GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

BasicAuthenticationProcessingFilter no longer creates HttpSession via WebAuthenticationDetails call.

1.0.x
Ben Alex 21 years ago
parent
c64a3770de
commit
35ca25f085
3 changed files with 30 additions and 32 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 21
      core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java
  2. 40
      core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java
  3. 1
      doc/xdocs/changes.xml

21
core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java
Unescape View File

@ -12,7 +12,6 @@ @@ -12,7 +12,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.sf.acegisecurity.ui;
import java.io.Serializable;
@ -27,16 +26,12 @@ import javax.servlet.http.HttpServletRequest; @@ -27,16 +26,12 @@ import javax.servlet.http.HttpServletRequest;
* @version $Id$
*/
public class WebAuthenticationDetails implements Serializable {
//~ Instance fields ========================================================
private String remoteAddress;
private String sessionId;
//~ Constructors ===========================================================
/**
* Constructor.
*
*
* <p>
* NB: This constructor will cause a <code>HttpSession</code> to be created
* (this is considered reasonable as all Acegi Security authentication
@ -48,7 +43,14 @@ public class WebAuthenticationDetails implements Serializable { @@ -48,7 +43,14 @@ public class WebAuthenticationDetails implements Serializable {
*/
public WebAuthenticationDetails(HttpServletRequest request) {
this.remoteAddress = request.getRemoteAddr();
this.sessionId = request.getSession().getId();
this.sessionId = request.getSession(true).getId();
doPopulateAdditionalInformation(request);
}
public WebAuthenticationDetails(HttpServletRequest request,
boolean forceSessionCreation) {
this.remoteAddress = request.getRemoteAddr();
this.sessionId = request.getSession(forceSessionCreation).getId();
doPopulateAdditionalInformation(request);
}
@ -56,8 +58,6 @@ public class WebAuthenticationDetails implements Serializable { @@ -56,8 +58,6 @@ public class WebAuthenticationDetails implements Serializable {
throw new IllegalArgumentException("Cannot use default constructor");
}
//~ Methods ================================================================
/**
* Indicates the TCP/IP address the authentication request was received
* from.
@ -92,5 +92,6 @@ public class WebAuthenticationDetails implements Serializable { @@ -92,5 +92,6 @@ public class WebAuthenticationDetails implements Serializable {
*
* @param request that the authentication request was received from
*/
protected void doPopulateAdditionalInformation(HttpServletRequest request) {}
protected void doPopulateAdditionalInformation(HttpServletRequest request) {
}
}

40
core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java
Unescape View File

