org.springframework.security.web.servletapi
Class SecurityContextHolderAwareRequestFilter

java.lang.Object
  org.springframework.web.filter.GenericFilterBean
      org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter

All Implemented Interfaces:

javax.servlet.Filter, Aware, BeanNameAware, DisposableBean, InitializingBean, EnvironmentAware, ServletContextAware

public class SecurityContextHolderAwareRequestFilter
extends GenericFilterBean

A Filter which populates the ServletRequest with a request wrapper which implements the servlet API security methods.

In pre servlet 3 environment the wrapper class used is SecurityContextHolderAwareRequestWrapper. See its javadoc for the methods that are implemented.

In a servlet 3 environment SecurityContextHolderAwareRequestWrapper is extended to provide the following additional methods:

• HttpServletRequest.authenticate(HttpServletResponse) - Allows the user to determine if they are authenticated and if not send the user to the login page. See setAuthenticationEntryPoint(AuthenticationEntryPoint).
• HttpServletRequest.login(String, String) - Allows the user to authenticate using the AuthenticationManager. See setAuthenticationManager(AuthenticationManager).
• HttpServletRequest.logout() - Allows the user to logout using the LogoutHandlers configured in Spring Security. See setLogoutHandlers(List).
• AsyncContext.start(Runnable) - Automatically copy the SecurityContext from the SecurityContextHolder found on the Thread that invoked AsyncContext.start(Runnable) to the Thread that processes the Runnable.

Author:

Orlando Garcia Carmona, Ben Alex, Luke Taylor, Rob Winch

Field Summary

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

SecurityContextHolderAwareRequestFilter()

Method Summary

void	afterPropertiesSet()
void	doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain)
void	setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) Sets the AuthenticationEntryPoint used when integrating HttpServletRequest with Servlet 3 APIs.
void	setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager) Sets the AuthenticationManager used when integrating HttpServletRequest with Servlet 3 APIs.
void	setLogoutHandlers(List<LogoutHandler> logoutHandlers) Sets the LogoutHandlers used when integrating with HttpServletRequest with Servlet 3 APIs.
void	setRolePrefix(String rolePrefix)

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SecurityContextHolderAwareRequestFilter

public SecurityContextHolderAwareRequestFilter()

Method Detail

setRolePrefix

public void setRolePrefix(String rolePrefix)

setAuthenticationEntryPoint

public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint)

Sets the AuthenticationEntryPoint used when integrating HttpServletRequest with Servlet 3 APIs. Specifically, it will be used when HttpServletRequest.authenticate(HttpServletResponse) is called and the user is not authenticated.

If the value is null (default), then the default container behavior will be be retained when invoking HttpServletRequest.authenticate(HttpServletResponse).

Parameters:

authenticationEntryPoint - the AuthenticationEntryPoint to use when invoking HttpServletRequest.authenticate(HttpServletResponse) if the user is not authenticated.

Throws:

IllegalStateException - if the Servlet 3 APIs are not found on the classpath

setAuthenticationManager

public void setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)

Sets the AuthenticationManager used when integrating HttpServletRequest with Servlet 3 APIs. Specifically, it will be used when HttpServletRequest.login(String, String) is invoked to determine if the user is authenticated.

If the value is null (default), then the default container behavior will be retained when invoking HttpServletRequest.login(String, String).

Parameters:

authenticationManager - the AuthenticationManager to use when invoking HttpServletRequest.login(String, String)

Throws:

IllegalStateException - if the Servlet 3 APIs are not found on the classpath

setLogoutHandlers

public void setLogoutHandlers(List<LogoutHandler> logoutHandlers)

Sets the LogoutHandlers used when integrating with HttpServletRequest with Servlet 3 APIs. Specifically it will be used when HttpServletRequest.logout() is invoked in order to log the user out. So long as the LogoutHandlers do not commit the HttpServletResponse (expected), then the user is in charge of handling the response.

If the value is null (default), the default container behavior will be retained when invoking HttpServletRequest.logout().

Parameters:

logoutHandlers - the Lists when invoking HttpServletRequest.logout().

Throws:

IllegalStateException - if the Servlet 3 APIs are not found on the classpath

doFilter

public void doFilter(javax.servlet.ServletRequest req,
                     javax.servlet.ServletResponse res,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

afterPropertiesSet

public void afterPropertiesSet()
                        throws javax.servlet.ServletException

Specified by:

afterPropertiesSet in interface InitializingBean

Overrides:

afterPropertiesSet in class GenericFilterBean

Throws:

javax.servlet.ServletException