SEC-603: Removed requirement for an entry point on BasicProcessingFilter if ignoreFailures is true.

2025-10-30 22:28:46 +00:00 · 2008-02-18 15:41:23 +00:00 · 2008-02-18 15:41:23 +00:00 · d7b3a1f734
commit d7b3a1f734
parent 5af9653a8e
1 changed files with 52 additions and 34 deletions
--- a/core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java
+++ b/core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java
@ -43,30 +43,45 @@ import org.springframework.util.Assert;

 /**
 * Processes a HTTP request's BASIC authorization headers, putting the result into the
- * <code>SecurityContextHolder</code>.<p>For a detailed background on what this filter is designed to process,
- * refer to <A HREF="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section 11.1</A>. Any realm name presented in
- * the HTTP request is ignored.</p>
- *  <p>In summary, this filter is responsible for processing any request that has a HTTP request header of
+ * <code>SecurityContextHolder</code>.
+ *
+ * <p>
+ * For a detailed background on what this filter is designed to process, refer to
+ * <a href="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section 11.1</a>. Any realm name presented in
+ * the HTTP request is ignored.
+ *
+ * <p>
+ * In summary, this filter is responsible for processing any request that has a HTTP request header of
 * <code>Authorization</code> with an authentication scheme of <code>Basic</code> and a Base64-encoded
 * <code>username:password</code> token. For example, to authenticate user "Aladdin" with password "open sesame" the
- * following header would be presented:</p>
- *  <p><code>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code>.</p>
- *  <p>This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as
- * Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).</p>
- *  <P>If authentication is successful, the resulting {@link Authentication} object will be placed into the
- * <code>SecurityContextHolder</code>.</p>
- *  <p>If authentication fails and <code>ignoreFailure</code> is <code>false</code> (the default), an {@link
- * AuthenticationEntryPoint} implementation is called. Usually this should be {@link BasicProcessingFilterEntryPoint},
- * which will prompt the user to authenticate again via BASIC authentication.</p>
- *  <p>Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still
+ * following header would be presented:
+ * <pre>
+ *
+ * Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
+ * </pre>
+ *
+ * <p>
+ * This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as
+ * Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).
+ * <p>
+ * If authentication is successful, the resulting {@link Authentication} object will be placed into the
+ * <code>SecurityContextHolder</code>.
+ *
+ * <p>
+ * If authentication fails and <code>ignoreFailure</code> is <code>false</code> (the default), an {@link
+ * AuthenticationEntryPoint} implementation is called (unless the <tt>ignoreFailure</tt> property is set to
+ * <tt>true</tt>). Usually this should be {@link BasicProcessingFilterEntryPoint}, which will prompt the user to
+ * authenticate again via BASIC authentication.
+ *
+ * <p>
+ * Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still
 * transmits a password in clear text and as such is undesirable in many situations. Digest authentication is also
 * provided by Spring Security and should be used instead of Basic authentication wherever possible. See {@link
- * org.springframework.security.ui.digestauth.DigestProcessingFilter}.</p>
- *  <p>Note that if a {@link #rememberMeServices} is set, this filter will automatically send back remember-me
+ * org.springframework.security.ui.digestauth.DigestProcessingFilter}.
+ * <p>
+ * Note that if a {@link RememberMeServices} is set, this filter will automatically send back remember-me
 * details to the client. Therefore, subsequent requests will not need to present a BASIC authentication header as
- * they will be authenticated using the remember-me mechanism.</p>
- *  <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
- * org.springframework.security.util.FilterToBeanProxy}.</p>
+ * they will be authenticated using the remember-me mechanism.
 *
 * @author Ben Alex
 * @version $Id$
@ -88,7 +103,10 @@ public class BasicProcessingFilter extends SpringSecurityFilter implements Initi

    public void afterPropertiesSet() throws Exception {
        Assert.notNull(this.authenticationManager, "An AuthenticationManager is required");
-        Assert.notNull(this.authenticationEntryPoint, "An AuthenticationEntryPoint is required");
+
+        if(!isIgnoreFailure()) {
+            Assert.notNull(this.authenticationEntryPoint, "An AuthenticationEntryPoint is required");
+        }
    }

    public void doFilterHttp(HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain chain)
@ -189,35 +207,35 @@ public class BasicProcessingFilter extends SpringSecurityFilter implements Initi
        return false;
    }

-    public AuthenticationEntryPoint getAuthenticationEntryPoint() {
+    protected AuthenticationEntryPoint getAuthenticationEntryPoint() {
        return authenticationEntryPoint;
    }

-    public AuthenticationManager getAuthenticationManager() {
-        return authenticationManager;
-    }
-
-    public boolean isIgnoreFailure() {
-        return ignoreFailure;
-    }
-
-    public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) {
-        Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
-        this.authenticationDetailsSource = authenticationDetailsSource;
-    }
-
    public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) {
        this.authenticationEntryPoint = authenticationEntryPoint;
    }

+    protected AuthenticationManager getAuthenticationManager() {
+        return authenticationManager;
+    }
+
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

+    protected boolean isIgnoreFailure() {
+        return ignoreFailure;
+    }
+
    public void setIgnoreFailure(boolean ignoreFailure) {
        this.ignoreFailure = ignoreFailure;
    }    

+    public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) {
+        Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
+        this.authenticationDetailsSource = authenticationDetailsSource;
+    }
+
    public void setRememberMeServices(RememberMeServices rememberMeServices) {
        this.rememberMeServices = rememberMeServices;
    }