root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 13 Packages Projects Releases Wiki Activity

SEC-603: Removed requirement for an entry point on BasicProcessingFilter if ignoreFailures is true.

This commit is contained in:
Luke Taylor 2008-02-18 15:41:23 +00:00
parent 5af9653a8e
commit d7b3a1f734
1 changed files with 52 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java
View File

@ -43,30 +43,45 @@ import org.springframework.util.Assert;
/** /**
* Processes a HTTP request's BASIC authorization headers, putting the result into the * Processes a HTTP request's BASIC authorization headers, putting the result into the
* <code>SecurityContextHolder</code>.<p>For a detailed background on what this filter is designed to process, * <code>SecurityContextHolder</code>.
* refer to <A HREF="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section 11.1</A>. Any realm name presented in *
* the HTTP request is ignored.</p> * <p>
* <p>In summary, this filter is responsible for processing any request that has a HTTP request header of * For a detailed background on what this filter is designed to process, refer to
* <a href="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section 11.1</a>. Any realm name presented in
* the HTTP request is ignored.
*
* <p>
* In summary, this filter is responsible for processing any request that has a HTTP request header of
* <code>Authorization</code> with an authentication scheme of <code>Basic</code> and a Base64-encoded * <code>Authorization</code> with an authentication scheme of <code>Basic</code> and a Base64-encoded
* <code>username:password</code> token. For example, to authenticate user "Aladdin" with password "open sesame" the * <code>username:password</code> token. For example, to authenticate user "Aladdin" with password "open sesame" the
* following header would be presented:</p> * following header would be presented:
* <p><code>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code>.</p> * <pre>
* <p>This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as *
* Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).</p> * Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
* <P>If authentication is successful, the resulting {@link Authentication} object will be placed into the * </pre>
* <code>SecurityContextHolder</code>.</p> *
* <p>If authentication fails and <code>ignoreFailure</code> is <code>false</code> (the default), an {@link * <p>
* AuthenticationEntryPoint} implementation is called. Usually this should be {@link BasicProcessingFilterEntryPoint}, * This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as
* which will prompt the user to authenticate again via BASIC authentication.</p> * Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).
* <p>Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still * <p>
* If authentication is successful, the resulting {@link Authentication} object will be placed into the
* <code>SecurityContextHolder</code>.
*
* <p>
* If authentication fails and <code>ignoreFailure</code> is <code>false</code> (the default), an {@link
* AuthenticationEntryPoint} implementation is called (unless the <tt>ignoreFailure</tt> property is set to
* <tt>true</tt>). Usually this should be {@link BasicProcessingFilterEntryPoint}, which will prompt the user to
* authenticate again via BASIC authentication.
*
* <p>
* Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still
* transmits a password in clear text and as such is undesirable in many situations. Digest authentication is also * transmits a password in clear text and as such is undesirable in many situations. Digest authentication is also
* provided by Spring Security and should be used instead of Basic authentication wherever possible. See {@link * provided by Spring Security and should be used instead of Basic authentication wherever possible. See {@link
* org.springframework.security.ui.digestauth.DigestProcessingFilter}.</p> * org.springframework.security.ui.digestauth.DigestProcessingFilter}.
* <p>Note that if a {@link #rememberMeServices} is set, this filter will automatically send back remember-me * <p>
* Note that if a {@link RememberMeServices} is set, this filter will automatically send back remember-me
* details to the client. Therefore, subsequent requests will not need to present a BASIC authentication header as * details to the client. Therefore, subsequent requests will not need to present a BASIC authentication header as
* they will be authenticated using the remember-me mechanism.</p> * they will be authenticated using the remember-me mechanism.
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
* org.springframework.security.util.FilterToBeanProxy}.</p>
* *
* @author Ben Alex * @author Ben Alex
* @version $Id$ * @version $Id$
@ -88,7 +103,10 @@ public class BasicProcessingFilter extends SpringSecurityFilter implements Initi
public void afterPropertiesSet() throws Exception { public void afterPropertiesSet() throws Exception {
Assert.notNull(this.authenticationManager, "An AuthenticationManager is required"); Assert.notNull(this.authenticationManager, "An AuthenticationManager is required");
Assert.notNull(this.authenticationEntryPoint, "An AuthenticationEntryPoint is required");
if(!isIgnoreFailure()) {
Assert.notNull(this.authenticationEntryPoint, "An AuthenticationEntryPoint is required");
}
} }
public void doFilterHttp(HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain chain) public void doFilterHttp(HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain chain)
@ -189,33 +207,33 @@ public class BasicProcessingFilter extends SpringSecurityFilter implements Initi
return false; return false;
} }
public AuthenticationEntryPoint getAuthenticationEntryPoint() { protected AuthenticationEntryPoint getAuthenticationEntryPoint() {
return authenticationEntryPoint; return authenticationEntryPoint;
} }
public AuthenticationManager getAuthenticationManager() {
return authenticationManager;
}
public boolean isIgnoreFailure() {
return ignoreFailure;
}
public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) {
Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
this.authenticationDetailsSource = authenticationDetailsSource;
}
public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) { public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) {
this.authenticationEntryPoint = authenticationEntryPoint; this.authenticationEntryPoint = authenticationEntryPoint;
} }
protected AuthenticationManager getAuthenticationManager() {
return authenticationManager;
}
public void setAuthenticationManager(AuthenticationManager authenticationManager) { public void setAuthenticationManager(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager; this.authenticationManager = authenticationManager;
} }
protected boolean isIgnoreFailure() {
return ignoreFailure;
}
public void setIgnoreFailure(boolean ignoreFailure) { public void setIgnoreFailure(boolean ignoreFailure) {
this.ignoreFailure = ignoreFailure; this.ignoreFailure = ignoreFailure;
}
public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) {
Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
this.authenticationDetailsSource = authenticationDetailsSource;
} }
public void setRememberMeServices(RememberMeServices rememberMeServices) { public void setRememberMeServices(RememberMeServices rememberMeServices) {