Add Generic AuthenticationFilter #7025
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
|
@rwinch can you please have a look at this PR? |
There was a problem hiding this comment.
Thanks for the PR @sbespalov!
I have added comments inline. Please also
- add
@sinceto each new class, interface, method - add tests for the changes
cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java
Outdated
Show resolved
Hide resolved
...c/main/java/org/springframework/security/web/authentication/www/AuthenticationConverter.java
Outdated
Show resolved
Hide resolved
...n/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java
Outdated
Show resolved
Hide resolved
...n/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java
Outdated
Show resolved
Hide resolved
...n/java/org/springframework/security/web/authentication/www/AuthenticationTokenConverter.java
Outdated
Show resolved
Hide resolved
...in/java/org/springframework/security/web/authentication/www/GenericAuthenticationFilter.java
Outdated
Show resolved
Hide resolved
rwinch
added
status: waiting-for-feedback
rwinch
added
in: web
rwinch
changed the title
|
@rwinch thanks for review requested changes done
done
done |
spring-projects-issues
added
status: feedback-provided
...in/java/org/springframework/security/web/authentication/www/GenericAuthenticationFilter.java
Outdated
Show resolved
Hide resolved
...in/java/org/springframework/security/web/authentication/www/GenericAuthenticationFilter.java
Outdated
Show resolved
Hide resolved
...in/java/org/springframework/security/web/authentication/www/GenericAuthenticationFilter.java
Outdated
Show resolved
Hide resolved
...in/java/org/springframework/security/web/authentication/www/GenericAuthenticationFilter.java
Outdated
Show resolved
Hide resolved
...in/java/org/springframework/security/web/authentication/www/GenericAuthenticationFilter.java
Outdated
Show resolved
Hide resolved
...in/java/org/springframework/security/web/authentication/www/GenericAuthenticationFilter.java
Outdated
Show resolved
Hide resolved
|
@rwinch thanks for fast review, requested changes done |
.../main/java/org/springframework/security/web/authentication/AuthenticationSuccessHandler.java
Show resolved
Hide resolved
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.springframework.security.web.authentication.www; |
There was a problem hiding this comment.
Since this is generic, the package should not be in the www package. It should be moved up a package.
| * @author Sergey Bespalov | ||
| * @since 5.2.0 | ||
| */ | ||
| public class GenericAuthenticationFilter extends OncePerRequestFilter { |
There was a problem hiding this comment.
Please rename to AuthenticationFilter
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.springframework.security.web.authentication.www; |
There was a problem hiding this comment.
Since this is generic, the package should not be in the www package. It should be moved up a package
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.springframework.security.web.authentication.www; |
There was a problem hiding this comment.
Since this is generic, the package should not be in the www package. It should be moved up a package
| public class GenericAuthenticationFilter extends OncePerRequestFilter { | ||
|
|
||
| private RequestMatcher requestMatcher = AnyRequestMatcher.INSTANCE; | ||
| private AuthenticationConverter authenticationConverter = new BasicAuthenticationConverter(); |
There was a problem hiding this comment.
Since this will be moved up a package, we cannot use BasicAuthenticationConverter in this class otherwise we will have package tangles.
A few solutions that we could use:
- Add a new converter named FormLoginAuthenticationConverter in org.springframework.security.web.authentication that is the default value. This is my preferred approach. If we do this, then UsernamePasswordAuthenticationFilter would use FormLoginAuthenticationConverter.
- Require AuthenticationConverter to be injected. While this solution is a smaller change, I don't like that the user is required to inject the converter when we could reasonably default it.
There was a problem hiding this comment.
done with option 2.
For not to make this PR grows too much I can create a follow-up issue to provide FormLoginAuthenticationConverter as default.
| private RequestMatcher requestMatcher = AnyRequestMatcher.INSTANCE; | ||
| private AuthenticationConverter authenticationConverter = new BasicAuthenticationConverter(); | ||
| private AuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler(); | ||
| private AuthenticationFailureHandler failureHandler = new AuthenticationEntryPointFailureHandler( |
There was a problem hiding this comment.
Since this will be moved up a package, we cannot use BasicAuthenticationEntryPoint in this class otherwise we will have package tangles.
A few solutions that we could use:
- Use HttpStatusEntryPoint or LoginUrlAuthenticationEntryPoint. I think that the HttpStatusEntryPoint makes more sense since we don't know if there is anything in the app to handle the URL, but I am open to discussion on this.
- Require AuthenticationFailureHandler to be injected. While this solution is a smaller change, I don't like that the user is required to inject the converter when we could reasonably default it.
There was a problem hiding this comment.
done with HttpStatusEntryPoint as default.
sbespalov
force-pushed
the
issue/6506
branch
2 times, most recently
from
dd5f83f to
e32cc90
Compare
|
@rwinch packages fixed as you requested. |
rwinch
added
status: duplicate
|
Thanks @sbespalov! This is now merged into master |
This reverts to the old behavior from BasicAuthenticationFilter. Specifically, if a token has an empty password, it still parses a username and an empty String password. Issue gh-7025
This reverts to the old behavior from BasicAuthenticationFilter. Specifically, if a token has an empty password, it still parses a username and an empty String password. Issue spring-projectsgh-7025
|
Hi! When could we expect this to be released and in what version? |
|
@carlspring thanks for asking. You can see on the right-hand side of the description a section called "Milestones". This ticket was resolved for the 5.2.0.M4 milestone, so it's available there and later versions beyond that. The next GA version is 5.2.0, and you can follow the release date via the Milestones page. |
|
Thanks for confirming! |
Fixes #6506
This PR contains
AuthenticationWebFilterconcept implementation for regular Spring Security Filter Chain:AuthenticationConverterinterface (aligned toServerAuthenticationConverter)GenericAuthenticationFilterimplementation (aligned toAuthenticationWebFilter)BasicAuthenticationConverterimplementation (aligned toServerHttpBasicAuthenticationConverter)@rwinch the
AbstractAuthenticationProcessingFilter.requiresAuthentication()method modified here to throw exceptions because these exceptions declared forAbstractAuthenticationProcessingFilter.unsuccessfulAuthenticationmethod, which need to be called withinGenericAuthenticationFilter.requiresAuthenticationin case ofAuthenticationConverter.convertdecides to throw theAuthenticationException. So this seems necessary to have this change.