Package com.broadleafcommerce.auth.user.session

Class OAuth2SessionAuthenticationFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
com.broadleafcommerce.auth.user.session.OAuth2SessionAuthenticationFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
public class OAuth2SessionAuthenticationFilter extends org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
Processes an OAuth2 client session Cookie to establish an authentication user.

The way this filter selects the client session Cookie is by using StatelessUtil.getSessionCookieName(String) which will concatenate the session cookie prefix (BLSID) and the client ID. For example: BLSID-[client_id].

If the client session Cookie exists, this filter will extract the Cookie's value, which is expected to be a SignedJWT. The String token and the OAuth2ParameterNames.CLIENT_ID is then used to construct an OAuth2SessionAuthenticationToken.

The OAuth2SessionAuthenticationToken is then passed to AuthenticationManager.authenticate(Authentication), which usually is then handled by OAuth2SessionAuthenticationProvider, unless another provider is implemented to handle authenticating the token.

Upon a successful authentication, this filter will set the Authentication on the SecurityContext, refresh the client session Cookie, and proceed with the rest of the FilterChain.

Upon a failed authentication, this filter will clear the SecurityContext, and delegate to the AuthenticationEntryPoint to redirect the user to an appropriate location.

Author:
Nick Crum (ncrum)

  • Field Summary

    Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    authenticationDetailsSource, eventPublisher, messages

    Fields inherited from class org.springframework.web.filter.GenericFilterBean

    logger

  • Constructor Summary

    Constructors
    Constructor
    Description
    OAuth2SessionAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, StatelessUtil util, org.springframework.security.web.AuthenticationEntryPoint authenticationEntrypoint)
     

  • Method Summary

    Modifier and Type
    Method
    Description
    org.springframework.security.core.Authentication
    attemptAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
     
    protected void
    refreshSessionCookie(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult)
    Helper method used to refresh the expiration on the current session cookie up to the max expiration time.
    protected void
    successfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult)
     
    protected void
    unsuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed)
     

    Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSecurityContextHolderStrategy, setSecurityContextRepository, setSessionAuthenticationStrategy

    Methods inherited from class org.springframework.web.filter.GenericFilterBean

    addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Constructor Details

    • OAuth2SessionAuthenticationFilter

      public OAuth2SessionAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, StatelessUtil util, org.springframework.security.web.AuthenticationEntryPoint authenticationEntrypoint)

  • Method Details

    • attemptAuthentication

      public org.springframework.security.core.Authentication attemptAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws org.springframework.security.core.AuthenticationException
      Specified by:
      attemptAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      Throws:
      org.springframework.security.core.AuthenticationException

    • successfulAuthentication

      protected void successfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult) throws IOException, jakarta.servlet.ServletException
      Overrides:
      successfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      Throws:
      IOException
      jakarta.servlet.ServletException

    • refreshSessionCookie

      protected void refreshSessionCookie(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult)
      Helper method used to refresh the expiration on the current session cookie up to the max expiration time. This ensures that subsequent requests keep the user's session alive.

    • unsuccessfulAuthentication

      protected void unsuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) throws IOException, jakarta.servlet.ServletException
      Overrides:
      unsuccessfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      Throws:
      IOException
      jakarta.servlet.ServletException