Package org.springframework.security.web.authentication.www

Class BasicAuthenticationFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.springframework.web.filter.OncePerRequestFilter

org.springframework.security.web.authentication.www.BasicAuthenticationFilter

All Implemented Interfaces:

jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class BasicAuthenticationFilter
extends org.springframework.web.filter.OncePerRequestFilter

Processes a HTTP request's BASIC authorization headers, putting the result into the SecurityContextHolder.

For a detailed background on what this filter is designed to process, refer to RFC 1945, Section 11.1. Any realm name presented in the HTTP request is ignored.

In summary, this filter is responsible for processing any request that has a HTTP request header of Authorization with an authentication scheme of Basic and a Base64-encoded username:password token. For example, to authenticate user "Aladdin" with password "open sesame" the following header would be presented:

 Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
 

This filter can be used to provide BASIC authentication services to both remoting protocol clients (such as Hessian and SOAP) as well as standard user agents (such as Internet Explorer and Netscape).

If authentication is successful, the resulting Authentication object will be placed into the SecurityContextHolder.

If authentication fails and ignoreFailure is false (the default), an AuthenticationEntryPoint implementation is called (unless the ignoreFailure property is set to true). Usually this should be BasicAuthenticationEntryPoint, which will prompt the user to authenticate again via BASIC authentication.

Basic authentication is an attractive protocol because it is simple and widely deployed. However, it still transmits a password in clear text and as such is undesirable in many situations. Digest authentication is also provided by Spring Security and should be used instead of Basic authentication wherever possible. See DigestAuthenticationFilter.

Note that if a RememberMeServices is set, this filter will automatically send back remember-me details to the client. Therefore, subsequent requests will not need to present a BASIC authentication header as they will be authenticated using the remember-me mechanism.

Field Summary

Fields inherited from class org.springframework.web.filter.OncePerRequestFilter

ALREADY_FILTERED_SUFFIX

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor	Description
BasicAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager)	Creates an instance which will authenticate against the supplied AuthenticationManager and which will ignore failed authentication attempts, allowing the request to proceed down the filter chain.
BasicAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint)	Creates an instance which will authenticate against the supplied AuthenticationManager and use the supplied AuthenticationEntryPoint to handle authentication failures.

Method Summary

Modifier and Type	Method	Description
void	afterPropertiesSet()
protected boolean	authenticationIsRequired(String username)
protected void	doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain)
protected AuthenticationEntryPoint	getAuthenticationEntryPoint()
protected org.springframework.security.authentication.AuthenticationManager	getAuthenticationManager()
protected String	getCredentialsCharset(jakarta.servlet.http.HttpServletRequest httpRequest)
protected boolean	isIgnoreFailure()
protected void	onSuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult)
protected void	onUnsuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed)
void	setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
void	setCredentialsCharset(String credentialsCharset)
void	setRememberMeServices(RememberMeServices rememberMeServices)
void	setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)	Sets the SecurityContextHolderStrategy to use.
void	setSecurityContextRepository(SecurityContextRepository securityContextRepository)	Sets the SecurityContextRepository to save the SecurityContext on authentication success.

Methods inherited from class org.springframework.web.filter.OncePerRequestFilter

doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

BasicAuthenticationFilter

public BasicAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager)

Creates an instance which will authenticate against the supplied AuthenticationManager and which will ignore failed authentication attempts, allowing the request to proceed down the filter chain.

Parameters:

authenticationManager - the bean to submit authentication requests to

BasicAuthenticationFilter

public BasicAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager,
 AuthenticationEntryPoint authenticationEntryPoint)

Creates an instance which will authenticate against the supplied AuthenticationManager and use the supplied AuthenticationEntryPoint to handle authentication failures.

Parameters:

authenticationManager - the bean to submit authentication requests to

authenticationEntryPoint - will be invoked when authentication fails. Typically an instance of BasicAuthenticationEntryPoint.

Method Details

setSecurityContextRepository

public void setSecurityContextRepository(SecurityContextRepository securityContextRepository)

Sets the SecurityContextRepository to save the SecurityContext on authentication success. The default action is not to save the SecurityContext.

Parameters:

securityContextRepository - the SecurityContextRepository to use. Cannot be null.

afterPropertiesSet

public void afterPropertiesSet()

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Overrides:

afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean

doFilterInternal

protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request,
 jakarta.servlet.http.HttpServletResponse response,
 jakarta.servlet.FilterChain chain)
                         throws IOException,
jakarta.servlet.ServletException

Specified by:

doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter

Throws:

IOException

jakarta.servlet.ServletException

authenticationIsRequired

protected boolean authenticationIsRequired(String username)

onSuccessfulAuthentication

protected void onSuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request,
 jakarta.servlet.http.HttpServletResponse response,
 org.springframework.security.core.Authentication authResult)
                                   throws IOException

Throws:

IOException

onUnsuccessfulAuthentication

protected void onUnsuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request,
 jakarta.servlet.http.HttpServletResponse response,
 org.springframework.security.core.AuthenticationException failed)
                                     throws IOException

Throws:

IOException

getAuthenticationEntryPoint

protected AuthenticationEntryPoint getAuthenticationEntryPoint()

getAuthenticationManager

protected org.springframework.security.authentication.AuthenticationManager getAuthenticationManager()

isIgnoreFailure

protected boolean isIgnoreFailure()

setSecurityContextHolderStrategy

public void setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)

Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.

Since:

5.8

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,?> authenticationDetailsSource)

setRememberMeServices

public void setRememberMeServices(RememberMeServices rememberMeServices)

setCredentialsCharset

public void setCredentialsCharset(String credentialsCharset)

getCredentialsCharset

protected String getCredentialsCharset(jakarta.servlet.http.HttpServletRequest httpRequest)