Class FormLoginAuthenticationFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
com.broadleafcommerce.auth.user.session.FormLoginAuthenticationFilter
All Implemented Interfaces:
javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
Direct Known Subclasses:
EmbeddedLoginAuthenticationFilter

public class FormLoginAuthenticationFilter extends org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
Processes an authentication form submission for an OAuth2 Authorization Server for Universal Login.

Login forms must present three parameters to this filter: an OAuth2 clientId, username, and password. The default parameter names to use are contained in the static fields OAuth2Utils.CLIENT_ID, UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_USERNAME_KEY and UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_PASSWORD_KEY. The parameter names for username/password can also be changed by setting the usernameParameter and passwordParameter properties.

This filter by default responds to the URL /login.

Author:
Nick Crum (ncrum)
  • Field Summary

    Fields inherited from class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter

    SPRING_SECURITY_FORM_PASSWORD_KEY, SPRING_SECURITY_FORM_USERNAME_KEY

    Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    authenticationDetailsSource, eventPublisher, messages

    Fields inherited from class org.springframework.web.filter.GenericFilterBean

    logger
  • Constructor Summary

    Constructors
    Constructor
    Description
    FormLoginAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, org.springframework.security.web.authentication.AuthenticationSuccessHandler successHandler, org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler, org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy, StatelessUtil util, UserLockoutService userLockoutService)
     
  • Method Summary

    Modifier and Type | Method | Description

    org.springframework.security.core.Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)

    protected org.springframework.security.authentication.UsernamePasswordAuthenticationToken buildAuthToken(String clientId, String username, String password)
        Creates a UsernamePasswordAuthenticationToken from the authentication request.

    protected User checkIfUserPasswordIsExpired(User user)
        Checks if the user requires their password to be reset because it has expired.

    protected UserLockoutService getUserLockoutService()

    protected UserPasswordProperties getUserPasswordProperties()

    protected UserService<User> getUserService()

    protected StatelessUtil getUtil()

    protected String obtainClientId(javax.servlet.http.HttpServletRequest request)
        Enables subclasses to override the composition of the clientId.

    void setUserPasswordProperties(UserPasswordProperties userPasswordProperties)

    void setUserService(UserService<User> userService)

    protected org.springframework.security.core.Authentication tryAuthenticate(org.springframework.security.core.Authentication authRequest, String clientId, String username)
        Attempts authentication.

    protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed)

    Methods inherited from class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter

    getPasswordParameter, getUsernameParameter, obtainPassword, obtainUsername, setDetails, setPasswordParameter, setPostOnly, setUsernameParameter

    Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSecurityContextRepository, setSessionAuthenticationStrategy, successfulAuthentication

    Methods inherited from class org.springframework.web.filter.GenericFilterBean

    addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • FormLoginAuthenticationFilter

      public FormLoginAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, org.springframework.security.web.authentication.AuthenticationSuccessHandler successHandler, org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler, org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy, StatelessUtil util, UserLockoutService userLockoutService)
  • Method Details

    • attemptAuthentication

      public org.springframework.security.core.Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws org.springframework.security.core.AuthenticationException
      Overrides:
      attemptAuthentication in class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
      Throws:
      org.springframework.security.core.AuthenticationException
    • unsuccessfulAuthentication

      protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) throws IOException, javax.servlet.ServletException
      Overrides:
      unsuccessfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      Throws:
      IOException
      javax.servlet.ServletException
    • buildAuthToken

      protected org.springframework.security.authentication.UsernamePasswordAuthenticationToken buildAuthToken(String clientId, String username, String password)
      Creates a UsernamePasswordAuthenticationToken from the authentication request.
      Parameters:
      clientId - ID of the client from which a user is trying to authenticate
      username - Provided username of the user trying to authenticate
      password - Provided password of the user trying to authenticate
      Returns:
      A UsernamePasswordAuthenticationToken representing the authentication request data.
    • tryAuthenticate

      protected org.springframework.security.core.Authentication tryAuthenticate(org.springframework.security.core.Authentication authRequest, String clientId, String username)
      Attempts authentication. Before delegating to the AuthenticationManager, this checks whether a locked user may be unlocked and whether the user's password has expired.
      Parameters:
      authRequest - The request to authenticate.
      clientId - The AuthorizedClient the request originated from.
      username - The User.getUsername() of the User.
      Returns:
      The Authentication if successful.
      Throws:
      org.springframework.security.authentication.LockedException - when the user is locked and not allowed to be unlocked. See User.isLocked().
      org.springframework.security.authentication.BadCredentialsException - when the user's credentials are incorrect
      org.springframework.security.authentication.CredentialsExpiredException - when the user's password has passed the threshold specified by UserPasswordProperties.getPasswordMaxLifeDays(), or when User.getPasswordLastUpdated() is null and UserPasswordProperties.isForcePasswordResetIfLastUpdatedDateIsNull() is true.
      org.springframework.security.authentication.InternalAuthenticationServiceException - when the system could not properly process the request
    • obtainClientId

      protected String obtainClientId(javax.servlet.http.HttpServletRequest request)
      Enables subclasses to override the composition of the clientId.
      Parameters:
      request - so that request attributes can be retrieved
      Returns:
      the clientId that will be presented in the Authentication request token to the AuthenticationManager
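      Added example (not Broadleaf code) of using this hook together with the constructor above: a subclass that reads the client id from the OAuth2Utils.CLIENT_ID form parameter, falls back to a configured default when the form omits it, and rejects client ids outside an allow-list before any credential is checked. It assumes StatelessUtil and UserLockoutService live in the filter's own package (their packages are not given here), that OAuth2Utils is Spring Security OAuth's org.springframework.security.oauth2.common.util.OAuth2Utils, and that obtainClientId is invoked from attemptAuthentication so an AuthenticationException thrown here reaches unsuccessfulAuthentication.

```java
// Added example; the collaborator packages below are assumptions.
package com.broadleafcommerce.auth.user.session;

import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Login filter that only accepts an allow-listed OAuth2 clientId on the
 * Universal Login form and substitutes a default when none is submitted.
 */
public class AllowListedClientLoginFilter extends FormLoginAuthenticationFilter {

    private final Set<String> allowedClientIds;
    private final String defaultClientId;

    public AllowListedClientLoginFilter(AuthenticationManager authenticationManager,
            AuthenticationSuccessHandler successHandler,
            AuthenticationFailureHandler failureHandler,
            SessionAuthenticationStrategy sessionAuthenticationStrategy,
            StatelessUtil util, UserLockoutService userLockoutService,
            Set<String> allowedClientIds, String defaultClientId) {
        super(authenticationManager, successHandler, failureHandler,
              sessionAuthenticationStrategy, util, userLockoutService);
        this.allowedClientIds = Set.copyOf(allowedClientIds);
        this.defaultClientId = defaultClientId;
    }

    @Override
    protected String obtainClientId(HttpServletRequest request) {
        // Same form parameter the base filter documents (OAuth2Utils.CLIENT_ID).
        String raw = request.getParameter(OAuth2Utils.CLIENT_ID);
        if (raw == null || raw.isBlank()) {
            return defaultClientId;
        }
        String clientId = raw.trim();
        if (!allowedClientIds.contains(clientId)) {
            // Fail the attempt before username/password are ever evaluated;
            // the failure handler configured on the filter reports it.
            throw new BadCredentialsException("Unrecognised clientId on login form");
        }
        return clientId;
    }
}
```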
    • checkIfUserPasswordIsExpired

      protected User checkIfUserPasswordIsExpired(User user)
      Checks if the user requires their password to be reset because it has expired. The expiration period is determined by UserPasswordProperties.getPasswordMaxLifeDays().

      If their User.getPasswordLastUpdated() is null, then UserPasswordProperties.isForcePasswordResetIfLastUpdatedDateIsNull() is consulted to determine if login should be permitted or not. If login may proceed, then User.getPasswordLastUpdated() will be initialized to the current time.

      Parameters:
      user - The user trying to authenticate
      Returns:
      The updated user if User.isChangePasswordRequired() flag was modified.
      Throws:
      org.springframework.security.authentication.CredentialsExpiredException - when the user's password has passed the threshold specified by UserPasswordProperties.getPasswordMaxLifeDays(), or when User.getPasswordLastUpdated() is null and UserPasswordProperties.isForcePasswordResetIfLastUpdatedDateIsNull() is true.
    • getUtil

      protected StatelessUtil getUtil()
    • getUserLockoutService

      protected UserLockoutService getUserLockoutService()
    • getUserPasswordProperties

      protected UserPasswordProperties getUserPasswordProperties()
    • setUserPasswordProperties

      @Autowired public void setUserPasswordProperties(UserPasswordProperties userPasswordProperties)
    • getUserService

      protected UserService<User> getUserService()
    • setUserService

      @Autowired public void setUserService(UserService<User> userService)