org.acegisecurity.ui.webapp

Class SiteminderAuthenticationProcessingFilter

java.lang.Object

org.acegisecurity.ui.AbstractProcessingFilter

org.acegisecurity.ui.webapp.AuthenticationProcessingFilter

org.acegisecurity.ui.webapp.SiteminderAuthenticationProcessingFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.MessageSourceAware

public class SiteminderAuthenticationProcessingFilter
extends AuthenticationProcessingFilter

Extends Acegi's AuthenticationProcessingFilter to pick up CA/Netegrity Siteminder headers.

Also provides a backup form-based authentication and the ability set source key names.

Siteminder must present two headers to this filter, a username and password. You must set the header keys before this filter is used for authentication, otherwise Siteminder checks will be skipped. If the Siteminder check is unsuccessful (i.e. if the headers are not found), then the form parameters will be checked (see next paragraph). This allows applications to optionally function even when their Siteminder infrastructure is unavailable, as is often the case during development.

Login forms must present two parameters to this filter: a username and password. If not specified, the parameter names to use are contained in the static fields AuthenticationProcessingFilter.ACEGI_SECURITY_FORM_USERNAME_KEY and AuthenticationProcessingFilter.ACEGI_SECURITY_FORM_PASSWORD_KEY.

Do not use this class directly. Instead, configure web.xml to use the FilterToBeanProxy.

Field Summary

Fields inherited from class org.acegisecurity.ui.webapp.AuthenticationProcessingFilter

ACEGI_SECURITY_FORM_PASSWORD_KEY, ACEGI_SECURITY_FORM_USERNAME_KEY, ACEGI_SECURITY_LAST_USERNAME_KEY

Fields inherited from class org.acegisecurity.ui.AbstractProcessingFilter

ACEGI_SAVED_REQUEST_KEY, ACEGI_SECURITY_LAST_EXCEPTION_KEY, authenticationDetailsSource, eventPublisher, messages

Constructor Summary

Constructors

Constructor and Description
SiteminderAuthenticationProcessingFilter() Basic constructor.

Method Summary

Modifier and Type	Method and Description
Authentication	attemptAuthentication(javax.servlet.http.HttpServletRequest request) Performs actual authentication.
String	getFormPasswordParameterKey() Returns the form password parameter key.
String	getFormUsernameParameterKey() Returns the form username parameter key.
String	getSiteminderPasswordHeaderKey() Returns the Siteminder password header key.
String	getSiteminderUsernameHeaderKey() Returns the Siteminder username header key.
protected String	obtainPassword(javax.servlet.http.HttpServletRequest request) Overridden method to obtain different value depending on whether Siteminder or form validation is being performed.
protected boolean	requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Overridden to perform authentication not only on j_security_check, but also on requests for the default target URL when the user isn't already authenticated.
void	setFormPasswordParameterKey(String key) Sets the form password parameter key.
void	setFormUsernameParameterKey(String key) Sets the form username parameter key.
void	setSiteminderPasswordHeaderKey(String key) Sets the Siteminder password header key.
void	setSiteminderUsernameHeaderKey(String key) Sets the Siteminder username header key.

Methods inherited from class org.acegisecurity.ui.webapp.AuthenticationProcessingFilter

getDefaultFilterProcessesUrl, init, obtainUsername, setDetails

Methods inherited from class org.acegisecurity.ui.AbstractProcessingFilter

afterPropertiesSet, destroy, determineFailureUrl, determineTargetUrl, doFilter, getAuthenticationDetailsSource, getAuthenticationFailureUrl, getAuthenticationManager, getDefaultTargetUrl, getExceptionMappings, getFilterProcessesUrl, getRememberMeServices, isAlwaysUseDefaultTargetUrl, isContinueChainBeforeSuccessfulAuthentication, obtainFullRequestUrl, onPreAuthentication, onSuccessfulAuthentication, onUnsuccessfulAuthentication, sendRedirect, setAlwaysUseDefaultTargetUrl, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureUrl, setAuthenticationManager, setBufferSize, setContinueChainBeforeSuccessfulAuthentication, setDefaultTargetUrl, setExceptionMappings, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setUseRelativeContext, successfulAuthentication, unsuccessfulAuthentication

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SiteminderAuthenticationProcessingFilter

public SiteminderAuthenticationProcessingFilter()

Basic constructor.

Method Detail

attemptAuthentication

public Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request)
                                     throws AuthenticationException

Description copied from class: AbstractProcessingFilter

Performs actual authentication.

Overrides:

attemptAuthentication in class AuthenticationProcessingFilter

Parameters:

request - from which to extract parameters and perform the authentication

Returns:

the authenticated user

Throws:

AuthenticationException - if authentication fails

See Also:

AbstractProcessingFilter.attemptAuthentication(javax.servlet.http.HttpServletRequest)

getFormPasswordParameterKey

public String getFormPasswordParameterKey()

Returns the form password parameter key.

Returns:

The form password parameter key.

getFormUsernameParameterKey

public String getFormUsernameParameterKey()

Returns the form username parameter key.

Returns:

The form username parameter key.

getSiteminderPasswordHeaderKey

public String getSiteminderPasswordHeaderKey()

Returns the Siteminder password header key.

Returns:

The Siteminder password header key.

getSiteminderUsernameHeaderKey

public String getSiteminderUsernameHeaderKey()

Returns the Siteminder username header key.

Returns:

The Siteminder username header key.

obtainPassword

protected String obtainPassword(javax.servlet.http.HttpServletRequest request)

Overridden method to obtain different value depending on whether Siteminder or form validation is being performed.

Overrides:

obtainPassword in class AuthenticationProcessingFilter

Parameters:

request - so that request attributes can be retrieved

Returns:

the password that will be presented in the Authentication request token to the AuthenticationManager

requiresAuthentication

protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request,
                                         javax.servlet.http.HttpServletResponse response)

Overridden to perform authentication not only on j_security_check, but also on requests for the default target URL when the user isn't already authenticated.

Thank you Paul Garvey for providing a straightforward solution (and code) for this!

Overrides:

requiresAuthentication in class AbstractProcessingFilter

Parameters:

request - as received from the filter chain

response - as received from the filter chain

Returns:

true if the filter should attempt authentication, false otherwise

See Also:

AbstractProcessingFilter.requiresAuthentication(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)

setFormPasswordParameterKey

public void setFormPasswordParameterKey(String key)

Sets the form password parameter key.

Parameters:

key - The form password parameter key.

setFormUsernameParameterKey

public void setFormUsernameParameterKey(String key)

Sets the form username parameter key.

Parameters:

key - The form username parameter key.

setSiteminderPasswordHeaderKey

public void setSiteminderPasswordHeaderKey(String key)

Sets the Siteminder password header key.

Parameters:

key - The Siteminder password header key.

setSiteminderUsernameHeaderKey

public void setSiteminderUsernameHeaderKey(String key)

Sets the Siteminder username header key.

Parameters:

key - The Siteminder username header key.