Package org.springframework.security.web.access.channel

Class ChannelProcessingFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
    public class ChannelProcessingFilter
extends org.springframework.web.filter.GenericFilterBean
    Ensures a web request is delivered over the required channel.

    Internally uses a FilterInvocation to represent the request, allowing a FilterInvocationSecurityMetadataSource to be used to lookup the attributes which apply.

    Delegates the actual channel security decisions and necessary actions to the configured ChannelDecisionManager. If a response is committed by the ChannelDecisionManager, the filter chain will not proceed.

    The most common usage is to ensure that a request takes place over HTTPS, where the ChannelDecisionManagerImpl is configured with a SecureChannelProcessor and an InsecureChannelProcessor. A typical configuration would be 

    
 <bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
   <property name="channelDecisionManager" ref="channelDecisionManager"/>
   <property name="securityMetadataSource">
     <security:filter-security-metadata-source request-matcher="regex">
       <security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
       <security:intercept-url pattern="\A/login.jsp.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
       <security:intercept-url pattern="\A/.*\Z" access="ANY_CHANNEL"/>
     </security:filter-security-metadata-source>
   </property>
 </bean>

 <bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
   <property name="channelProcessors">
     <list>
     <ref bean="secureChannelProcessor"/>
     <ref bean="insecureChannelProcessor"/>
     </list>
   </property>
 </bean>

 <bean id="secureChannelProcessor"
   class="org.springframework.security.web.access.channel.SecureChannelProcessor"/>
 <bean id="insecureChannelProcessor"
   class="org.springframework.security.web.access.channel.InsecureChannelProcessor"/>
    which would force the login form and any access to the /secure path to be made over HTTPS.

    • Constructor Detail

      • ChannelProcessingFilter

        public ChannelProcessingFilter()

    • Method Detail

      • afterPropertiesSet

        public void afterPropertiesSet()
        Specified by:
        afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
        Overrides:
        afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean

      • doFilter

        public void doFilter​(javax.servlet.ServletRequest req,
                     javax.servlet.ServletResponse res,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
        Throws:
        java.io.IOException
        javax.servlet.ServletException

      • setChannelDecisionManager

        public void setChannelDecisionManager​(ChannelDecisionManager channelDecisionManager)