Class OAuth2SessionAuthenticationFilter
- java.lang.Object
  - org.springframework.web.filter.GenericFilterBean
    - org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      - com.broadleafcommerce.auth.user.session.OAuth2SessionAuthenticationFilter
- All Implemented Interfaces:
  javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
public class OAuth2SessionAuthenticationFilter extends org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

Processes an OAuth2 client session Cookie to establish an authenticated user.

The way this filter selects the client session Cookie is by appending the OAuth2Utils.CLIENT_ID request parameter to the StatelessUtil#getSessionCookiePrefix(), yielding, for example: BLSID-[client_id].

If the client session Cookie exists, this filter extracts the Cookie's value, which is expected to be a SignedJWT. The String token and the OAuth2Utils.CLIENT_ID are then used to construct an OAuth2SessionAuthenticationToken. The OAuth2SessionAuthenticationToken is then passed to AuthenticationManager.authenticate(Authentication), which is usually handled by OAuth2SessionAuthenticationProvider, unless another provider is implemented to handle authenticating the token.

Upon a successful authentication, this filter sets the Authentication on the SecurityContext, refreshes the client session Cookie, and proceeds with the rest of the FilterChain.

Upon a failed authentication, this filter clears the SecurityContext and delegates to the AuthenticationEntryPoint to redirect the user to an appropriate location.

- Author:
  Nick Crum (ncrum)
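As an added illustration (not Broadleaf's code) of the cookie-selection and token-construction steps described above, the following subclass implements only the attemptAuthentication step of that flow. It assumes OAuth2SessionAuthenticationToken has a (String token, String clientId) constructor, that the cookie value is a Nimbus SignedJWT, and that StatelessUtil, OAuth2Utils and the token class are imported from the Broadleaf auth module (their packages are not given on this page).

```java
import java.text.ParseException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.web.util.WebUtils;
import com.nimbusds.jwt.SignedJWT;
// StatelessUtil, OAuth2Utils and OAuth2SessionAuthenticationToken are the Broadleaf types named
// on this page; import them from your Broadleaf auth dependency (packages not shown here).

public class ExampleSessionCookieFilter extends AbstractAuthenticationProcessingFilter {

    private final StatelessUtil util; // supplies getSessionCookiePrefix(), e.g. "BLSID-"

    public ExampleSessionCookieFilter(AuthenticationManager authenticationManager, StatelessUtil util) {
        super(AnyRequestMatcher.INSTANCE); // any request may carry a client session cookie
        setAuthenticationManager(authenticationManager);
        this.util = util;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        // Step 1: the client_id request parameter selects which session cookie to read
        String clientId = request.getParameter(OAuth2Utils.CLIENT_ID);
        if (clientId == null || clientId.isEmpty()) {
            throw new AuthenticationCredentialsNotFoundException("missing " + OAuth2Utils.CLIENT_ID);
        }
        // Step 2: cookie name is prefix + client id, e.g. BLSID-[client_id]
        String cookieName = util.getSessionCookiePrefix() + clientId;
        Cookie cookie = WebUtils.getCookie(request, cookieName);
        if (cookie == null || cookie.getValue() == null || cookie.getValue().isEmpty()) {
            throw new AuthenticationCredentialsNotFoundException("no session cookie " + cookieName);
        }
        // Step 3: the value must at least be a well-formed signed JWT; the provider verifies the signature
        String token = cookie.getValue();
        try {
            SignedJWT.parse(token);
        } catch (ParseException e) {
            throw new BadCredentialsException("session cookie is not a signed JWT", e);
        }
        // Step 4: hand the token to the AuthenticationManager (assumed constructor signature)
        return getAuthenticationManager().authenticate(new OAuth2SessionAuthenticationToken(token, clientId));
    }
}
```

Every thrown AuthenticationException reaches unsuccessfulAuthentication, which in the documented filter clears the SecurityContext and hands off to the AuthenticationEntryPoint.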
Constructor Summary

Constructors:
- OAuth2SessionAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, StatelessUtil util, org.springframework.security.web.AuthenticationEntryPoint authenticationEntrypoint)

Method Summary

All Methods, Instance Methods, Concrete Methods:
- org.springframework.security.core.Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
- protected void refreshSessionCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult)
  Helper method used to refresh the expiration on the current session cookie up to the max expiration time.
- protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult)
- protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed)

Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy
Constructor Detail

OAuth2SessionAuthenticationFilter
public OAuth2SessionAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, StatelessUtil util, org.springframework.security.web.AuthenticationEntryPoint authenticationEntrypoint)
Method Detail

attemptAuthentication
public org.springframework.security.core.Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws org.springframework.security.core.AuthenticationException
- Specified by:
  attemptAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
- Throws:
  org.springframework.security.core.AuthenticationException

successfulAuthentication
protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult) throws IOException, javax.servlet.ServletException
- Overrides:
  successfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
- Throws:
  IOException, javax.servlet.ServletException

refreshSessionCookie
protected void refreshSessionCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult)
Helper method used to refresh the expiration on the current session cookie up to the max expiration time. This ensures that subsequent requests keep the user's session alive.

unsuccessfulAuthentication
protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) throws IOException, javax.servlet.ServletException
- Overrides:
  unsuccessfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
- Throws:
  IOException, javax.servlet.ServletException