of
|
||||
* <code>Authorization</code> with an authentication scheme of <code>Basic</code> and a Base64-encoded
|
||||
* <code>username:password</code> token. For example, to authenticate user "Aladdin" with password "open sesame" the
|
||||
* following header would be presented:</p>
|
||||
* <p><code>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code>.</p>
|
||||
* <p>This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as
|
||||
* Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).</p>
|
||||
* <P>If authentication is successful, the resulting {@link Authentication} object will be placed into the
|
||||
* <code>SecurityContextHolder</code>.</p>
|
||||
* <p>If authentication fails and <code>ignoreFailure</code> is <code>false</code> (the default), an {@link
|
||||
* AuthenticationEntryPoint} implementation is called. Usually this should be {@link BasicProcessingFilterEntryPoint},
|
||||
* which will prompt the user to authenticate again via BASIC authentication.</p>
|
||||
* <p>Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still
|
||||
* following header would be presented:
|
||||
* <pre>
|
||||
*
|
||||
* Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
|
||||
* </pre>
|
||||
*
|
||||
* <p>
|
||||
* This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as
|
||||
* Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).
|
||||
* <p>
|
||||
* If authentication is successful, the resulting {@link Authentication} object will be placed into the
|
||||
* <code>SecurityContextHolder</code>.
|
||||
*
|
||||
* <p>
|
||||
* If authentication fails and <code>ignoreFailure</code> is <code>false</code> (the default), an {@link
|
||||
* AuthenticationEntryPoint} implementation is called (unless the <tt>ignoreFailure</tt> property is set to
|
||||
* <tt>true</tt>). Usually this should be {@link BasicProcessingFilterEntryPoint}, which will prompt the user to
|
||||
* authenticate again via BASIC authentication.
|
||||
*
|
||||
* <p>
|
||||
* Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still
|
||||
* transmits a password in clear text and as such is undesirable in many situations. Digest authentication is also
|
||||
* provided by Spring Security and should be used instead of Basic authentication wherever possible. See {@link
|
||||
* org.springframework.security.ui.digestauth.DigestProcessingFilter}.</p>
|
||||
* <p>Note that if a {@link #rememberMeServices} is set, this filter will automatically send back remember-me
|
||||
* org.springframework.security.ui.digestauth.DigestProcessingFilter}.
|
||||
* <p>
|
||||
* Note that if a {@link RememberMeServices} is set, this filter will automatically send back remember-me
|
||||
* details to the client. Therefore, subsequent requests will not need to present a BASIC authentication header as
|
||||
* they will be authenticated using the remember-me mechanism.</p>
|
||||
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
|
||||
* org.springframework.security.util.FilterToBeanProxy}.</p>
|
||||
* they will be authenticated using the remember-me mechanism.
|
||||
*
|
||||
* @author Ben Alex
|
||||
* @version $Id$
|
||||
|
|
@ -88,8 +103,11 @@ public class BasicProcessingFilter extends SpringSecurityFilter implements Initi
|
|||
|
||||
public void afterPropertiesSet() throws Exception {
|
||||
Assert.notNull(this.authenticationManager, "An AuthenticationManager is required");
|
||||
|
||||
if(!isIgnoreFailure()) {
|
||||
Assert.notNull(this.authenticationEntryPoint, "An AuthenticationEntryPoint is required");
|
||||
}
|
||||
}
|
||||
|
||||
public void doFilterHttp(HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain chain)
|
||||
throws IOException, ServletException {
|
||||
|
|
@ -189,35 +207,35 @@ public class BasicProcessingFilter extends SpringSecurityFilter implements Initi
|
|||
return false;
|
||||
}
|
||||
|
||||
public AuthenticationEntryPoint getAuthenticationEntryPoint() {
|
||||
protected AuthenticationEntryPoint getAuthenticationEntryPoint() {
|
||||
return authenticationEntryPoint;
|
||||
}
|
||||
|
||||
public AuthenticationManager getAuthenticationManager() {
|
||||
return authenticationManager;
|
||||
}
|
||||
|
||||
public boolean isIgnoreFailure() {
|
||||
return ignoreFailure;
|
||||
}
|
||||
|
||||
public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) {
|
||||
Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
|
||||
this.authenticationDetailsSource = authenticationDetailsSource;
|
||||
}
|
||||
|
||||
public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) {
|
||||
this.authenticationEntryPoint = authenticationEntryPoint;
|
||||
}
|
||||
|
||||
protected AuthenticationManager getAuthenticationManager() {
|
||||
return authenticationManager;
|
||||
}
|
||||
|
||||
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
|
||||
this.authenticationManager = authenticationManager;
|
||||
}
|
||||
|
||||
protected boolean isIgnoreFailure() {
|
||||
return ignoreFailure;
|
||||
}
|
||||
|
||||
public void setIgnoreFailure(boolean ignoreFailure) {
|
||||
this.ignoreFailure = ignoreFailure;
|
||||
}
|
||||
|
||||
public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) {
|
||||
Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
|
||||
this.authenticationDetailsSource = authenticationDetailsSource;
|
||||
}
|
||||
|
||||
public void setRememberMeServices(RememberMeServices rememberMeServices) {
|
||||
this.rememberMeServices = rememberMeServices;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue