Abstract processor of browser-based HTTP-based authentication requests.
Authentication Process
The filter requires that you set the authenticationManager property. An AuthenticationManager is required to process the authentication request tokens created by implementing classes.
This filter will intercept a request and attempt to perform authentication from that request if the request matches the {@link #setRequiresAuthenticationRequestMatcher(RequestMatcher)}.
Authentication is performed by the {@link #attemptAuthentication(HttpServletRequest,HttpServletResponse) attemptAuthentication} method, which must be implemented by subclasses.
Authentication Success
If authentication is successful, the resulting {@link Authentication} object will be placed into the SecurityContext for the current thread, which is guaranteed to have already been created by an earlier filter.
The configured {@link #setAuthenticationSuccessHandler(AuthenticationSuccessHandler) AuthenticationSuccessHandler} will then be called to take the redirect to the appropriate destination after a successful login. The default behaviour is implemented in a {@link SavedRequestAwareAuthenticationSuccessHandler} which will make use of any DefaultSavedRequest set by the ExceptionTranslationFilter and redirect the user to the URL contained therein. Otherwise it will redirect to the webapp root "/". You can customize this behaviour by injecting a differently configured instance of this class, or by using a different implementation.
See the {@link #successfulAuthentication(HttpServletRequest,HttpServletResponse,Authentication) successfulAuthentication} method for more information.
Authentication Failure
If authentication fails, it will delegate to the configured {@link AuthenticationFailureHandler} to allow the failure information to be conveyed to the client. The default implementation is {@link SimpleUrlAuthenticationFailureHandler}, which sends a 401 error code to the client. It may also be configured with a failure URL as an alternative. Again you can inject whatever behaviour you require here.
Event Publication
If authentication is successful, an {@link InteractiveAuthenticationSuccessEvent} will be published via the application context. No events will be published if authentication was unsuccessful, because this would generally be recorded via an {@code AuthenticationManager}-specific application event.
Session Authentication
The class has an optional {@link SessionAuthenticationStrategy} which will be invoked immediately after a successful call to {@code attemptAuthentication()}. Different implementations {@link #setSessionAuthenticationStrategy(SessionAuthenticationStrategy) can be injected} to enable things like session-fixation attack prevention or to control the number of simultaneous sessions a principal may have.
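The following is an added example, not code from Spring Security itself, showing how a subclass wires together the pieces described above: the request matcher that triggers authentication, the subclass-supplied attemptAuthentication method, the success and failure handlers, and a SessionAuthenticationStrategy that defends against session fixation. The class name OneTimeCodeAuthenticationFilter, the URL /login/code and the parameter names are hypothetical; it assumes Spring Security 6 with the jakarta.servlet API.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/**
 * Hypothetical filter (added example, not part of Spring Security) that
 * authenticates a POST to /login/code carrying "username" and "code" form
 * parameters. The AuthenticationManager passed in is expected to hold a
 * provider that knows how to validate the one-time code.
 */
public class OneTimeCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    // Upper bound on accepted parameter length so an oversized body is
    // rejected before it reaches the AuthenticationManager.
    private static final int MAX_FIELD_LENGTH = 256;

    public OneTimeCodeAuthenticationFilter(AuthenticationManager authenticationManager) {
        // requiresAuthenticationRequestMatcher: only POST /login/code is
        // treated as an authentication attempt; every other request is
        // passed straight down the chain.
        super(new AntPathRequestMatcher("/login/code", "POST"), authenticationManager);

        // Invoked right after a successful attemptAuthentication(): issues a
        // fresh session id so an attacker-supplied pre-login id is not
        // promoted to an authenticated session (session-fixation prevention).
        setSessionAuthenticationStrategy(new SessionFixationProtectionStrategy());

        // Default-style success handling: replay the saved request stored by
        // ExceptionTranslationFilter, or fall back to "/".
        setAuthenticationSuccessHandler(new SavedRequestAwareAuthenticationSuccessHandler());

        // Instead of the bare 401 default, send the user back to the form
        // with an error marker; the exception itself is not exposed.
        setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/login/code?error"));
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            throw new AuthenticationServiceException(
                    "Authentication method not supported: " + request.getMethod());
        }

        String username = request.getParameter("username");
        String code = request.getParameter("code");

        // Reject missing, blank or oversized input here; the resulting
        // AuthenticationException is routed to the failure handler.
        if (username == null || code == null || username.isBlank() || code.isBlank()
                || username.length() > MAX_FIELD_LENGTH || code.length() > MAX_FIELD_LENGTH) {
            throw new BadCredentialsException("Missing or malformed credentials");
        }

        // Build the request token that the AuthenticationManager will process.
        // setDetails attaches remote address and session id for auditing.
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username.trim(), code);
        token.setDetails(this.authenticationDetailsSource.buildDetails(request));

        // On success the base class stores the result in the SecurityContext,
        // runs the SessionAuthenticationStrategy, publishes
        // InteractiveAuthenticationSuccessEvent and calls the success handler.
        return getAuthenticationManager().authenticate(token);
    }
}
```

To register the filter, add it to the HttpSecurity chain (for example with http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)) and make sure the endpoint it matches is reachable without prior authentication; the AuthenticationManager is a hard requirement, and the base class's afterPropertiesSet() fails fast if it was not supplied.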
@author Ben Alex
@author Luke Taylor