@ -12,7 +12,6 @@ @@ -12,7 +12,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.sf.acegisecurity.ui.basicauth;
import net.sf.acegisecurity.Authentication;
@ -46,13 +45,13 @@ import javax.servlet.http.HttpServletResponse; @@ -46,13 +45,13 @@ import javax.servlet.http.HttpServletResponse;
/**
* Processes a HTTP request's BASIC authorization headers, putting the result
* into the <code>ContextHolder</code>.
*
*
* <P>
* For a detailed background on what this filter is designed to process, refer
* to <A HREF="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section
* 11.1</A>. Any realm name presented in the HTTP request is ignored.
* </p>
*
*
* <p>
* In summary, this filter is responsible for processing any request that has a
* HTTP request header of <code>Authorization</code> with an authentication
@ -61,28 +60,28 @@ import javax.servlet.http.HttpServletResponse; @@ -61,28 +60,28 @@ import javax.servlet.http.HttpServletResponse;
* "Aladdin" with password "open sesame" the following header would be
* presented:
* </p>
*
*
* <p>
* <code>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code>.
* </p>
*
*
* <p>
* This filter can be used to provide BASIC authentication services to both
* remoting protocol clients (such as Hessian and SOAP) as well as standard
* user agents (such as Internet Explorer and Netscape).
* </p>
*
*
* <P>
* If authentication is successful, the resulting {@link Authentication} object
* will be placed into the <code>ContextHolder</code>.
* </p>
*
*
* <p>
* If authentication fails, an {@link AuthenticationEntryPoint} implementation
* is called. Usually this should be {@link BasicProcessingFilterEntryPoint},
* which will prompt the user to authenticate again via BASIC authentication.
* </p>
*
*
* <P>
* Basic authentication is an attractive protocol because it is simple and
* widely deployed. However, it still transmits a password in clear text and
@ -91,7 +90,7 @@ import javax.servlet.http.HttpServletResponse; @@ -91,7 +90,7 @@ import javax.servlet.http.HttpServletResponse;
* authentication wherever possible. See {@link
* net.sf.acegisecurity.ui.digestauth.DigestProcessingFilter}.
* </p>
*
*
* <P>
* <B>Do not use this class directly.</B> Instead configure
* <code>web.xml</code> to use the {@link
@ -102,17 +101,10 @@ import javax.servlet.http.HttpServletResponse; @@ -102,17 +101,10 @@ import javax.servlet.http.HttpServletResponse;
* @version $Id$
*/
public class BasicProcessingFilter implements Filter, InitializingBean {
//~ Static fields/initializers =============================================
private static final Log logger = LogFactory.getLog(BasicProcessingFilter.class);
//~ Instance fields ========================================================
private AuthenticationEntryPoint authenticationEntryPoint;
private AuthenticationManager authenticationManager;
//~ Methods ================================================================
public void setAuthenticationEntryPoint(
AuthenticationEntryPoint authenticationEntryPoint) {
this.authenticationEntryPoint = authenticationEntryPoint;
@ -138,7 +130,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean { @@ -138,7 +130,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
"An AuthenticationEntryPoint is required");
}
public void destroy() {}
public void destroy() {
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
@ -174,7 +167,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean { @@ -174,7 +167,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
password);
authRequest.setDetails(new WebAuthenticationDetails(httpRequest));
authRequest.setDetails(new WebAuthenticationDetails(httpRequest,
false));
Authentication authResult;
@ -183,8 +177,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean { @@ -183,8 +177,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
} catch (AuthenticationException failed) {
// Authentication failed
if (logger.isDebugEnabled()) {
logger.debug("Authentication request for user: " + username
+ " failed: " + failed.toString());
logger.debug("Authentication request for user: " +
username + " failed: " + failed.toString());
}
SecurityContextHolder.getContext().setAuthentication(null);
@ -195,7 +189,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean { @@ -195,7 +189,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
// Authentication success
if (logger.isDebugEnabled()) {
logger.debug("Authentication success: " + authResult.toString());
logger.debug("Authentication success: " +
authResult.toString());
}
SecurityContextHolder.getContext().setAuthentication(authResult);
@ -204,5 +199,6 @@ public class BasicProcessingFilter implements Filter, InitializingBean { @@ -204,5 +199,6 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
chain.doFilter(request, response);
}
public void init(FilterConfig arg0) throws ServletException {}
public void init(FilterConfig arg0) throws ServletException {
}
}

1
doc/xdocs/changes.xml
Unescape View File

@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
<release version="0.9.0" date="In CVS">
<action dev="markstg" type="add">SwitchUserProcessingFilter to provide user security context switching</action>
<action dev="markstg" type="add">Java 1.5 annotation support</action>
<action dev="benalex" type="update">BasicAuthenticationProcessingFilter no longer creates HttpSession via WebAuthenticationDetails call</action>
<action dev="benalex" type="update">JdbcDaoImpl modified to support synthetic primary keys</action>
<action dev="benalex" type="update">Greatly improve BasicAclEntryAfterInvocationCollectionFilteringProvider performance with large collections (if the principal has access to relatively few collection elements)</action>
<action dev="benalex" type="update">Reorder DaoAuthenticationProvider exception logic as per developer list discussion</action>

Write Preview
Loading…
Cancel
Save