GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Extracted a method to evaluate the conditions for whether basic authentication is required.

1.0.x
Luke Taylor 19 years ago
parent
a1886bd1e0
commit
bd2d4b013a
1 changed files with 24 additions and 10 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 34
      core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java

34
core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java
Unescape View File

@ -95,7 +95,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean { @@ -95,7 +95,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
public void destroy() {}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
throws IOException, ServletException {
if (!(request instanceof HttpServletRequest)) {
throw new ServletException("Can only process HttpServletRequest");
}
@ -126,15 +127,9 @@ public class BasicProcessingFilter implements Filter, InitializingBean { @@ -126,15 +127,9 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
password = token.substring(delim + 1);
}
// Only reauthenticate if username doesn't match SecurityContextHolder and user isn't authenticated (see SEC-53)
Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
// Limit username comparison to providers which user usernames (ie UsernamePasswordAuthenticationToken) (see SEC-348)
if ((existingAuth == null)
|| (existingAuth instanceof UsernamePasswordAuthenticationToken && !existingAuth.getName().equals(username))
|| !existingAuth.isAuthenticated()) {
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
password);
if (authenticationIsRequired(username)) {
UsernamePasswordAuthenticationToken authRequest =
new UsernamePasswordAuthenticationToken(username, password);
authRequest.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
Authentication authResult;
@ -178,6 +173,25 @@ public class BasicProcessingFilter implements Filter, InitializingBean { @@ -178,6 +173,25 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
chain.doFilter(request, response);
}
private boolean authenticationIsRequired(String username) {
// Only reauthenticate if username doesn't match SecurityContextHolder and user isn't authenticated
// (see SEC-53)
Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
if(existingAuth == null || !existingAuth.isAuthenticated()) {
return true;
}
// Limit username comparison to providers which use usernames (ie UsernamePasswordAuthenticationToken)
// (see SEC-348)
if (existingAuth instanceof UsernamePasswordAuthenticationToken && !existingAuth.getName().equals(username)) {
return true;
}
return false;
}
public AuthenticationEntryPoint getAuthenticationEntryPoint() {
return authenticationEntryPoint;
}

Write Preview
Loading…
Cancel
Save