Package org.dspace.app.rest.security

Class StatelessLoginFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
org.dspace.app.rest.security.StatelessLoginFilter
All Implemented Interfaces:
jakarta.servlet.Filter, Aware, BeanNameAware, DisposableBean, InitializingBean, ApplicationEventPublisherAware, EnvironmentAware, MessageSourceAware, EnvironmentCapable, ServletContextAware
Direct Known Subclasses:
OidcLoginFilter, OrcidLoginFilter, SamlLoginFilter, ShibbolethLoginFilter
public class StatelessLoginFilter extends AbstractAuthenticationProcessingFilter
This class will filter /api/authn/login requests to try and authenticate them. Keep in mind, this filter runs *after* StatelessAuthenticationFilter (which looks for authentication data in the request itself). So, in some scenarios (e.g. after a Shibboleth login) the StatelessAuthenticationFilter does the actual authentication, and this Filter just ensures the auth token (JWT) is sent back in an Authorization header.
Author:
Frederic Van Reet (frederic dot vanreet at atmire dot com), Tom Desair (tom dot desair at atmire dot com)

  • Field Details

  • Constructor Details

    • StatelessLoginFilter

      public StatelessLoginFilter(String url, String httpMethod, AuthenticationManager authenticationManager, RestAuthenticationService restAuthenticationService)
      Initialize a StatelessLoginFilter for the given URL and HTTP method. This login filter will ONLY attempt authentication for requests that match this URL and method. The URL & method are defined in the configuration in WebSecurityConfiguration.
      Parameters:
      url - URL path to attempt to authenticate (e.g. "/api/authn/login")
      httpMethod - HTTP method to attempt to authentication (e.g. "POST")
      authenticationManager - Spring Security AuthenticationManager to use for authentication
      restAuthenticationService - DSpace RestAuthenticationService to use for authentication
      See Also:

  • Method Details

    • afterPropertiesSet

      public void afterPropertiesSet()
      Specified by:
      afterPropertiesSet in interface InitializingBean
      Overrides:
      afterPropertiesSet in class AbstractAuthenticationProcessingFilter

    • attemptAuthentication

      public Authentication attemptAuthentication(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws AuthenticationException
      Attempt to authenticate the user by using Spring Security's AuthenticationManager. The AuthenticationManager will delegate this task to one or more AuthenticationProvider classes.

      For DSpace, our custom AuthenticationProvider is EPersonRestAuthenticationProvider, so that is the authenticate() method which is called below.

      Specified by:
      attemptAuthentication in class AbstractAuthenticationProcessingFilter
      Parameters:
      req - current request
      res - current response
      Returns:
      a valid Spring Security Authentication object if authentication succeeds
      Throws:
      AuthenticationException - if authentication fails
      See Also:

    • successfulAuthentication

      protected void successfulAuthentication(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res, jakarta.servlet.FilterChain chain, Authentication auth) throws IOException, jakarta.servlet.ServletException
      If the above attemptAuthentication() call was successful (no authentication error was thrown), then this method will take the returned DSpaceAuthentication class (which includes all the data from the authenticated user) and add the authentication data to the response.

      For DSpace, this is calling our JWTTokenRestAuthenticationServiceImpl in order to create a JWT based on the authentication data & send that JWT back in the response.

      Overrides:
      successfulAuthentication in class AbstractAuthenticationProcessingFilter
      Parameters:
      req - current request
      res - response
      chain - FilterChain
      auth - Authentication object containing info about user who had a successful authentication
      Throws:
      IOException
      jakarta.servlet.ServletException
      See Also:

    • unsuccessfulAuthentication

      protected void unsuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, AuthenticationException failed) throws IOException, jakarta.servlet.ServletException
      If the above attemptAuthentication() call was unsuccessful, then ensure that the response is a 401 Unauthorized AND it includes a WWW-Authentication header. We use this header in DSpace to return all the enabled authentication options available to the UI (along with the path to the login URL for each option)
      Overrides:
      unsuccessfulAuthentication in class AbstractAuthenticationProcessingFilter
      Parameters:
      request - current request
      response - current response
      failed - exception that was thrown by attemptAuthentication()
      Throws:
      IOException
      jakarta.servlet.ServletException