issue/6506: AuthenticationConverter implementation

Author: sbespalov

web/src/main/java/org/springframework/security/web/authentication/AuthenticationConverter.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.authentication;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+
+/**
+ * A strategy used for converting from a {@link HttpServletRequest} to an
+ * {@link Authentication} of particular type. Used to authenticate with
+ * appropriate {@link AuthenticationManager}. If the result is null, then it
+ * signals that no authentication attempt should be made. It is also possible to
+ * throw {@link AuthenticationException} within the
+ * {@link #convert(HttpServletRequest)} if there was invalid Authentication
+ * scheme value.
+ *
+ * @author Sergey Bespalov
+ * @since 5.2.0
+ */
+public interface AuthenticationConverter {
+
+	Authentication convert(HttpServletRequest request);
+
+}

web/src/main/java/org/springframework/security/web/authentication/AuthenticationEntryPointFailureHandler.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.authentication;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.util.Assert;
+
+/**
+ * Adapts a {@link AuthenticationEntryPoint} into a {@link AuthenticationFailureHandler}
+ *
+ * @author sbespalov
+ * @since 5.2.0
+ */
+public class AuthenticationEntryPointFailureHandler implements AuthenticationFailureHandler {
+
+	private final AuthenticationEntryPoint authenticationEntryPoint;
+
+	public AuthenticationEntryPointFailureHandler(AuthenticationEntryPoint authenticationEntryPoint) {
+		Assert.notNull(authenticationEntryPoint, "authenticationEntryPoint cannot be null");
+		this.authenticationEntryPoint = authenticationEntryPoint;
+	}
+
+	@Override
+	public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
+			AuthenticationException exception) throws IOException, ServletException {
+		this.authenticationEntryPoint.commence(request, response, exception);
+	}
+}

web/src/main/java/org/springframework/security/web/authentication/AuthenticationFilter.java

