Examples of org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

• org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
  Abstract processor of browser-based HTTP-based authentication requests.

  Authentication Process

  The filter requires that you set the authenticationManager property. An AuthenticationManager is required to process the authentication request tokens created by implementing classes.

  This filter will intercept a request and attempt to perform authentication from that request if the request matches the {@link #setRequiresAuthenticationRequestMatcher(RequestMatcher)}.

  Authentication is performed by the {@link #attemptAuthentication(HttpServletRequest,HttpServletResponse) attemptAuthentication} method, which must be implemented by subclasses.

  Authentication Success

  If authentication is successful, the resulting {@link Authentication} object will be placed into theSecurityContext for the current thread, which is guaranteed to have already been created by an earlier filter.

  The configured {@link #setAuthenticationSuccessHandler(AuthenticationSuccessHandler) AuthenticationSuccessHandler} willthen be called to take the redirect to the appropriate destination after a successful login. The default behaviour is implemented in a {@link SavedRequestAwareAuthenticationSuccessHandler} which will make use of anyDefaultSavedRequest set by the ExceptionTranslationFilter and redirect the user to the URL contained therein. Otherwise it will redirect to the webapp root "/". You can customize this behaviour by injecting a differently configured instance of this class, or by using a different implementation.

  See the {@link #successfulAuthentication(HttpServletRequest,HttpServletResponse,Authentication) successfulAuthentication} method for more information.

  Authentication Failure

  If authentication fails, it will delegate to the configured {@link AuthenticationFailureHandler} to allow thefailure information to be conveyed to the client. The default implementation is {@link SimpleUrlAuthenticationFailureHandler}, which sends a 401 error code to the client. It may also be configured with a failure URL as an alternative. Again you can inject whatever behaviour you require here.

  Event Publication

  If authentication is successful, an {@link InteractiveAuthenticationSuccessEvent} will be published via theapplication context. No events will be published if authentication was unsuccessful, because this would generally be recorded via an {@code AuthenticationManager}-specific application event.

  Session Authentication

  The class has an optional {@link SessionAuthenticationStrategy} which will be invoked immediately after asuccessful call to {@code attemptAuthentication()}. Different implementations {@link #setSessionAuthenticationStrategy(SessionAuthenticationStrategy) can be injected} to enable things likesession-fixation attack prevention or to control the number of simultaneous sessions a principal may have. @author Ben Alex @author Luke Taylor

        // Not a @Bean because we explicitly do not want it added automatically by
        // Bootstrap to all requests
        protected Filter authenticationFilter() {

            AbstractAuthenticationProcessingFilter filter =
                    new SecurityContextAuthenticationFilter(SIGNIN_SUCCESS_PATH);
            SavedRequestAwareAuthenticationSuccessHandler successHandler =
                    new SavedRequestAwareAuthenticationSuccessHandler();
            successHandler.setDefaultTargetUrl("/admin");
            filter.setAuthenticationSuccessHandler(successHandler);
            return filter;
        }