Class AbstractCrowdSSOAuthenticationProcessingFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
com.atlassian.crowd.integration.springsecurity.AbstractCrowdSSOAuthenticationProcessingFilter
All Implemented Interfaces:
javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
Direct Known Subclasses:
AbstractLocalCrowdAuthenticationProcessingFilter, CrowdSSOAuthenticationProcessingFilter

public abstract class AbstractCrowdSSOAuthenticationProcessingFilter extends org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
  • Field Summary

    Fields
    protected final ClientProperties clientProperties
    protected static final Consumer<org.springframework.security.core.AuthenticationException> SILENT_AUTHENTICATION_EXCEPTION_SWALLOWER
    protected final CrowdHttpTokenHelper tokenHelper

    Fields inherited from class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter

    SPRING_SECURITY_FORM_PASSWORD_KEY, SPRING_SECURITY_FORM_USERNAME_KEY

    Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    authenticationDetailsSource, eventPublisher, messages
  • Constructor Summary

    Constructors
    Modifier
    Constructor
    Description
    protected
     
  • Method Summary

    Methods
    protected void appendSuppliers(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, com.google.common.collect.ImmutableList.Builder<org.apache.commons.lang3.tuple.Pair<Supplier<org.springframework.security.authentication.AbstractAuthenticationToken>,Consumer<org.springframework.security.core.AuthenticationException>>> builder)
    protected boolean canUseSavedRequestToAuthenticate(javax.servlet.http.HttpServletRequest request)
        If the request has been redirected from a page it was not authorised to see, we want to authenticate the login page using the application of the source page.
    protected void doSetDetails(javax.servlet.http.HttpServletRequest request, org.springframework.security.authentication.AbstractAuthenticationToken authRequest)
    protected org.springframework.security.core.Authentication getAuthenticatedToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
    protected CrowdSSOAuthenticationDetails getAuthenticationDetails(javax.servlet.http.HttpServletRequest request)
    protected abstract CookieConfiguration getCookieConfiguration()
    protected String getSavedPath(javax.servlet.http.HttpServletRequest request)
    protected abstract void onUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
        Remove any SSO tokens associated with the request, effectively logging the user out of Crowd.
    protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
        This filter processes all requests; however, if the filterProcessesUrl is part of the request URI, the filter assumes the request is a username/password authentication (login) request and does not check for Crowd SSO authentication.
    protected void setDetails(javax.servlet.http.HttpServletRequest request, org.springframework.security.authentication.UsernamePasswordAuthenticationToken authRequest)
        Provided so that subclasses may configure what is put into the authentication request's details property.
    void setLoginUrlAuthenticationEntryPoint(org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint filterEntryPoint)
        Optional dependency, only required if multiple Crowd applications are coexisting in the same web-application.
    void setRequestToApplicationMapper(RequestToApplicationMapper requestToApplicationMapper)
        Optional dependency.
    protected void storeTokenIfCrowd(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult)
    protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain, org.springframework.security.core.Authentication authResult)
        Attempts to write out the successful SSO token to a cookie, if an SSO token was generated and stored via the AuthenticationProvider.
    protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed)

    Methods inherited from class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter

    attemptAuthentication, getPasswordParameter, getUsernameParameter, obtainPassword, obtainUsername, setPasswordParameter, setPostOnly, setUsernameParameter

    Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSecurityContextHolderStrategy, setSecurityContextRepository, setSessionAuthenticationStrategy

    Methods inherited from class org.springframework.web.filter.GenericFilterBean

    addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • SILENT_AUTHENTICATION_EXCEPTION_SWALLOWER

      protected static final Consumer<org.springframework.security.core.AuthenticationException> SILENT_AUTHENTICATION_EXCEPTION_SWALLOWER
    • clientProperties

      protected final ClientProperties clientProperties
    • tokenHelper

      protected final CrowdHttpTokenHelper tokenHelper
  • Constructor Details

  • Method Details

    • requiresAuthentication

      protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      This filter processes all requests; however, if the filterProcessesUrl is part of the request URI, the filter assumes the request is a username/password authentication (login) request and does not check for Crowd SSO authentication. Authentication then proceeds as defined in the AuthenticationProcessingFilter.

