org.acegisecurity.ui
Class ExceptionTranslationFilter

java.lang.Object
  org.acegisecurity.ui.ExceptionTranslationFilter

All Implemented Interfaces:

Filter, InitializingBean

public class ExceptionTranslationFilter
extends Object
implements Filter, InitializingBean

Handles any AccessDeniedException and AuthenticationException thrown within the filter chain.

This filter is necessary because it provides the bridge between Java exceptions and HTTP responses. It is solely concerned with maintaining the user interface. This filter does not do any actual security enforcement.

If an AuthenticationException is detected, the filter will launch the authenticationEntryPoint. This allows common handling of authentication failures originating from any subclass of AbstractSecurityInterceptor.

If an AccessDeniedException is detected, the filter will determine whether or not the user is an anonymous user. If they are an anonymous user, the authenticationEntryPoint will be launched. If they are not an anonymous user, the filter will delegate to the AccessDeniedHandler. By default the filter will use AccessDeniedHandlerImpl.

To use this filter, it is necessary to specify the following properties:

• authenticationEntryPoint indicates the handler that should commence the authentication process if an AuthenticationException is detected. Note that this may also switch the current protocol from http to https for an SSL login.
• portResolver is used to determine the "real" port that a request was received on.

Do not use this class directly. Instead configure web.xml to use the FilterToBeanProxy.

Version:

$Id: ExceptionTranslationFilter.java 1496 2006-05-23 13:38:33Z benalex $

Author:

Ben Alex, colin sampaleanu

Constructor Summary

ExceptionTranslationFilter()

Method Summary

void	afterPropertiesSet()
void	destroy()
void	doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
AuthenticationEntryPoint	getAuthenticationEntryPoint()
AuthenticationTrustResolver	getAuthenticationTrustResolver()
PortResolver	getPortResolver()
void	init(FilterConfig filterConfig)
boolean	isCreateSessionAllowed() If true, indicates that SecurityEnforcementFilter is permitted to store the target URL and exception information in the HttpSession (the default).
protected void	sendStartAuthentication(ServletRequest request, ServletResponse response, FilterChain chain, AuthenticationException reason)
void	setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
void	setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint)
void	setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver)
void	setCreateSessionAllowed(boolean createSessionAllowed)
void	setPortResolver(PortResolver portResolver)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ExceptionTranslationFilter

public ExceptionTranslationFilter()

Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception

Specified by:

afterPropertiesSet in interface InitializingBean

Throws:

Exception

destroy

public void destroy()

Specified by:

destroy in interface Filter

doFilter

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
              throws IOException,
                     ServletException

Specified by:

doFilter in interface Filter

Throws:

IOException

ServletException

getAuthenticationEntryPoint

public AuthenticationEntryPoint getAuthenticationEntryPoint()

getAuthenticationTrustResolver

public AuthenticationTrustResolver getAuthenticationTrustResolver()

getPortResolver

public PortResolver getPortResolver()

init

public void init(FilterConfig filterConfig)
          throws ServletException

Specified by:

init in interface Filter

Throws:

ServletException

isCreateSessionAllowed

public boolean isCreateSessionAllowed()

If true, indicates that SecurityEnforcementFilter is permitted to store the target URL and exception information in the HttpSession (the default). In situations where you do not wish to unnecessarily create HttpSessions - because the user agent will know the failed URL, such as with BASIC or Digest authentication - you may wish to set this property to false. Remember to also set the HttpSessionContextIntegrationFilter.allowSessionCreation to false if you set this property to false.

Returns:

true if the HttpSession will be used to store information about the failed request, false if the HttpSession will not be used

sendStartAuthentication

protected void sendStartAuthentication(ServletRequest request,
                                       ServletResponse response,
                                       FilterChain chain,
                                       AuthenticationException reason)
                                throws ServletException,
                                       IOException

Throws:

ServletException

IOException

setAccessDeniedHandler

public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)

setAuthenticationEntryPoint

public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint)

setAuthenticationTrustResolver

public void setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver)

setCreateSessionAllowed

public void setCreateSessionAllowed(boolean createSessionAllowed)

setPortResolver

public void setPortResolver(PortResolver portResolver)