Class FormLoginAuthenticationFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
    Direct Known Subclasses:
    EmbeddedLoginAuthenticationFilter

    public class FormLoginAuthenticationFilter
    extends org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
    Processes an authentication form submission for an OAuth2 Authorization Server for Universal Login.

    Login forms must present three parameters to this filter: an OAuth2 clientId, username, and password. The default parameter names to use are contained in the static fields OAuth2Utils.CLIENT_ID, UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_USERNAME_KEY and UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_PASSWORD_KEY. The parameter names for username/password can also be changed by setting the usernameParameter and passwordParameter properties.

    This filter by default responds to the URL /login.

    Author:
    Nick Crum (ncrum)
    See Also:
    for embedded login.
    • Field Summary

      • Fields inherited from class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter

        SPRING_SECURITY_FORM_PASSWORD_KEY, SPRING_SECURITY_FORM_USERNAME_KEY
      • Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

        authenticationDetailsSource, eventPublisher, messages
      • Fields inherited from class org.springframework.web.filter.GenericFilterBean

        logger
    • Constructor Summary

      Constructors 
      Constructor Description
      FormLoginAuthenticationFilter​(org.springframework.security.authentication.AuthenticationManager authenticationManager, org.springframework.security.web.authentication.AuthenticationSuccessHandler successHandler, org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler, org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy, StatelessUtil util, UserLockoutService userLockoutService)  
    • Method Summary

      Modifier and Type Method Description
      org.springframework.security.core.Authentication attemptAuthentication​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)  
      protected org.springframework.security.authentication.UsernamePasswordAuthenticationToken buildAuthToken​(String clientId, String username, String password)
      Creates a UsernamePasswordAuthenticationToken from the authentication request.
      protected UserLockoutService getUserLockoutService()  
      protected StatelessUtil getUtil()  
      protected String obtainClientId​(javax.servlet.http.HttpServletRequest request)
      Enables subclasses to override the composition of the clientId.
      protected org.springframework.security.core.Authentication tryAuthenticate​(org.springframework.security.core.Authentication authRequest, String clientId, String username)  
      protected void unsuccessfulAuthentication​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed)  
      • Methods inherited from class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter

        getPasswordParameter, getUsernameParameter, obtainPassword, obtainUsername, setDetails, setPasswordParameter, setPostOnly, setUsernameParameter
      • Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

        afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy, successfulAuthentication
      • Methods inherited from class org.springframework.web.filter.GenericFilterBean

        addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
    • Constructor Detail

      • FormLoginAuthenticationFilter

        public FormLoginAuthenticationFilter​(org.springframework.security.authentication.AuthenticationManager authenticationManager,
                                             org.springframework.security.web.authentication.AuthenticationSuccessHandler successHandler,
                                             org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler,
                                             org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy,
                                             StatelessUtil util,
                                             UserLockoutService userLockoutService)
    • Method Detail

      • attemptAuthentication

        public org.springframework.security.core.Authentication attemptAuthentication​(javax.servlet.http.HttpServletRequest request,
                                                                                      javax.servlet.http.HttpServletResponse response)
                                                                               throws org.springframework.security.core.AuthenticationException
        Overrides:
        attemptAuthentication in class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
        Throws:
        org.springframework.security.core.AuthenticationException
      • unsuccessfulAuthentication

        protected void unsuccessfulAuthentication​(javax.servlet.http.HttpServletRequest request,
                                                  javax.servlet.http.HttpServletResponse response,
                                                  org.springframework.security.core.AuthenticationException failed)
                                           throws IOException,
                                                  javax.servlet.ServletException
        Overrides:
        unsuccessfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
        Throws:
        IOException
        javax.servlet.ServletException
      • buildAuthToken

        protected org.springframework.security.authentication.UsernamePasswordAuthenticationToken buildAuthToken​(String clientId,
                                                                                                                 String username,
                                                                                                                 String password)
        Creates a UsernamePasswordAuthenticationToken from the authentication request.
        Parameters:
        clientId - ID of the client from which a user is trying to authenticate
        username - Provided username of the user trying to authenticate
        password - Provided password of the user trying to authenticate
        Returns:
        A UsernamePasswordAuthenticationToken representing the authentication request data.
      • tryAuthenticate

        protected org.springframework.security.core.Authentication tryAuthenticate​(org.springframework.security.core.Authentication authRequest,
                                                                                   String clientId,
                                                                                   String username)
      • obtainClientId

        protected String obtainClientId​(javax.servlet.http.HttpServletRequest request)
        Enables subclasses to override the composition of the clientId.
        Parameters:
        request - so that request attributes can be retrieved
        Returns:
        the clientId that will be presented in the Authentication request token to the AuthenticationManager
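
Added example (not part of this project's code or its Javadoc): a hypothetical subclass, StrictClientIdLoginFilter, that uses the obtainClientId hook to reject a missing or malformed clientId before it is placed in the authentication request token. The class name, the allowed-character pattern and the 64-character limit are assumptions, as is that attemptAuthentication obtains the clientId through this hook; the class is assumed to sit in the same package as FormLoginAuthenticationFilter, StatelessUtil and UserLockoutService.

```java
// Hypothetical subclass for illustration; declare it in the same package as
// FormLoginAuthenticationFilter so the project types below resolve without imports.
// package <package of FormLoginAuthenticationFilter>;

import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

public class StrictClientIdLoginFilter extends FormLoginAuthenticationFilter {

    // Assumed client id format: adjust to whatever your client registry actually issues.
    private static final Pattern CLIENT_ID_FORMAT = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    public StrictClientIdLoginFilter(AuthenticationManager authenticationManager,
                                     AuthenticationSuccessHandler successHandler,
                                     AuthenticationFailureHandler failureHandler,
                                     SessionAuthenticationStrategy sessionAuthenticationStrategy,
                                     StatelessUtil util,
                                     UserLockoutService userLockoutService) {
        super(authenticationManager, successHandler, failureHandler,
              sessionAuthenticationStrategy, util, userLockoutService);
    }

    @Override
    protected String obtainClientId(HttpServletRequest request) {
        // Let the parent read the value from wherever it normally does.
        String clientId = super.obtainClientId(request);
        if (clientId == null) {
            throw new BadCredentialsException("Missing client id");
        }
        String normalized = clientId.trim();
        if (!CLIENT_ID_FORMAT.matcher(normalized).matches()) {
            // Do not echo the submitted value into the message: it is untrusted
            // input and exception messages commonly end up in logs.
            throw new BadCredentialsException("Malformed client id");
        }
        return normalized;
    }
}
```

BadCredentialsException is an AuthenticationException, so when it propagates out of attemptAuthentication the inherited doFilter routes it to unsuccessfulAuthentication like any other failed login.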