Class OAuth2SessionAuthenticationFilter
- All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
Cookie to establish an authenticated user.

The way this filter selects the client session Cookie is by using StatelessUtil.getSessionCookieName(String), which concatenates the session cookie prefix (BLSID) and the client ID, for example BLSID-[client_id].

If the client session Cookie exists, this filter extracts the Cookie's value, which is expected to be a SignedJWT. The String token and the OAuth2ParameterNames.CLIENT_ID are then used to construct an OAuth2SessionAuthenticationToken.

The OAuth2SessionAuthenticationToken is then passed to AuthenticationManager.authenticate(Authentication), which is usually handled by OAuth2SessionAuthenticationProvider, unless another provider is implemented to handle authenticating the token.

Upon a successful authentication, this filter sets the Authentication on the SecurityContext, refreshes the client session Cookie, and proceeds with the rest of the FilterChain.

Upon a failed authentication, this filter clears the SecurityContext and delegates to the AuthenticationEntryPoint to redirect the user to an appropriate location.
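The following is an added worked example of the flow described above; it is illustration code, not the filter's or StatelessUtil's own source. It reproduces the cookie-name rule (BLSID-[client_id]), the cookie-selection step, the verification a provider behind AuthenticationManager.authenticate has to perform on the raw String token (the filter only extracts the value and hands it on, so signature and expiry checks cannot happen anywhere else), and the refresh rule described under refreshSessionCookie, where the cookie expiry slides forward on each request but never beyond the max expiration time. Assumptions not stated on this page: the SignedJWT is an HS256 token over a shared secret (nimbus-jose-jwt API), the session's absolute limit is carried in the JWT exp claim, the client ID is carried in a client_id claim, the 30-minute window and 8-hour cap are arbitrary demo values, and Cookie.setAttribute requires Jakarta Servlet 6.0 or later.

```java
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Date;
import java.util.Optional;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;

// Added example, not the filter's own source. The "BLSID" prefix comes from the Javadoc;
// the durations, the HMAC key, the HS256 choice and the claim layout are assumptions.
public final class SessionCookieExample {
    static final String SESSION_COOKIE_PREFIX = "BLSID";
    static final Duration REFRESH_WINDOW = Duration.ofMinutes(30); // assumed sliding cookie lifetime
    static final Duration MAX_SESSION = Duration.ofHours(8);       // assumed absolute session lifetime (JWT exp)
    static final byte[] HMAC_KEY =                                 // constructed demo key, >= 32 bytes for HS256
            "32-byte-minimum-secret-for-hs256-demo!!".getBytes(StandardCharsets.UTF_8);

    // Same rule the Javadoc gives for StatelessUtil.getSessionCookieName(String).
    static String sessionCookieName(String clientId) {
        return SESSION_COOKIE_PREFIX + "-" + clientId;
    }
    // Cookie selection: only the cookie named for this client is considered; absent means "no session".
    static Optional<String> extractSessionToken(HttpServletRequest request, String clientId) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return Optional.empty();
        String name = sessionCookieName(clientId);
        return Arrays.stream(cookies).filter(c -> name.equals(c.getName())).map(Cookie::getValue).findFirst();
    }
    // What the provider behind AuthenticationManager.authenticate must do with the raw String token:
    // pin the algorithm, verify the signature, reject expired tokens, and bind the token to the client_id.
    static JWTClaimsSet verifySessionToken(String token, String expectedClientId, Instant now)
            throws ParseException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(token);
        if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new JOSEException("unexpected alg: " + jwt.getHeader().getAlgorithm());
        }
        if (!jwt.verify(new MACVerifier(HMAC_KEY))) {
            throw new JOSEException("signature verification failed");
        }
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        if (exp == null || !exp.toInstant().isAfter(now)) {
            throw new JOSEException("token expired or has no exp");
        }
        if (!expectedClientId.equals(claims.getStringClaim(OAuth2ParameterNames.CLIENT_ID))) {
            throw new JOSEException("client_id mismatch");
        }
        return claims;
    }
    // Refresh rule: slide the cookie expiry forward by REFRESH_WINDOW, but never past the token's exp
    // (the "max expiration time"). Returns the new Max-Age in seconds, or -1 if nothing is left.
    static long refreshedMaxAgeSeconds(JWTClaimsSet claims, Instant now) {
        Instant hardLimit = claims.getExpirationTime().toInstant();
        Instant slid = now.plus(REFRESH_WINDOW);
        long seconds = Duration.between(now, slid.isBefore(hardLimit) ? slid : hardLimit).getSeconds();
        return seconds > 0 ? seconds : -1;
    }
    // Re-issue the cookie with the attributes a session cookie should carry.
    static void writeSessionCookie(HttpServletResponse response, String clientId, String token, long maxAge) {
        Cookie cookie = new Cookie(sessionCookieName(clientId), token);
        cookie.setHttpOnly(true);               // not readable from script
        cookie.setSecure(true);                 // sent over HTTPS only
        cookie.setPath("/");
        cookie.setMaxAge((int) maxAge);
        cookie.setAttribute("SameSite", "Lax"); // Jakarta Servlet 6.0+ API
        response.addCookie(cookie);
    }
    // Constructed helper that mints a demo session JWT so the pieces above can be exercised.
    static String mintSessionToken(String clientId, String subject, Instant issuedAt) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject(subject)
                .claim(OAuth2ParameterNames.CLIENT_ID, clientId)
                .issueTime(Date.from(issuedAt)).expirationTime(Date.from(issuedAt.plus(MAX_SESSION))).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        jwt.sign(new MACSigner(HMAC_KEY));
        return jwt.serialize();
    }
    public static void main(String[] args) throws Exception {
        Instant now = Instant.now();
        // Session started 7h50m ago: verification succeeds, but only about 600s of the 8h cap remain,
        // so the refreshed Max-Age is capped there rather than getting the full 1800s window.
        String token = mintSessionToken("web-client", "user-42", now.minus(Duration.ofHours(7).plusMinutes(50)));
        JWTClaimsSet claims = verifySessionToken(token, "web-client", now);
        System.out.println(claims.getSubject() + " maxAge=" + refreshedMaxAgeSeconds(claims, now));
        try { verifySessionToken(token, "other-client", now); }
        catch (JOSEException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In the real filter the extraction step corresponds to attemptAuthentication, the verification step to whatever provider handles the OAuth2SessionAuthenticationToken, and writeSessionCookie plus refreshedMaxAgeSeconds to refreshSessionCookie in successfulAuthentication. The example pins the JWS algorithm before verifying because a verifier that accepts whatever alg the token header declares is a classic confusion bug; the client_id check matters because the cookie name alone (BLSID-[client_id]) is attacker-controlled in the request and must not be trusted to bind a token to a client.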
- Author:
- Nick Crum (ncrum)
-
Field Summary
Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
authenticationDetailsSource, eventPublisher, messages
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
-
Constructor Summary
Constructor | Description
OAuth2SessionAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, StatelessUtil util, org.springframework.security.web.AuthenticationEntryPoint authenticationEntrypoint) |
-
Method Summary
Modifier and Type | Method | Description
org.springframework.security.core.Authentication | attemptAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) |
protected void | refreshSessionCookie(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult) | Helper method used to refresh the expiration on the current session cookie up to the max expiration time.
protected void | successfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult) |
protected void | unsuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) |
Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSecurityContextHolderStrategy, setSecurityContextRepository, setSessionAuthenticationStrategy
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
-
Constructor Details
-
OAuth2SessionAuthenticationFilter
public OAuth2SessionAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, StatelessUtil util, org.springframework.security.web.AuthenticationEntryPoint authenticationEntrypoint)
-
-
Method Details
-
attemptAuthentication
public org.springframework.security.core.Authentication attemptAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws org.springframework.security.core.AuthenticationException
- Specified by:
attemptAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
- Throws:
org.springframework.security.core.AuthenticationException
-
successfulAuthentication
protected void successfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult) throws IOException, jakarta.servlet.ServletException
- Overrides:
successfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
- Throws:
IOException
jakarta.servlet.ServletException
-
refreshSessionCookie
protected void refreshSessionCookie(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult)
Helper method used to refresh the expiration on the current session cookie up to the max expiration time. This ensures that subsequent requests keep the user's session alive.
-
unsuccessfulAuthentication
protected void unsuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) throws IOException, jakarta.servlet.ServletException
- Overrides:
unsuccessfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
- Throws:
IOException
jakarta.servlet.ServletException
-