Class StatelessLoginFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
    Direct Known Subclasses:
    OidcLoginFilter, ShibbolethLoginFilter

    public class StatelessLoginFilter
    extends org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    This class filters /api/authn/login requests and tries to authenticate them. Keep in mind that this filter runs *after* StatelessAuthenticationFilter (which looks for authentication data in the request itself). So, in some scenarios (e.g. after a Shibboleth login) the StatelessAuthenticationFilter does the actual authentication, and this filter just ensures the auth token (JWT) is sent back in an Authorization header.
    Author:
    Frederic Van Reet (frederic dot vanreet at atmire dot com), Tom Desair (tom dot desair at atmire dot com)
    • Field Summary

      Fields 
      Modifier and Type Field Description
      protected org.springframework.security.authentication.AuthenticationManager authenticationManager  
      protected RestAuthenticationService restAuthenticationService  
      • Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

        authenticationDetailsSource, eventPublisher, messages
      • Fields inherited from class org.springframework.web.filter.GenericFilterBean

        logger
    • Method Summary

      Modifier and Type Method Description
      void afterPropertiesSet()  
      org.springframework.security.core.Authentication attemptAuthentication​(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res)
      Attempt to authenticate the user by using Spring Security's AuthenticationManager.
      protected void successfulAuthentication​(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication auth)
      If the above attemptAuthentication() call was successful (no authentication error was thrown), then this method will take the returned DSpaceAuthentication class (which includes all the data from the authenticated user) and add the authentication data to the response.
      protected void unsuccessfulAuthentication​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed)
      If the above attemptAuthentication() call was unsuccessful, then ensure that the response is a 401 Unauthorized AND it includes a WWW-Authenticate header.
      • Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

        doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy
      • Methods inherited from class org.springframework.web.filter.GenericFilterBean

        addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
    • Field Detail

      • authenticationManager

        protected org.springframework.security.authentication.AuthenticationManager authenticationManager
      • restAuthenticationService

        protected RestAuthenticationService restAuthenticationService
    • Constructor Detail

      • StatelessLoginFilter

        public StatelessLoginFilter​(String url,
                                    org.springframework.security.authentication.AuthenticationManager authenticationManager,
                                    RestAuthenticationService restAuthenticationService)
    • Method Detail

      • afterPropertiesSet

        public void afterPropertiesSet()
        Specified by:
        afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
        Overrides:
        afterPropertiesSet in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      • attemptAuthentication

        public org.springframework.security.core.Authentication attemptAuthentication​(javax.servlet.http.HttpServletRequest req,
                                                                                      javax.servlet.http.HttpServletResponse res)
                                                                               throws org.springframework.security.core.AuthenticationException
        Attempt to authenticate the user by using Spring Security's AuthenticationManager. The AuthenticationManager will delegate this task to one or more AuthenticationProvider classes.

        For DSpace, our custom AuthenticationProvider is EPersonRestAuthenticationProvider, so its authenticate() method is the one that ends up being called.

        Specified by:
        attemptAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
        Parameters:
        req - current request
        res - current response
        Returns:
        a valid Spring Security Authentication object if authentication succeeds
        Throws:
        org.springframework.security.core.AuthenticationException - if authentication fails
        See Also:
        EPersonRestAuthenticationProvider
      • successfulAuthentication

        protected void successfulAuthentication​(javax.servlet.http.HttpServletRequest req,
                                                javax.servlet.http.HttpServletResponse res,
                                                javax.servlet.FilterChain chain,
                                                org.springframework.security.core.Authentication auth)
                                         throws IOException,
                                                javax.servlet.ServletException
        If the above attemptAuthentication() call was successful (no authentication error was thrown), then this method will take the returned DSpaceAuthentication class (which includes all the data from the authenticated user) and add the authentication data to the response.

        For DSpace, this is calling our JWTTokenRestAuthenticationServiceImpl in order to create a JWT based on the authentication data & send that JWT back in the response.

        Overrides:
        successfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
        Parameters:
        req - current request
        res - response
        chain - FilterChain
        auth - Authentication object containing info about user who had a successful authentication
        Throws:
        IOException
        javax.servlet.ServletException
        See Also:
        JWTTokenRestAuthenticationServiceImpl
      • unsuccessfulAuthentication

        protected void unsuccessfulAuthentication​(javax.servlet.http.HttpServletRequest request,
                                                  javax.servlet.http.HttpServletResponse response,
                                                  org.springframework.security.core.AuthenticationException failed)
                                           throws IOException,
                                                  javax.servlet.ServletException
        If the above attemptAuthentication() call was unsuccessful, then ensure that the response is a 401 Unauthorized AND it includes a WWW-Authenticate header. We use this header in DSpace to return all the enabled authentication options available to the UI (along with the path to the login URL for each option).
        Overrides:
        unsuccessfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
        Parameters:
        request - current request
        response - current response
        failed - exception that was thrown by attemptAuthentication()
        Throws:
        IOException
        javax.servlet.ServletException
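
Worked example (added here; not DSpace code). The three methods above describe one login round-trip, so this is a minimal filter, written for this page against the Spring Security API, that performs the same steps: delegate to the AuthenticationManager, put a bearer token in the Authorization header on success, and answer 401 with a WWW-Authenticate header on failure. ExampleStatelessLoginFilter, TokenService, the request parameter names and the WWW-Authenticate value format are assumptions of this example; they are not DSpace's RestAuthenticationService, JWTTokenRestAuthenticationServiceImpl or its header format.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

// Illustrative stateless login filter (example only, not the DSpace class).
public class ExampleStatelessLoginFilter extends AbstractAuthenticationProcessingFilter {

    /** Assumed abstraction over JWT creation; stands in for RestAuthenticationService. */
    public interface TokenService {
        String createToken(Authentication auth);
    }

    private final TokenService tokenService;

    public ExampleStatelessLoginFilter(String url,
                                       AuthenticationManager authenticationManager,
                                       TokenService tokenService) {
        super(url);                                  // only requests matching url reach attemptAuthentication()
        setAuthenticationManager(authenticationManager);
        this.tokenService = tokenService;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException {
        // Parameter names "user" and "password" are an assumption of this example.
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (user == null || password == null) {
            // Missing credentials are an authentication failure, not a 500:
            // throwing here routes the request to unsuccessfulAuthentication().
            throw new BadCredentialsException("missing credentials");
        }
        // Delegation: the AuthenticationManager hands this token to its
        // AuthenticationProvider(s); in DSpace that is EPersonRestAuthenticationProvider.
        return getAuthenticationManager().authenticate(
                new UsernamePasswordAuthenticationToken(user, password));
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest req, HttpServletResponse res,
                                            FilterChain chain, Authentication auth)
            throws IOException, ServletException {
        // Stateless: no HttpSession and no SecurityContext persisted server-side.
        // The only thing handed back is the bearer token in the Authorization header.
        res.setHeader("Authorization", "Bearer " + tokenService.createToken(auth));
        res.setStatus(HttpServletResponse.SC_OK);
        // chain.doFilter() is deliberately not called: the login request ends here.
    }

    @Override
    protected void unsuccessfulAuthentication(HttpServletRequest req, HttpServletResponse res,
                                              AuthenticationException failed)
            throws IOException, ServletException {
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        // RFC 7235 requires a WWW-Authenticate header on every 401. The value below
        // is an assumed format that lists the enabled login options and their endpoints.
        res.setHeader("WWW-Authenticate",
                "password realm=\"DSpace REST API\", "
              + "shibboleth realm=\"DSpace REST API\" location=\"/api/authn/shibboleth\"");
        // Do not write failed.getMessage() into the body: provider messages can
        // differ between "unknown user" and "wrong password" and leak account existence.
    }
}
```

The filter is only as stateless as its success path: because successfulAuthentication() is overridden without calling the superclass, Spring Security's default session-creation and SecurityContext-storage steps never run, which is what keeps the JWT in the Authorization header the sole credential the client holds.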