Class PentahoBasicProcessingFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

    public class PentahoBasicProcessingFilter
    extends org.springframework.security.web.authentication.www.BasicAuthenticationFilter
    implements org.springframework.context.ApplicationEventPublisherAware
    This class's sole purpose is to defeat the persistence of Basic-Auth credentials in the browser. It does this by detecting an expired (invalid) HttpSession presented by the client.

    If the first request after a session becomes invalid is a Basic-Auth request, we automatically deny, forcing re-authentication.

    The second path applies when the first request after session invalidation is not a Basic-Auth request (the user manually logged out and was presented with the login page): we drop a cookie in the response noting the event. The next request with Basic-Auth and a valid HttpSession checks for this cookie and, if it is present, forces re-authentication.

    User: nbaker Date: 8/15/13
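The two paths described above, written as a servlet-free decision function. This is an added illustration, not the Pentaho source: the class name, the `MARKER` cookie name and the `Action` enum are hypothetical, and clearing the marker once it has forced a challenge is an assumption the page does not state.

```java
import java.util.HashSet;
import java.util.Set;

public class BasicAuthReplayGuard {
    enum Action { CHALLENGE_401, MARK_AND_CONTINUE, CONTINUE }

    // Hypothetical cookie name; the page does not give the one Pentaho uses.
    static final String MARKER = "session-expired-marker";

    /**
     * @param requestedSessionId session id the client sent, or null if none
     * @param sessionValid       whether that id still maps to a live HttpSession
     * @param authorization      value of the Authorization header, or null
     * @param cookies            cookie names held by the client; mutated here
     *                           to model Set-Cookie / cookie removal
     */
    static Action decide(String requestedSessionId, boolean sessionValid,
                         String authorization, Set<String> cookies) {
        boolean basic = authorization != null
                && authorization.regionMatches(true, 0, "Basic ", 0, 6);
        boolean expired = requestedSessionId != null && !sessionValid;

        if (expired && basic) {
            // Path 1: browser replays cached credentials on a dead session.
            return Action.CHALLENGE_401;
        }
        if (expired) {
            // Path 2, step 1: no Basic header (login page shown); note the event.
            cookies.add(MARKER);
            return Action.MARK_AND_CONTINUE;
        }
        if (basic && cookies.remove(MARKER)) {
            // Path 2, step 2: valid session, Basic header, marker present.
            // Assumed: the marker is cleared so the re-entered credentials pass.
            return Action.CHALLENGE_401;
        }
        return Action.CONTINUE;
    }

    public static void main(String[] args) {
        Set<String> jar = new HashSet<>();
        String creds = "Basic dXNlcjpwYXNz"; // constructed sample (user:pass)
        System.out.println(decide("OLD", false, creds, jar)); // expired + Basic
        System.out.println(decide("OLD", false, null, jar));  // expired, no Basic
        System.out.println(decide("NEW", true, creds, jar));  // valid + marker
        System.out.println(decide("NEW", true, creds, jar));  // valid, marker gone
    }
}
```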

    • Field Summary

      • Fields inherited from class org.springframework.web.filter.OncePerRequestFilter

        ALREADY_FILTERED_SUFFIX
      • Fields inherited from class org.springframework.web.filter.GenericFilterBean

        logger
    • Constructor Summary

      Constructors 
      Constructor Description
      PentahoBasicProcessingFilter​(org.springframework.security.authentication.AuthenticationManager authenticationManager)  
      PentahoBasicProcessingFilter​(org.springframework.security.authentication.AuthenticationManager authenticationManager, org.springframework.security.web.AuthenticationEntryPoint authenticationEntryPoint)  
    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      void doFilterInternal​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)  
      protected void onSuccessfulAuthentication​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult)  
      void setApplicationEventPublisher​(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)  
      • Methods inherited from class org.springframework.security.web.authentication.www.BasicAuthenticationFilter

        afterPropertiesSet, getAuthenticationEntryPoint, getAuthenticationManager, getCredentialsCharset, isIgnoreFailure, onUnsuccessfulAuthentication, setAuthenticationDetailsSource, setCredentialsCharset, setRememberMeServices
      • Methods inherited from class org.springframework.web.filter.OncePerRequestFilter

        doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch
      • Methods inherited from class org.springframework.web.filter.GenericFilterBean

        addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
    • Constructor Detail

      • PentahoBasicProcessingFilter

        public PentahoBasicProcessingFilter​(org.springframework.security.authentication.AuthenticationManager authenticationManager)
      • PentahoBasicProcessingFilter

        public PentahoBasicProcessingFilter​(org.springframework.security.authentication.AuthenticationManager authenticationManager,
                                            org.springframework.security.web.AuthenticationEntryPoint authenticationEntryPoint)
    • Method Detail

      • setApplicationEventPublisher

        public void setApplicationEventPublisher​(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
        Specified by:
        setApplicationEventPublisher in interface org.springframework.context.ApplicationEventPublisherAware
      • doFilterInternal

        public void doFilterInternal​(javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response,
                                     javax.servlet.FilterChain chain)
                              throws IOException,
                                     javax.servlet.ServletException
        Overrides:
        doFilterInternal in class org.springframework.security.web.authentication.www.BasicAuthenticationFilter
        Throws:
        IOException
        javax.servlet.ServletException
      • onSuccessfulAuthentication

        protected void onSuccessfulAuthentication​(javax.servlet.http.HttpServletRequest request,
                                                  javax.servlet.http.HttpServletResponse response,
                                                  org.springframework.security.core.Authentication authResult)
                                           throws IOException
        Overrides:
        onSuccessfulAuthentication in class org.springframework.security.web.authentication.www.BasicAuthenticationFilter
        Throws:
        IOException