From 185d63f23cd7ae5173ba3c8aa4b9ab0a38e2589a Mon Sep 17 00:00:00 2001
From: Ben Alex
Date: Wed, 26 Apr 2006 03:40:24 +0000
Subject: [PATCH] SEC-221: AbstractProcessingFilter.onPreAuthentication() should have exceptions caught.
---
 .../ui/AbstractProcessingFilter.java | 62 +++++++++++--------
 1 file changed, 35 insertions(+), 27 deletions(-)
diff --git a/core/src/main/java/org/acegisecurity/ui/AbstractProcessingFilter.java b/core/src/main/java/org/acegisecurity/ui/AbstractProcessingFilter.java
index ac8f0ffa60..a367e5f73c 100644
--- a/core/src/main/java/org/acegisecurity/ui/AbstractProcessingFilter.java
+++ b/core/src/main/java/org/acegisecurity/ui/AbstractProcessingFilter.java
@@ -1,4 +1,4 @@
-/* Copyright 2004, 2005 Acegi Technology Pty Limited
+/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -15,7 +15,33 @@ package org.acegisecurity.ui; +import org.acegisecurity.AcegiMessageSource; +import org.acegisecurity.Authentication; +import org.acegisecurity.AuthenticationException; +import org.acegisecurity.AuthenticationManager; + +import org.acegisecurity.context.SecurityContextHolder; + +import org.acegisecurity.event.authentication.InteractiveAuthenticationSuccessEvent; + +import org.acegisecurity.ui.rememberme.NullRememberMeServices; +import org.acegisecurity.ui.rememberme.RememberMeServices; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import org.springframework.beans.factory.InitializingBean; + +import org.springframework.context.ApplicationEventPublisher; +import org.springframework.context.ApplicationEventPublisherAware; +import org.springframework.context.MessageSource; +import org.springframework.context.MessageSourceAware; +import org.springframework.context.support.MessageSourceAccessor; + +import org.springframework.util.Assert; + import java.io.IOException; + import java.util.Properties; import javax.servlet.Filter; 
@@ -27,24 +53,6 @@ import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.acegisecurity.AcegiMessageSource; -import org.acegisecurity.Authentication; -import org.acegisecurity.AuthenticationException; -import org.acegisecurity.AuthenticationManager; -import org.acegisecurity.context.SecurityContextHolder; -import org.acegisecurity.event.authentication.InteractiveAuthenticationSuccessEvent; -import org.acegisecurity.ui.rememberme.NullRememberMeServices; -import org.acegisecurity.ui.rememberme.RememberMeServices; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.springframework.beans.factory.InitializingBean; -import org.springframework.context.ApplicationEventPublisher; -import org.springframework.context.ApplicationEventPublisherAware; -import org.springframework.context.MessageSource; -import org.springframework.context.MessageSourceAware; -import org.springframework.context.support.MessageSourceAccessor; -import org.springframework.util.Assert; - /** * Abstract processor of browser-based HTTP-based authentication requests. @@ -100,11 +108,11 @@ import org.springframework.util.Assert; * fully-qualified exception class name to a redirection url target.
* For example:
* <property name="exceptionMappings">
- *   <props>
- *     <prop> key="org.acegisecurity.BadCredentialsException">/bad_credentials.jsp</prop>
- *   </props>
- * </property>
- *

+ * *   <props>
+ * *     <prop> key="org.acegisecurity.BadCredentialsException">/bad_credentials.jsp</prop>
+ * *   </props>
+ * * </property>
+ * *
* The example above would redirect all {@link * org.acegisecurity.BadCredentialsException}s thrown, to a page in the * web-application called /bad_credentials.jsp. @@ -220,11 +228,10 @@ public abstract class AbstractProcessingFilter implements Filter, logger.debug("Request is to process authentication"); } - onPreAuthentication(httpRequest, httpResponse); - Authentication authResult; try { + onPreAuthentication(httpRequest, httpResponse); authResult = attemptAuthentication(httpRequest); } catch (AuthenticationException failed) { // Authentication failed @@ -296,7 +303,8 @@ public abstract class AbstractProcessingFilter implements Filter, } protected void onPreAuthentication(HttpServletRequest request, - HttpServletResponse response) throws IOException {} + HttpServletResponse response) + throws AuthenticationException, IOException {} protected void onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult)
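Review bot: Only an AuthenticationException from the hook is covered by moving `onPreAuthentication(httpRequest, httpResponse);` into the `try`; an IOException or any other runtime exception thrown by a subclass still leaves the method without the failure handling running, and nothing at the call site says this is deliberate. A one-line comment above the call would record the intent, for example `// inside the try: an AuthenticationException from the hook is handled as a failed authentication`. The catch body and the rest of the enclosing method lie outside the hunk, so whether the failure handling copes with a request for which attemptAuthentication() never ran cannot be checked from here and is worth confirming.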
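Review bot: The new contract of onPreAuthentication() is not documented: the method still has no Javadoc, although subclasses now need to know that throwing AuthenticationException aborts the attempt and is routed to the same failure handling as a rejected login, while IOException propagates to the caller. I would add a Javadoc block that says so and carries `@throws AuthenticationException` and `@throws IOException` entries. Because the hook receives the response and the class Javadoc describes exceptionMappings as redirect targets, the comment should also tell implementers not to write to or commit the response before throwing, since the failure redirect presumably cannot be sent afterwards. The following onSuccessfulAuthentication() declaration continues outside the hunk.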