Class FormLoginAuthenticationFilter
- All Implemented Interfaces:
javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
- Direct Known Subclasses:
EmbeddedLoginAuthenticationFilter
Login forms must present three parameters to this filter: an OAuth2 clientId, username, and password. The default parameter names to use are contained in the static fields OAuth2Utils.CLIENT_ID, UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_USERNAME_KEY and UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_PASSWORD_KEY. The parameter names for username/password can also be changed by setting the usernameParameter and passwordParameter properties.
This filter by default responds to the URL /login.
- Author:
- Nick Crum (ncrum)
-
Field Summary
Fields inherited from class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
SPRING_SECURITY_FORM_PASSWORD_KEY, SPRING_SECURITY_FORM_USERNAME_KEY
Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
authenticationDetailsSource, eventPublisher, messages
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
-
Constructor Summary
Constructor | Description
FormLoginAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, org.springframework.security.web.authentication.AuthenticationSuccessHandler successHandler, org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler, org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy, StatelessUtil util, UserLockoutService userLockoutService) |
-
Method Summary
Modifier and Type | Method | Description
org.springframework.security.core.Authentication | attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) |
protected org.springframework.security.authentication.UsernamePasswordAuthenticationToken | buildAuthToken(String clientId, String username, String password) | Creates a UsernamePasswordAuthenticationToken from the authentication request.
protected User | checkIfUserPasswordIsExpired | Checks if the user requires their password to be reset because it has expired.
protected UserLockoutService | getUserLockoutService |
protected UserPasswordProperties | getUserPasswordProperties |
protected UserService<User> | getUserService |
protected StatelessUtil | getUtil() |
protected String | obtainClientId(javax.servlet.http.HttpServletRequest request) | Enables subclasses to override the composition of the clientId
void | setUserPasswordProperties(UserPasswordProperties userPasswordProperties) |
void | setUserService(UserService<User> userService) |
protected org.springframework.security.core.Authentication | tryAuthenticate(org.springframework.security.core.Authentication authRequest, String clientId, String username) | Attempts authentication.
protected void | unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) |
Methods inherited from class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
getPasswordParameter, getUsernameParameter, obtainPassword, obtainUsername, setDetails, setPasswordParameter, setPostOnly, setUsernameParameter
Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSecurityContextRepository, setSessionAuthenticationStrategy, successfulAuthentication
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
-
Constructor Details
-
FormLoginAuthenticationFilter
public FormLoginAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, org.springframework.security.web.authentication.AuthenticationSuccessHandler successHandler, org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler, org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy, StatelessUtil util, UserLockoutService userLockoutService)
-
-
Method Details
-
attemptAuthentication
public org.springframework.security.core.Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws org.springframework.security.core.AuthenticationException
- Overrides:
attemptAuthentication in class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
- Throws:
org.springframework.security.core.AuthenticationException
-
unsuccessfulAuthentication
protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) throws IOException, javax.servlet.ServletException
- Overrides:
unsuccessfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
- Throws:
IOException
javax.servlet.ServletException
-
buildAuthToken
protected org.springframework.security.authentication.UsernamePasswordAuthenticationToken buildAuthToken(String clientId, String username, String password)
Creates a UsernamePasswordAuthenticationToken from the authentication request.
- Parameters:
clientId - ID of the client from which a user is trying to authenticate
username - Provided username of the user trying to authenticate
password - Provided password of the user trying to authenticate
- Returns:
A UsernamePasswordAuthenticationToken representing the authentication request data.
-
tryAuthenticate
protected org.springframework.security.core.Authentication tryAuthenticate(org.springframework.security.core.Authentication authRequest, String clientId, String username)
Attempts authentication. This will check if the user may be unlocked and if their password has expired as well as attempt authentication.
- Parameters:
authRequest - The request to authenticate.
clientId - The AuthorizedClient the request originated from.
username - The User.getUsername() of the User.
- Returns:
The Authentication if successful.
- Throws:
org.springframework.security.authentication.LockedException - when the user is locked and not allowed to be unlocked. See User.isLocked().
org.springframework.security.authentication.BadCredentialsException - when the user's credentials are incorrect
org.springframework.security.authentication.CredentialsExpiredException - when the user's password has passed the threshold specified by UserPasswordProperties.getPasswordMaxLifeDays() or is null and UserPasswordProperties.isForcePasswordResetIfLastUpdatedDateIsNull() is true.
org.springframework.security.authentication.InternalAuthenticationServiceException - when the system could not properly process the request
-
obtainClientId
Enables subclasses to override the composition of the clientId
- Parameters:
request - so that request attributes can be retrieved
- Returns:
the clientId that will be presented in the Authentication request token to the AuthenticationManager
-
checkIfUserPasswordIsExpired
Checks if the user requires their password to be reset because it has expired. The expiration period is determined by UserPasswordProperties.getPasswordMaxLifeDays().
If their User.getPasswordLastUpdated() is null, then UserPasswordProperties.isForcePasswordResetIfLastUpdatedDateIsNull() is consulted to determine if login should be permitted or not. If login may proceed, then User.getPasswordLastUpdated() will be initialized to the current time.
- Parameters:
user - The user trying to authenticate
- Returns:
The updated user if User.isChangePasswordRequired() flag was modified.
- Throws:
org.springframework.security.authentication.CredentialsExpiredException - when the user's password has passed the threshold specified by UserPasswordProperties.getPasswordMaxLifeDays() or is null and UserPasswordProperties.isForcePasswordResetIfLastUpdatedDateIsNull() is true.
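The expiry decision described above, written out in Java as an added example; it is not the project's own code. PasswordPolicy, Account and PasswordExpiredException are hypothetical stand-ins for UserPasswordProperties, User and Spring Security's CredentialsExpiredException, and the Instant timestamp type, the whole-day comparison and the "non-positive limit disables expiry" rule are assumptions.

```java
import java.time.Duration;
import java.time.Instant;

public class PasswordExpiryCheck {
    // Hypothetical stand-in for UserPasswordProperties.
    static final class PasswordPolicy {
        final int passwordMaxLifeDays;              // assumption: <= 0 disables expiry
        final boolean forceResetIfLastUpdatedIsNull;
        PasswordPolicy(int days, boolean force) { passwordMaxLifeDays = days; forceResetIfLastUpdatedIsNull = force; }
    }
    // Hypothetical stand-in for User; Instant is an assumed timestamp type.
    static final class Account {
        Instant passwordLastUpdated;
        Account(Instant passwordLastUpdated) { this.passwordLastUpdated = passwordLastUpdated; }
    }
    // Stand-in for Spring Security's CredentialsExpiredException.
    static final class PasswordExpiredException extends RuntimeException {
        PasswordExpiredException(String msg) { super(msg); }
    }

    /** Returns true if the account was modified and must be persisted by the caller. */
    static boolean checkExpiry(Account a, PasswordPolicy p, Instant now) {
        if (a.passwordLastUpdated == null) {
            if (p.forceResetIfLastUpdatedIsNull) {
                throw new PasswordExpiredException("no password timestamp; reset required");
            }
            a.passwordLastUpdated = now;   // login permitted: start the expiry clock now
            return true;
        }
        if (p.passwordMaxLifeDays > 0) {
            // Assumption: "passed the threshold" means strictly older than the limit.
            long ageDays = Duration.between(a.passwordLastUpdated, now).toDays();
            if (ageDays > p.passwordMaxLifeDays) {
                throw new PasswordExpiredException("password is " + ageDays + " days old");
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-06-01T00:00:00Z");   // constructed sample data
        PasswordPolicy policy = new PasswordPolicy(90, false);
        Account legacy = new Account(null);
        System.out.println(checkExpiry(legacy, policy, now) + " " + legacy.passwordLastUpdated);
        Account stale = new Account(now.minus(Duration.ofDays(120)));
        try { checkExpiry(stale, policy, now); }
        catch (PasswordExpiredException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

When the force-reset flag is false, an account with a null timestamp receives a full new password lifetime at its next login, so that flag decides whether legacy accounts are ever made to rotate.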
-
getUtil
-
getUserLockoutService
-
getUserPasswordProperties
-
setUserPasswordProperties
-
getUserService
-
setUserService
-