Package org.dspace.app.rest.security
Class StatelessLoginFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
org.dspace.app.rest.security.StatelessLoginFilter
- All Implemented Interfaces:
javax.servlet.Filter,org.springframework.beans.factory.Aware,org.springframework.beans.factory.BeanNameAware,org.springframework.beans.factory.DisposableBean,org.springframework.beans.factory.InitializingBean,org.springframework.context.ApplicationEventPublisherAware,org.springframework.context.EnvironmentAware,org.springframework.context.MessageSourceAware,org.springframework.core.env.EnvironmentCapable,org.springframework.web.context.ServletContextAware
- Direct Known Subclasses:
OidcLoginFilter,OrcidLoginFilter,ShibbolethLoginFilter
public class StatelessLoginFilter
extends org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
This class will filter /api/authn/login requests to try and authenticate them. Keep in mind, this filter runs *after*
StatelessAuthenticationFilter (which looks for authentication data in the request itself). So, in some scenarios
(e.g. after a Shibboleth login) the StatelessAuthenticationFilter does the actual authentication, and this Filter
just ensures the auth token (JWT) is sent back in an Authorization header.
- Author:
- Frederic Van Reet (frederic dot vanreet at atmire dot com), Tom Desair (tom dot desair at atmire dot com)
-
Field Summary
FieldsModifier and TypeFieldDescriptionprotected org.springframework.security.authentication.AuthenticationManagerprotected RestAuthenticationServiceFields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
authenticationDetailsSource, eventPublisher, messagesFields inherited from class org.springframework.web.filter.GenericFilterBean
logger -
Constructor Summary
ConstructorsConstructorDescriptionStatelessLoginFilter(String url, org.springframework.security.authentication.AuthenticationManager authenticationManager, RestAuthenticationService restAuthenticationService) -
Method Summary
Modifier and TypeMethodDescriptionvoidorg.springframework.security.core.AuthenticationattemptAuthentication(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res) Attempt to authenticate the user by using Spring Security's AuthenticationManager.protected voidsuccessfulAuthentication(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication auth) If the above attemptAuthentication() call was successful (no authentication error was thrown), then this method will take the returnedDSpaceAuthenticationclass (which includes all the data from the authenticated user) and add the authentication data to the response.protected voidunsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) If the above attemptAuthentication() call was unsuccessful, then ensure that the response is a 401 Unauthorized AND it includes a WWW-Authentication header.Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSecurityContextRepository, setSessionAuthenticationStrategyMethods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
-
Field Details
-
authenticationManager
protected org.springframework.security.authentication.AuthenticationManager authenticationManager -
restAuthenticationService
-
-
Constructor Details
-
StatelessLoginFilter
public StatelessLoginFilter(String url, org.springframework.security.authentication.AuthenticationManager authenticationManager, RestAuthenticationService restAuthenticationService)
-
-
Method Details
-
afterPropertiesSet
public void afterPropertiesSet()- Specified by:
afterPropertiesSetin interfaceorg.springframework.beans.factory.InitializingBean- Overrides:
afterPropertiesSetin classorg.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
-
attemptAuthentication
public org.springframework.security.core.Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res) throws org.springframework.security.core.AuthenticationException Attempt to authenticate the user by using Spring Security's AuthenticationManager. The AuthenticationManager will delegate this task to one or more AuthenticationProvider classes.For DSpace, our custom AuthenticationProvider is
EPersonRestAuthenticationProvider, so that is the authenticate() method which is called below.- Specified by:
attemptAuthenticationin classorg.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter- Parameters:
req- current requestres- current response- Returns:
- a valid Spring Security Authentication object if authentication succeeds
- Throws:
org.springframework.security.core.AuthenticationException- if authentication fails- See Also:
-
successfulAuthentication
protected void successfulAuthentication(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication auth) throws IOException, javax.servlet.ServletException If the above attemptAuthentication() call was successful (no authentication error was thrown), then this method will take the returnedDSpaceAuthenticationclass (which includes all the data from the authenticated user) and add the authentication data to the response.For DSpace, this is calling our
JWTTokenRestAuthenticationServiceImplin order to create a JWT based on the authentication data & send that JWT back in the response.- Overrides:
successfulAuthenticationin classorg.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter- Parameters:
req- current requestres- responsechain- FilterChainauth- Authentication object containing info about user who had a successful authentication- Throws:
IOExceptionjavax.servlet.ServletException- See Also:
-
unsuccessfulAuthentication
protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) throws IOException, javax.servlet.ServletException If the above attemptAuthentication() call was unsuccessful, then ensure that the response is a 401 Unauthorized AND it includes a WWW-Authentication header. We use this header in DSpace to return all the enabled authentication options available to the UI (along with the path to the login URL for each option)- Overrides:
unsuccessfulAuthenticationin classorg.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter- Parameters:
request- current requestresponse- current responsefailed- exception that was thrown by attemptAuthentication()- Throws:
IOExceptionjavax.servlet.ServletException
-