From f5d36aef653c4a9f722c9945d101bdef7ecd2585 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Tue, 5 Jan 2010 16:01:55 +0000 Subject: [PATCH] SEC-1350: Improved Javadoc for AbstractPreAuthenticatedProcessingFilter Added clarification that the credentials returned by the subclass should not be null or they will typically be rejected by the provider. Also added some general overview. --- ...tractPreAuthenticatedProcessingFilter.java | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java index 7dfc5f8722..41eff37d9c 100755 --- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java @@ -25,8 +25,19 @@ import org.springframework.util.Assert; import org.springframework.web.filter.GenericFilterBean; /** - * Base class for processing filters that handle pre-authenticated authentication requests. Subclasses must implement - * the {@code getPreAuthenticatedPrincipal()} and {@code getPreAuthenticatedCredentials()} methods. + * Base class for processing filters that handle pre-authenticated authentication requests, where it is assumed + * that the principal has already been authenticated by an external system. + *

+ * The purpose is then only to extract the necessary information on the principal from the incoming request, rather + * than to authenticate them. External authentication systems may provide this information via request data such as + * headers or cookies which the pre-authentication system can extract. It is assumed that the external system is + * responsible for the accuracy of the data and preventing the submission of forged values. + * + * Subclasses must implement the {@code getPreAuthenticatedPrincipal()} and {@code getPreAuthenticatedCredentials()} + * methods. Subclasses of this filter are typically used in combination with a + * {@code PreAuthenticatedAuthenticationProvider}, which is used to load additional data for the user. + * This provider will reject null credentials, so the {@link #getPreAuthenticatedCredentials} method should not return + * null for a valid principal. *

* If the security context already contains an {@code Authentication} object (either from a invocation of the * filter or because of some other authentication mechanism), the filter will do nothing by default. You can force @@ -47,15 +58,10 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi InitializingBean, ApplicationEventPublisherAware { private ApplicationEventPublisher eventPublisher = null; - private AuthenticationDetailsSource authenticationDetailsSource = new WebAuthenticationDetailsSource(); - private AuthenticationManager authenticationManager = null; - private boolean continueFilterChainOnUnsuccessfulAuthentication = true; - private boolean checkForPrincipalChanges; - private boolean invalidateSessionOnPrincipalChange = true; /** @@ -229,8 +235,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi protected abstract Object getPreAuthenticatedPrincipal(HttpServletRequest request); /** - * Override to extract the credentials (if applicable) from the current request. Some implementations - * may return a dummy value. + * Override to extract the credentials (if applicable) from the current request. Should not return null for a valid + * principal, though some implementations may return a dummy value. */ protected abstract Object getPreAuthenticatedCredentials(HttpServletRequest request); }