public class BasicHttpAuthenticationFilter extends AuthenticatingFilter

An authentication filter that checks if the user is authenticated for the request to continue, and if they're not, requires the user to login via the HTTP Basic protocol-specific challenge. Upon successful login, they're allowed to continue on to the requested resource/url.

This implementation is a 'clean room' Java implementation of the Basic HTTP Authentication specification per RFC 2617.

Basic authentication functions as follows:

1. A request comes in for a resource that requires authentication.
2. The server replies with a 401 (Unauthorized) response status, sets the WWW-Authenticate header, and the contents of a page informing the user that the incoming resource requires authentication.
3. Upon receiving this WWW-Authenticate challenge from the server, the client then takes a username and a password and puts them in the following format: username:password
4. This token is then Base64 encoded.
5. The client then sends another request for the same resource with the following header: Authorization: Basic Base64_encoded_username_and_password

The onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse) method will only be called if the subject making the request is not authenticated.
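One round trip of the exchange described above, as an added example that is not Shiro's own code: it builds the WWW-Authenticate challenge the way sendChallenge() does, encodes the client's credentials, and parses them back the way the two getPrincipalsAndCredentials methods documented further down do. The class name, the split limit of 2, the null-on-malformed-input behaviour and the sample credentials are this example's own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration (not Shiro's code) of one HTTP Basic round trip as the class
// description lays it out: challenge, client encoding, server-side parsing.
public class BasicAuthRoundTrip {
    static final String AUTHENTICATE_HEADER = "WWW-Authenticate";
    static final String AUTHORIZATION_HEADER = "Authorization";
    static final String SCHEME = "Basic"; // the filter's default authcScheme / authzScheme
    // Step 2, server: the header value sendChallenge() sets alongside the 401 status.
    static String challengeHeader(String applicationName) {
        return SCHEME + " realm=\"" + applicationName + "\"";
    }
    // Steps 3-5, client: "username:password", Base64 encoded, placed after the scheme.
    static String authorizationHeader(String username, String password) {
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return SCHEME + " " + Base64.getEncoder().encodeToString(raw);
    }
    // Server: the case-insensitive prefix test that isLoginAttempt(String) performs.
    static boolean isLoginAttempt(String authzHeader) {
        return authzHeader != null
                && authzHeader.toLowerCase().startsWith(SCHEME.toLowerCase());
    }
    // Server: split on ' ' (getPrincipalsAndCredentials(header, request)), then Base64
    // decode and split on ':' (getPrincipalsAndCredentials(scheme, encoded)).
    // Assumption of this example: split(":", 2) keeps a password containing ':' intact
    // (RFC 2617 forbids ':' only in the user-id); malformed input yields null.
    static String[] principalsAndCredentials(String authzHeader) {
        String[] parts = authzHeader.split(" ", 2);
        if (parts.length != 2) return null;              // no encoded part after the scheme
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return null;                                 // not valid Base64
        }
        String[] creds = new String(decoded, StandardCharsets.UTF_8).split(":", 2);
        return creds.length == 2 ? creds : null;         // no ':' separator present
    }
    public static void main(String[] args) {
        System.out.println(AUTHENTICATE_HEADER + ": " + challengeHeader("Awesome Webapp"));
        String header = authorizationHeader("alice", "se:cret"); // constructed sample
        System.out.println(AUTHORIZATION_HEADER + ": " + header);
        String[] creds = isLoginAttempt(header) ? principalsAndCredentials(header) : null;
        System.out.println(creds == null ? "rejected" : "user=" + creds[0] + " password=" + creds[1]);
    }
}
```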
Field Summary

Modifier and Type | Field and Description
---|---
protected static String | AUTHENTICATE_HEADER: HTTP Authentication header, equal to WWW-Authenticate
protected static String | AUTHORIZATION_HEADER: HTTP Authorization header, equal to Authorization

Fields inherited from class AuthenticatingFilter: PERMISSIVE
Fields inherited from class AuthenticationFilter: DEFAULT_SUCCESS_URL
Fields inherited from class AccessControlFilter: DEFAULT_LOGIN_URL, GET_METHOD, POST_METHOD
Fields inherited from class PathMatchingFilter: appliedPaths, pathMatcher
Fields inherited from class OncePerRequestFilter: ALREADY_FILTERED_SUFFIX
Fields inherited from class AbstractFilter: filterConfig
Constructor Summary

Constructor and Description
---
BasicHttpAuthenticationFilter()
Method Summary

Modifier and Type | Method and Description
---|---
protected AuthenticationToken | createToken(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response): Creates an AuthenticationToken for use during a login attempt with the credentials provided in the HTTP header.
String | getApplicationName(): Returns the name to use in the ServletResponse's WWW-Authenticate header.
String | getAuthcScheme(): Returns the HTTP WWW-Authenticate header scheme that this filter will use when sending the HTTP Basic challenge response.
protected String | getAuthzHeader(javax.servlet.ServletRequest request): Returns the AUTHORIZATION_HEADER from the specified ServletRequest.
String | getAuthzScheme(): Returns the HTTP Authorization header value that this filter will respond to as indicating a login request.
protected String[] | getPrincipalsAndCredentials(String authorizationHeader, javax.servlet.ServletRequest request): Returns the username obtained from the authorizationHeader.
protected String[] | getPrincipalsAndCredentials(String scheme, String encoded): Returns the username and password pair based on the specified encoded String obtained from the request's authorization header.
protected boolean | isAccessAllowed(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, Object mappedValue): The Basic authentication filter can be configured with a list of HTTP methods to which it should apply.
protected boolean | isLoginAttempt(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response): Determines whether the incoming request is an attempt to log in.
protected boolean | isLoginAttempt(String authzHeader): Default implementation that returns true if the specified authzHeader starts with the same (case-insensitive) characters specified by the authzScheme, false otherwise.
protected boolean | isLoginRequest(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response): Delegates to isLoginAttempt.
protected boolean | onAccessDenied(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response): Processes unauthenticated requests.
protected boolean | sendChallenge(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response): Builds the challenge for authorization by setting an HTTP 401 (Unauthorized) status as well as the response's AUTHENTICATE_HEADER.
void | setApplicationName(String applicationName): Sets the name to use in the ServletResponse's WWW-Authenticate header.
void | setAuthcScheme(String authcScheme): Sets the HTTP WWW-Authenticate header scheme that this filter will use when sending the HTTP Basic challenge response.
void | setAuthzScheme(String authzScheme): Sets the HTTP Authorization header value that this filter will respond to as indicating a login request.

Methods inherited from class AuthenticatingFilter: cleanup, createToken, createToken, executeLogin, getHost, isPermissive, isRememberMe, onLoginFailure, onLoginSuccess
Methods inherited from class AuthenticationFilter: getSuccessUrl, issueSuccessRedirect, setSuccessUrl
Methods inherited from class AccessControlFilter: getLoginUrl, getSubject, onAccessDenied, onPreHandle, redirectToLogin, saveRequest, saveRequestAndRedirectToLogin, setLoginUrl
Methods inherited from class PathMatchingFilter: getPathWithinApplication, isEnabled, pathsMatch, pathsMatch, preHandle, processPathConfig
Methods inherited from class AdviceFilter: afterCompletion, doFilterInternal, executeChain, postHandle
Methods inherited from class OncePerRequestFilter: doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter
Methods inherited from class NameableFilter: getName, setName, toStringBuilder
Methods inherited from class AbstractFilter: destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
Methods inherited from class ServletContextSupport: getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
Field Detail

protected static final String AUTHORIZATION_HEADER
HTTP Authorization header, equal to Authorization

protected static final String AUTHENTICATE_HEADER
HTTP Authentication header, equal to WWW-Authenticate

Constructor Detail

public BasicHttpAuthenticationFilter()
Method Detail

public String getApplicationName()
Returns the name to use in the ServletResponse's WWW-Authenticate header.
Per RFC 2617, this name is displayed to the end user when they are asked to authenticate. Unless overridden by the setApplicationName(String) method, the default value is 'application'.
Please see setApplicationName(String) for an example of how this functions.

public void setApplicationName(String applicationName)
Sets the name to use in the ServletResponse's WWW-Authenticate header.
Per RFC 2617, this name is displayed to the end user when they are asked to authenticate. Unless overridden by this method, the default value is "application".
For example, setting this property to the value Awesome Webapp will result in the following header:

    WWW-Authenticate: Basic realm="Awesome Webapp"

Side note: As you can see from the header text, the HTTP Basic specification calls this the authentication 'realm', but we call this the 'applicationName' instead to avoid confusion with Shiro's Realm constructs.
Parameters:
applicationName - the name to use in the ServletResponse's 'WWW-Authenticate' header.

public String getAuthzScheme()
Returns the HTTP Authorization header value that this filter will respond to as indicating a login request.
Unless overridden by the setAuthzScheme(String) method, the default value is BASIC.

public void setAuthzScheme(String authzScheme)
Sets the HTTP Authorization header value that this filter will respond to as indicating a login request.
Unless overridden by this method, the default value is BASIC.
Parameters:
authzScheme - the HTTP Authorization header value that this filter will respond to as indicating a login request.

public String getAuthcScheme()
Returns the HTTP WWW-Authenticate header scheme that this filter will use when sending the HTTP Basic challenge response. The default value is BASIC.
Returns:
the HTTP WWW-Authenticate header scheme that this filter will use when sending the HTTP Basic challenge response.
See Also:
sendChallenge(javax.servlet.ServletRequest, javax.servlet.ServletResponse)

public void setAuthcScheme(String authcScheme)
Sets the HTTP WWW-Authenticate header scheme that this filter will use when sending the HTTP Basic challenge response. The default value is BASIC.
Parameters:
authcScheme - the HTTP WWW-Authenticate header scheme that this filter will use when sending the HTTP Basic challenge response.
See Also:
sendChallenge(javax.servlet.ServletRequest, javax.servlet.ServletResponse)

protected boolean isAccessAllowed(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, Object mappedValue)
The Basic authentication filter can be configured with a list of HTTP methods to which it should apply. For example, given the configuration:

    [urls]
    /basic/** = authcBasic[POST,PUT,DELETE]

then a GET request would not require authentication but a POST would.
Overrides:
isAccessAllowed in class AuthenticatingFilter
Parameters:
request - The current HTTP servlet request.
response - The current HTTP servlet response.
mappedValue - The array of configured HTTP methods as strings. This is empty if no methods are configured.
Returns:
true if request should be allowed access

protected boolean onAccessDenied(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response) throws Exception
Processes unauthenticated requests.
Overrides:
onAccessDenied in class AccessControlFilter
Parameters:
request - incoming ServletRequest
response - outgoing ServletResponse
Throws:
Exception - if there is an error processing the request.

protected boolean isLoginAttempt(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
Determines whether the incoming request is an attempt to log in.
The default implementation obtains the value of the request's AUTHORIZATION_HEADER, and if it is not null, delegates to isLoginAttempt(authzHeaderValue). If the header is null, false is returned.
Parameters:
request - incoming ServletRequest
response - outgoing ServletResponse

protected final boolean isLoginRequest(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
Delegates to isLoginAttempt.
Overrides:
isLoginRequest in class AccessControlFilter
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns:
true if the incoming request is a login request, false otherwise.

protected String getAuthzHeader(javax.servlet.ServletRequest request)
Returns the AUTHORIZATION_HEADER from the specified ServletRequest.
This implementation merely casts the request to an HttpServletRequest and returns the header:

    HttpServletRequest httpRequest = toHttp(request);
    return httpRequest.getHeader(AUTHORIZATION_HEADER);

Parameters:
request - the incoming ServletRequest
Returns:
the Authorization header's value.

protected boolean isLoginAttempt(String authzHeader)
Default implementation that returns true if the specified authzHeader starts with the same (case-insensitive) characters specified by the authzScheme, false otherwise.
That is:

    String authzScheme = getAuthzScheme().toLowerCase();
    return authzHeader.toLowerCase().startsWith(authzScheme);

Parameters:
authzHeader - the 'Authorization' header value (guaranteed to be non-null if the isLoginAttempt(javax.servlet.ServletRequest, javax.servlet.ServletResponse) method is not overridden).
Returns:
true if the authzHeader value matches that configured as defined by the authzScheme.

protected boolean sendChallenge(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
Builds the challenge for authorization by setting an HTTP 401 (Unauthorized) status as well as the response's AUTHENTICATE_HEADER.
The header value constructed is equal to:

    getAuthcScheme() + " realm=\"" + getApplicationName() + "\"";

Parameters:
request - incoming ServletRequest, ignored by this implementation
response - outgoing ServletResponse

protected AuthenticationToken createToken(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
Creates an AuthenticationToken for use during a login attempt with the credentials provided in the HTTP header.
This implementation:
1. acquires the username and password from the request's authorization header via the getPrincipalsAndCredentials method
2. converts the return value of that method to an AuthenticationToken via the createToken method
3. returns the created AuthenticationToken
Overrides:
createToken in class AuthenticatingFilter
Parameters:
request - incoming ServletRequest
response - outgoing ServletResponse

protected String[] getPrincipalsAndCredentials(String authorizationHeader, javax.servlet.ServletRequest request)
Returns the username obtained from the authorizationHeader.
Once the authzHeader is split per the RFC (based on the space character ' '), the resulting split tokens are translated into the username/password pair by the getPrincipalsAndCredentials(scheme,encoded) method.
Parameters:
authorizationHeader - the authorization header obtained from the request.
request - the incoming ServletRequest
See Also:
getAuthzHeader(javax.servlet.ServletRequest)

protected String[] getPrincipalsAndCredentials(String scheme, String encoded)
Returns the username and password pair based on the specified encoded String obtained from the request's authorization header.
Per RFC 2617, the default implementation first Base64 decodes the string and then splits the resulting decoded string into two based on the ":" character. That is:

    String decoded = Base64.decodeToString(encoded);
    return decoded.split(":");

Parameters:
scheme - the authcScheme found in the request authzHeader. It is ignored by this implementation, but available to overriding implementations should they find it useful.
encoded - the Base64-encoded username:password value found after the scheme in the header

Copyright © 2004–2019 The Apache Software Foundation. All rights reserved.