Package org.springframework.security.web.authentication

Class UsernamePasswordAuthenticationFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
    public class UsernamePasswordAuthenticationFilter
extends AbstractAuthenticationProcessingFilter
    Processes an authentication form submission. Called AuthenticationProcessingFilter prior to Spring Security 3.0.

    Login forms must present two parameters to this filter: a username and password. The default parameter names to use are contained in the static fields SPRING_SECURITY_FORM_USERNAME_KEY and SPRING_SECURITY_FORM_PASSWORD_KEY. The parameter names can also be changed by setting the usernameParameter and passwordParameter properties.

    This filter by default responds to the URL /login.

    Since:
    3.0

    • Field Detail

      • SPRING_SECURITY_FORM_USERNAME_KEY

        public static final java.lang.String SPRING_SECURITY_FORM_USERNAME_KEY
        See Also:
        Constant Field Values

      • SPRING_SECURITY_FORM_PASSWORD_KEY

        public static final java.lang.String SPRING_SECURITY_FORM_PASSWORD_KEY
        See Also:
        Constant Field Values

    • Constructor Detail

      • UsernamePasswordAuthenticationFilter

        public UsernamePasswordAuthenticationFilter()

      • UsernamePasswordAuthenticationFilter

        public UsernamePasswordAuthenticationFilter​(org.springframework.security.authentication.AuthenticationManager authenticationManager)

    • Method Detail

      • attemptAuthentication

        public org.springframework.security.core.Authentication attemptAuthentication​(javax.servlet.http.HttpServletRequest request,
                                                                              javax.servlet.http.HttpServletResponse response)
                                                                       throws org.springframework.security.core.AuthenticationException
        Description copied from class: AbstractAuthenticationProcessingFilter
        Performs actual authentication.

        The implementation should do one of the following:

        1. Return a populated authentication token for the authenticated user, indicating successful authentication
        2. Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
        3. Throw an AuthenticationException if the authentication process fails
        Specified by:
        attemptAuthentication in class AbstractAuthenticationProcessingFilter
        Parameters:
        request - from which to extract parameters and perform the authentication
        response - the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID).
        Returns:
        the authenticated user token, or null if authentication is incomplete.
        Throws:
        org.springframework.security.core.AuthenticationException - if authentication fails.

      • obtainPassword

        @Nullable
protected java.lang.String obtainPassword​(javax.servlet.http.HttpServletRequest request)
        Enables subclasses to override the composition of the password, such as by including additional values and a separator.

        This might be used for example if a postcode/zipcode was required in addition to the password. A delimiter such as a pipe (|) should be used to separate the password and extended value(s). The AuthenticationDao will need to generate the expected password in a corresponding manner.

        Parameters:
        request - so that request attributes can be retrieved
        Returns:
        the password that will be presented in the Authentication request token to the AuthenticationManager

      • obtainUsername

        @Nullable
protected java.lang.String obtainUsername​(javax.servlet.http.HttpServletRequest request)
        Enables subclasses to override the composition of the username, such as by including additional values and a separator.
        Parameters:
        request - so that request attributes can be retrieved
        Returns:
        the username that will be presented in the Authentication request token to the AuthenticationManager

      • setDetails

        protected void setDetails​(javax.servlet.http.HttpServletRequest request,
                          org.springframework.security.authentication.UsernamePasswordAuthenticationToken authRequest)
        Provided so that subclasses may configure what is put into the authentication request's details property.
        Parameters:
        request - that an authentication request is being created for
        authRequest - the authentication request object that should have its details set

      • setUsernameParameter

        public void setUsernameParameter​(java.lang.String usernameParameter)
        Sets the parameter name which will be used to obtain the username from the login request.
        Parameters:
        usernameParameter - the parameter name. Defaults to "username".

      • setPasswordParameter

        public void setPasswordParameter​(java.lang.String passwordParameter)
        Sets the parameter name which will be used to obtain the password from the login request..
        Parameters:
        passwordParameter - the parameter name. Defaults to "password".

      • setPostOnly

        public void setPostOnly​(boolean postOnly)
        Defines whether only HTTP POST requests will be allowed by this filter. If set to true, and an authentication request is received which is not a POST request, an exception will be raised immediately and authentication will not be attempted. The unsuccessfulAuthentication() method will be called as if handling a failed authentication.

        Defaults to true but may be overridden by subclasses.

      • getUsernameParameter

        public final java.lang.String getUsernameParameter()

      • getPasswordParameter

        public final java.lang.String getPasswordParameter()