Package org.springframework.security.web.jaasapi

Class JaasApiIntegrationFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.springframework.security.web.jaasapi.JaasApiIntegrationFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class JaasApiIntegrationFilter
extends org.springframework.web.filter.GenericFilterBean

A Filter which attempts to obtain a JAAS Subject and continue the FilterChain running as that Subject.

By using this Filter in conjunction with Spring's JaasAuthenticationProvider both Spring's SecurityContext and a JAAS Subject can be populated simultaneously. This is useful when integrating with code that requires a JAAS Subject to be populated.

See Also:

doFilter(ServletRequest, ServletResponse, FilterChain), obtainSubject(ServletRequest)

Field Summary

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor	Description
JaasApiIntegrationFilter()

Method Summary

Modifier and Type	Method	Description
void	doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)	Attempts to obtain and run as a JAAS Subject using obtainSubject(ServletRequest).
protected javax.security.auth.Subject	obtainSubject(javax.servlet.ServletRequest request)	Obtains the Subject to run as or null if no Subject is available.
void	setCreateEmptySubject(boolean createEmptySubject)	Sets createEmptySubject.

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JaasApiIntegrationFilter

public JaasApiIntegrationFilter()

Method Detail

doFilter

public final void doFilter(javax.servlet.ServletRequest request,
                           javax.servlet.ServletResponse response,
                           javax.servlet.FilterChain chain)
                    throws javax.servlet.ServletException,
                           java.io.IOException

Attempts to obtain and run as a JAAS Subject using obtainSubject(ServletRequest).

If the Subject is null and createEmptySubject is true, an empty, writeable Subject is used. This allows for the Subject to be populated at the time of login. If the Subject is null, the FilterChain continues with no additional processing. If the Subject is not null , the FilterChain is ran with Subject.doAs(Subject, PrivilegedExceptionAction) in conjunction with the Subject obtained.

Throws:

javax.servlet.ServletException

java.io.IOException

obtainSubject

protected javax.security.auth.Subject obtainSubject(javax.servlet.ServletRequest request)

Obtains the Subject to run as or null if no Subject is available.

The default implementation attempts to obtain the Subject from the SecurityContext's Authentication. If it is of type JaasAuthenticationToken and is authenticated, the Subject is returned from it. Otherwise, null is returned.

Parameters:

request - the current ServletRequest

Returns:

the Subject to run as or null if no Subject is available.

setCreateEmptySubject

public final void setCreateEmptySubject(boolean createEmptySubject)

Sets createEmptySubject. If the value is true, and obtainSubject(ServletRequest) returns null, an empty, writeable Subject is created instead. Otherwise no Subject is used. The default is false.

Parameters:

createEmptySubject - the new value