      Otherwise, an authentication request to Crowd will be made to verify any existing Crowd SSO token (via the ProviderManager).

      Overrides:
      requiresAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      Parameters:
      request - servlet request containing either username/password parameters or the Crowd token as a cookie.
      response - servlet response to write out cookie.
      Returns:
      true only if the filterProcessesUrl is in the request URI.
    • getAuthenticatedToken

      protected org.springframework.security.core.Authentication getAuthenticatedToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
    • appendSuppliers

      protected void appendSuppliers(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, com.google.common.collect.ImmutableList.Builder<org.apache.commons.lang3.tuple.Pair<Supplier<org.springframework.security.authentication.AbstractAuthenticationToken>,Consumer<org.springframework.security.core.AuthenticationException>>> builder)
    • setDetails

      protected void setDetails(javax.servlet.http.HttpServletRequest request, org.springframework.security.authentication.UsernamePasswordAuthenticationToken authRequest)
      Provided so that subclasses may configure what is put into the authentication request's details property.

      Sets the validation factors from the HttpServletRequest on the authentication request. Also sets the application name to the name of the application responsible for authorising the request. For single-crowd-application-per-spring-security-context web apps, this is simply the application name specified in the ClientProperties. For multi-crowd-applications-per-spring-security-context web apps, the requestToApplicationMapper is used to determine the application name.

      Overrides:
      setDetails in class org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
      Parameters:
      request - that an authentication request is being created for
      authRequest - the authentication request object that should have its details set
    • canUseSavedRequestToAuthenticate

      protected boolean canUseSavedRequestToAuthenticate(javax.servlet.http.HttpServletRequest request)

      If the request has been redirected from a page it was not authorised to see, we want to authenticate the login page using the application of the source page. The only pages that should receive that special treatment are the login page itself and 'j_spring_security_check', the submission target of the login page.

      This method contains that definition, and will only return true for those pages.

      Returns:
      is it safe to authenticate this resource as if it were the resource saved in the session?
    • doSetDetails

      protected void doSetDetails(javax.servlet.http.HttpServletRequest request, org.springframework.security.authentication.AbstractAuthenticationToken authRequest)
    • getAuthenticationDetails

      protected CrowdSSOAuthenticationDetails getAuthenticationDetails(javax.servlet.http.HttpServletRequest request)
    • getSavedPath

      protected String getSavedPath(javax.servlet.http.HttpServletRequest request)
    • successfulAuthentication

      protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain, org.springframework.security.core.Authentication authResult) throws IOException, javax.servlet.ServletException
      Attempts to write out the successful SSO token to a cookie, if an SSO token was generated and stored via the AuthenticationProvider.

      This effectively establishes SSO when using the CrowdAuthenticationProvider in conjunction with this filter.

      Overrides:
      successfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      Parameters:
      request - servlet request.
      response - servlet response.
      authResult - result of a successful authentication. If it is a CrowdSSOAuthenticationToken then the SSO token will be set to the "credentials" property.
      Throws:
      IOException - not thrown.
      javax.servlet.ServletException
    • storeTokenIfCrowd

      protected void storeTokenIfCrowd(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult)
    • unsuccessfulAuthentication

      protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) throws IOException, javax.servlet.ServletException
      Overrides:
      unsuccessfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      Throws:
      IOException
      javax.servlet.ServletException
    • onUnsuccessfulAuthentication

      protected abstract void onUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Remove any SSO tokens associated with the request, effectively logging the user out of Crowd.
      Parameters:
      request - servlet request.
      response - servlet response.
    • getCookieConfiguration

      protected abstract CookieConfiguration getCookieConfiguration() throws Exception
      Throws:
      Exception
    • setRequestToApplicationMapper

      public void setRequestToApplicationMapper(RequestToApplicationMapper requestToApplicationMapper)
      Optional dependency.
      Parameters:
      requestToApplicationMapper - only required if multiple Crowd "applications" need to be accessed via the same Spring Security context, e.g. when one web-application corresponds to multiple Crowd "applications".
    • setLoginUrlAuthenticationEntryPoint

      public void setLoginUrlAuthenticationEntryPoint(org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint filterEntryPoint)
      Optional dependency, only required if multiple Crowd applications are coexisting in the same web-application. Used to discover the login page so that it can be treated specially.