@@ -0,0 +1,186 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.authentication;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationManagerResolver;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.util.matcher.AnyRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.Assert;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+/**
+ * A {@link Filter} that performs authentication of a particular request. An
+ * outline of the logic:
+ *
+ * <ul>
+ * <li>A request comes in and if it does not match
+ * {@link #setRequestMatcher(RequestMatcher)}, then this filter does nothing and
+ * the {@link FilterChain} is continued. If it does match then...</li>
+ * <li>An attempt to convert the {@link HttpServletRequest} into an
+ * {@link Authentication} is made. If the result is empty, then the filter does
+ * nothing more and the {@link FilterChain} is continued. If it does create an
+ * {@link Authentication}...</li>
+ * <li>The {@link AuthenticationManager} specified in
+ * {@link #GenericAuthenticationFilter(AuthenticationManager)} is used to
+ * perform authentication.</li>
+ * <li>The {@link AuthenticationManagerResolver} specified in
+ * {@link #GenericAuthenticationFilter(AuthenticationManagerResolver)} is used
+ * to resolve the appropriate authentication manager from context to perform
+ * authentication.</li>
+ * <li>If authentication is successful, {@link AuthenticationSuccessHandler} is
+ * invoked and the authentication is set on {@link SecurityContextHolder}, else
+ * {@link AuthenticationFailureHandler} is invoked</li>
+ * </ul>
+ *
+ * @author Sergey Bespalov
+ * @since 5.2.0
+ */
+public class AuthenticationFilter extends OncePerRequestFilter {
+
+	private RequestMatcher requestMatcher = AnyRequestMatcher.INSTANCE;
+	private AuthenticationConverter authenticationConverter;
+	private AuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
+	private AuthenticationFailureHandler failureHandler = new AuthenticationEntryPointFailureHandler(
+			new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
+	private AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver;
+
+	public AuthenticationFilter(AuthenticationManager authenticationManager,
+			AuthenticationConverter authenticationConverter) {
+		this((AuthenticationManagerResolver<HttpServletRequest>) r -> authenticationManager, authenticationConverter);
+	}
+
+	public AuthenticationFilter(AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver,
+			AuthenticationConverter authenticationConverter) {
+		Assert.notNull(authenticationManagerResolver, "authenticationResolverManager cannot be null");
+		Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
+
+		this.authenticationManagerResolver = authenticationManagerResolver;
+		this.authenticationConverter = authenticationConverter;
+	}
+
+	public RequestMatcher getRequestMatcher() {
+		return requestMatcher;
+	}
+
+	public void setRequestMatcher(RequestMatcher requestMatcher) {
+		Assert.notNull(requestMatcher, "requestMatcher cannot be null");
+		this.requestMatcher = requestMatcher;
+	}
+
+	public AuthenticationConverter getAuthenticationConverter() {
+		return authenticationConverter;
+	}
+
+	public void setAuthenticationConverter(AuthenticationConverter authenticationConverter) {
+		Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
+		this.authenticationConverter = authenticationConverter;
+	}
+
+	public AuthenticationSuccessHandler getSuccessHandler() {
+		return successHandler;
+	}
+
+	public void setSuccessHandler(AuthenticationSuccessHandler successHandler) {
+		Assert.notNull(successHandler, "successHandler cannot be null");
+		this.successHandler = successHandler;
+	}
+
+	public AuthenticationFailureHandler getFailureHandler() {
+		return failureHandler;
+	}
+
+	public void setFailureHandler(AuthenticationFailureHandler failureHandler) {
+		Assert.notNull(failureHandler, "failureHandler cannot be null");
+		this.failureHandler = failureHandler;
+	}
+
+	public AuthenticationManagerResolver<HttpServletRequest> getAuthenticationManagerResolver() {
+		return authenticationManagerResolver;
+	}
+
+	public void setAuthenticationManagerResolver(
+			AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver) {
+		Assert.notNull(authenticationManagerResolver, "authenticationManagerResolver cannot be null");
+		this.authenticationManagerResolver = authenticationManagerResolver;
+	}
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+			throws ServletException, IOException {
+		if (!requestMatcher.matches(request)) {
+			filterChain.doFilter(request, response);
+			return;
+		}
+
+		try {
+			Authentication authenticationResult = attemptAuthentication(request, response);
+			if (authenticationResult == null) {
+				filterChain.doFilter(request, response);
+				return;
+			}
+
+			successfulAuthentication(request, response, filterChain, authenticationResult);
+		} catch (AuthenticationException e) {
+			unsuccessfulAuthentication(request, response, e);
+		}
+	}
+
+	private void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
+			AuthenticationException failed) throws IOException, ServletException {
+		SecurityContextHolder.clearContext();
+		failureHandler.onAuthenticationFailure(request, response, failed);
+	}
+
+	protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
+			Authentication authentication) throws IOException, ServletException {
+		SecurityContext context = SecurityContextHolder.createEmptyContext();
+		context.setAuthentication(authentication);
+		SecurityContextHolder.setContext(context);
+
+		successHandler.onAuthenticationSuccess(request, response, chain, authentication);
+	}
+
+	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
+			throws AuthenticationException, IOException, ServletException {
+		Authentication authentication = authenticationConverter.convert(request);
+		if (authentication == null) {
+			return null;
+		}
+
+		AuthenticationManager authenticationManager = authenticationManagerResolver.resolve(request);
+		Authentication authenticationResult = authenticationManager.authenticate(authentication);
+		if (authenticationResult == null) {
+			throw new ServletException("AuthenticationManager should not return null Authentication object.");
+		}
+
+		return authenticationResult;
+	}
+
+}

web/src/main/java/org/springframework/security/web/authentication/AuthenticationSuccessHandler.java

@@ -17,6 +17,7 @@
 
 import java.io.IOException;
 
+import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -38,6 +39,23 @@
  */
 public interface AuthenticationSuccessHandler {
 
+	/**
+	 * Called when a user has been successfully authenticated.
+	 *
+	 * @param request the request which caused the successful authentication
+	 * @param response the response
+	 * @param chain the {@link FilterChain} which can be used to proceed other filters in the chain
+	 * @param authentication the <tt>Authentication</tt> object which was created during
+	 * the authentication process.
+	 * @since 5.2.0
+	 */
+	default void onAuthenticationSuccess(HttpServletRequest request,
+			HttpServletResponse response, FilterChain chain, Authentication authentication)
+			throws IOException, ServletException{
+		onAuthenticationSuccess(request, response, authentication);
+		chain.doFilter(request, response);
+	}
+
 	/**
 	 * Called when a user has been successfully authenticated.
 	 *