com.broadleafcommerce.auth.user.session

Class OAuth2SessionAuthenticationFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

com.broadleafcommerce.auth.user.session.OAuth2SessionAuthenticationFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class OAuth2SessionAuthenticationFilter
extends org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

Processes an OAuth2 client session Cookie to establish an authentication user.

The way this filter selects the client session Cookie is by appending the OAuth2Utils.CLIENT_ID request parameter to the StatelessUtil#getSessionCookiePrefix(), yielding, for example: BLSID-[client_id].

If the client session Cookie exists, this filter will extract the Cookie's value, which is expected to be a SignedJWT. The String token and the OAuth2Utils.CLIENT_ID is then used to construct an OAuth2SessionAuthenticationToken.

The OAuth2SessionAuthenticationToken is then passed to AuthenticationManager.authenticate(Authentication), which usually is then handled by OAuth2SessionAuthenticationProvider, unless another provider is implemented to handle authenticating the token.

Upon a successful authentication, this filter will set the Authentication on the SecurityContext, refresh the client session Cookie, and proceed with the rest of the FilterChain.

Upon a failed authentication, this filter will clear the SecurityContext, and delegate to the AuthenticationEntryPoint to redirect the user to an appropriate location.

Author:

Nick Crum (ncrum)

Field Summary

Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

authenticationDetailsSource, eventPublisher, messages

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor and Description
OAuth2SessionAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, StatelessUtil util, org.springframework.security.web.AuthenticationEntryPoint authenticationEntrypoint)

Method Summary

Modifier and Type	Method and Description
org.springframework.security.core.Authentication	attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void	refreshSessionCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult) Helper method used to refresh the expiration on the current session cookie up to the max expiration time.
protected void	successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult)
protected void	unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed)

Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

OAuth2SessionAuthenticationFilter

public OAuth2SessionAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager,
                                         StatelessUtil util,
                                         org.springframework.security.web.AuthenticationEntryPoint authenticationEntrypoint)

Method Detail

attemptAuthentication

public org.springframework.security.core.Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request,
                                                                              javax.servlet.http.HttpServletResponse response)
                                                                       throws org.springframework.security.core.AuthenticationException

Specified by:

attemptAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

Throws:

org.springframework.security.core.AuthenticationException

successfulAuthentication

protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request,
                                        javax.servlet.http.HttpServletResponse response,
                                        javax.servlet.FilterChain chain,
                                        org.springframework.security.core.Authentication authResult)
                                 throws IOException,
                                        javax.servlet.ServletException

Overrides:

successfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

Throws:

IOException

javax.servlet.ServletException

refreshSessionCookie

protected void refreshSessionCookie(javax.servlet.http.HttpServletRequest request,
                                    javax.servlet.http.HttpServletResponse response,
                                    org.springframework.security.core.Authentication authResult)

Helper method used to refresh the expiration on the current session cookie up to the max expiration time. This ensures that subsequent requests keep the user's session alive.

unsuccessfulAuthentication

protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
                                          javax.servlet.http.HttpServletResponse response,
                                          org.springframework.security.core.AuthenticationException failed)
                                   throws IOException,
                                          javax.servlet.ServletException

Overrides:

unsuccessfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

Throws:

IOException

javax.servlet.ServletException