SEC-1350: Improved Javadoc for AbstractPreAuthenticatedProcessingFilter

Added clarification that the credentials returned
by the subclass should not be null or they will
typically be rejected by the provider. Also added
some general overview.
This commit is contained in:
Luke Taylor 2010-01-05 16:01:55 +00:00
parent 93973a4b75
commit f5d36aef65
1 changed files with 15 additions and 9 deletions

View File

@ -25,8 +25,19 @@ import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean; import org.springframework.web.filter.GenericFilterBean;
/** /**
* Base class for processing filters that handle pre-authenticated authentication requests. Subclasses must implement * Base class for processing filters that handle pre-authenticated authentication requests, where it is assumed
* the {@code getPreAuthenticatedPrincipal()} and {@code getPreAuthenticatedCredentials()} methods. * that the principal has already been authenticated by an external system.
* <p>
* The purpose is then only to extract the necessary information on the principal from the incoming request, rather
* than to authenticate them. External authentication systems may provide this information via request data such as
* headers or cookies which the pre-authentication system can extract. It is assumed that the external system is
* responsible for the accuracy of the data and preventing the submission of forged values.
*
* Subclasses must implement the {@code getPreAuthenticatedPrincipal()} and {@code getPreAuthenticatedCredentials()}
* methods. Subclasses of this filter are typically used in combination with a
* {@code PreAuthenticatedAuthenticationProvider}, which is used to load additional data for the user.
* This provider will reject null credentials, so the {@link #getPreAuthenticatedCredentials} method should not return
* null for a valid principal.
* <p> * <p>
* If the security context already contains an {@code Authentication} object (either from a invocation of the * If the security context already contains an {@code Authentication} object (either from a invocation of the
* filter or because of some other authentication mechanism), the filter will do nothing by default. You can force * filter or because of some other authentication mechanism), the filter will do nothing by default. You can force
@ -47,15 +58,10 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
InitializingBean, ApplicationEventPublisherAware { InitializingBean, ApplicationEventPublisherAware {
private ApplicationEventPublisher eventPublisher = null; private ApplicationEventPublisher eventPublisher = null;
private AuthenticationDetailsSource authenticationDetailsSource = new WebAuthenticationDetailsSource(); private AuthenticationDetailsSource authenticationDetailsSource = new WebAuthenticationDetailsSource();
private AuthenticationManager authenticationManager = null; private AuthenticationManager authenticationManager = null;
private boolean continueFilterChainOnUnsuccessfulAuthentication = true; private boolean continueFilterChainOnUnsuccessfulAuthentication = true;
private boolean checkForPrincipalChanges; private boolean checkForPrincipalChanges;
private boolean invalidateSessionOnPrincipalChange = true; private boolean invalidateSessionOnPrincipalChange = true;
/** /**
@ -229,8 +235,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
protected abstract Object getPreAuthenticatedPrincipal(HttpServletRequest request); protected abstract Object getPreAuthenticatedPrincipal(HttpServletRequest request);
/** /**
* Override to extract the credentials (if applicable) from the current request. Some implementations * Override to extract the credentials (if applicable) from the current request. Should not return null for a valid
* may return a dummy value. * principal, though some implementations may return a dummy value.
*/ */
protected abstract Object getPreAuthenticatedCredentials(HttpServletRequest request); protected abstract Object getPreAuthenticatedCredentials(HttpServletRequest request);
} }