SEC-1350: Improved Javadoc for AbstractPreAuthenticatedProcessingFilter
Added a clarification that the credentials returned by the subclass should not be null, or they will typically be rejected by the provider. Also added a general overview.
This commit is contained in:
parent
93973a4b75
commit
f5d36aef65
|
@ -25,8 +25,19 @@ import org.springframework.util.Assert;
|
||||||
import org.springframework.web.filter.GenericFilterBean;
|
import org.springframework.web.filter.GenericFilterBean;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Base class for processing filters that handle pre-authenticated authentication requests. Subclasses must implement
|
* Base class for processing filters that handle pre-authenticated authentication requests, where it is assumed
|
||||||
* the {@code getPreAuthenticatedPrincipal()} and {@code getPreAuthenticatedCredentials()} methods.
|
* that the principal has already been authenticated by an external system.
|
||||||
|
* <p>
|
||||||
|
* The purpose is then only to extract the necessary information on the principal from the incoming request, rather
|
||||||
|
* than to authenticate them. External authentication systems may provide this information via request data such as
|
||||||
|
* headers or cookies which the pre-authentication system can extract. It is assumed that the external system is
|
||||||
|
* responsible for the accuracy of the data and preventing the submission of forged values.
|
||||||
|
*
|
||||||
|
* Subclasses must implement the {@code getPreAuthenticatedPrincipal()} and {@code getPreAuthenticatedCredentials()}
|
||||||
|
* methods. Subclasses of this filter are typically used in combination with a
|
||||||
|
* {@code PreAuthenticatedAuthenticationProvider}, which is used to load additional data for the user.
|
||||||
|
* This provider will reject null credentials, so the {@link #getPreAuthenticatedCredentials} method should not return
|
||||||
|
* null for a valid principal.
|
||||||
* <p>
|
* <p>
|
||||||
* If the security context already contains an {@code Authentication} object (either from a invocation of the
|
* If the security context already contains an {@code Authentication} object (either from a invocation of the
|
||||||
* filter or because of some other authentication mechanism), the filter will do nothing by default. You can force
|
* filter or because of some other authentication mechanism), the filter will do nothing by default. You can force
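Review bot: The new overview says the external system is responsible for "preventing the submission of forged values" but does not spell out what that requires of a deployment, which is the point most often missed with pre-authentication: this filter only extracts the principal "rather than to authenticate them", so the header or cookie it reads must not be settable by the client directly. I would add after the "forged values" sentence: `* In practice this means requests should only reach this filter through the trusted system (for example a proxy that sets, or strips any inbound, header), since the filter itself does not verify the extracted principal.` The same paragraph keeps the pre-existing typo `a invocation` in the "If the security context already contains" sentence, which this Javadoc edit could fix to `an invocation`. The class Javadoc continues past the end of the hunk.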
|
||||||
|
@ -47,15 +58,10 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
|
||||||
InitializingBean, ApplicationEventPublisherAware {
|
InitializingBean, ApplicationEventPublisherAware {
|
||||||
|
|
||||||
private ApplicationEventPublisher eventPublisher = null;
|
private ApplicationEventPublisher eventPublisher = null;
|
||||||
|
|
||||||
private AuthenticationDetailsSource authenticationDetailsSource = new WebAuthenticationDetailsSource();
|
private AuthenticationDetailsSource authenticationDetailsSource = new WebAuthenticationDetailsSource();
|
||||||
|
|
||||||
private AuthenticationManager authenticationManager = null;
|
private AuthenticationManager authenticationManager = null;
|
||||||
|
|
||||||
private boolean continueFilterChainOnUnsuccessfulAuthentication = true;
|
private boolean continueFilterChainOnUnsuccessfulAuthentication = true;
|
||||||
|
|
||||||
private boolean checkForPrincipalChanges;
|
private boolean checkForPrincipalChanges;
|
||||||
|
|
||||||
private boolean invalidateSessionOnPrincipalChange = true;
|
private boolean invalidateSessionOnPrincipalChange = true;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -229,8 +235,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
|
||||||
protected abstract Object getPreAuthenticatedPrincipal(HttpServletRequest request);
|
protected abstract Object getPreAuthenticatedPrincipal(HttpServletRequest request);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Override to extract the credentials (if applicable) from the current request. Some implementations
|
* Override to extract the credentials (if applicable) from the current request. Should not return null for a valid
|
||||||
* may return a dummy value.
|
* principal, though some implementations may return a dummy value.
|
||||||
*/
|
*/
|
||||||
protected abstract Object getPreAuthenticatedCredentials(HttpServletRequest request);
|
protected abstract Object getPreAuthenticatedCredentials(HttpServletRequest request);
|
||||||
}
|
}
|
||||||
|
|