org.springframework.security.ui.portlet

Class PortletProcessingInterceptor

java.lang.Object

org.springframework.security.ui.portlet.PortletProcessingInterceptor

All Implemented Interfaces:

org.springframework.beans.factory.InitializingBean, org.springframework.web.portlet.HandlerInterceptor

public class PortletProcessingInterceptor
extends java.lang.Object
implements org.springframework.web.portlet.HandlerInterceptor, org.springframework.beans.factory.InitializingBean

This interceptor is responsible for processing portlet authentication requests. This is the portlet equivalent of the AuthenticationProcessingFilter used for traditional servlet-based web applications. It is applied to both ActionRequests and RenderRequests alike. If authentication is successful, the resulting Authentication object will be placed into the SecurityContext, which is guaranteed to have already been created by an earlier interceptor. If authentication fails, the AuthenticationException will be placed into the APPLICATION_SCOPE of the PortletSession with the attribute defined by AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY.

Some portals do not properly provide the identity of the current user via the getRemoteUser() or getUserPrincipal() methods of the PortletRequest. In these cases they sometimes make it available in the USER_INFO map provided as one of the attributes of the request. If this is the case in your portal, you can specify a list of USER_INFO attributes to check for the username via the userNameAttributes property of this bean. You can also completely override the getPrincipalFromRequest(PortletRequest) and getCredentialsFromRequest(PortletRequest) methods to suit the particular behavior of your portal.

This interceptor will put the PortletRequest object into the details property of the Authentication object that is sent as a request to the AuthenticationManager. This is done so that the request is available to classes like ContainerPortletAuthoritiesPopulator that need access to information from the portlet container. The PortletAuthenticationProvider will replace this with the USER_INFO map in the resulting Authentication object.

Since:

2.0

Version:

$Id$

Author:

John A. Lewis

See Also:

AbstractProcessingFilter, AuthenticationProcessingFilter

Constructor Summary

Constructors

Constructor and Description
PortletProcessingInterceptor()

Method Summary

Methods

Modifier and Type	Method and Description
void	afterActionCompletion(javax.portlet.ActionRequest request, javax.portlet.ActionResponse response, java.lang.Object handler, java.lang.Exception ex)
void	afterEventCompletion(javax.portlet.EventRequest request, javax.portlet.EventResponse response, java.lang.Object handler, java.lang.Exception ex)
void	afterPropertiesSet()
void	afterRenderCompletion(javax.portlet.RenderRequest request, javax.portlet.RenderResponse response, java.lang.Object handler, java.lang.Exception ex)
void	afterResourceCompletion(javax.portlet.ResourceRequest request, javax.portlet.ResourceResponse response, java.lang.Object handler, java.lang.Exception ex)
protected java.lang.Object	getCredentialsFromRequest(javax.portlet.PortletRequest request) This method attempts to extract a credentials from the portlet request.
protected java.lang.Object	getPrincipalFromRequest(javax.portlet.PortletRequest request) This method attempts to extract a principal from the portlet request.
protected void	onPreAuthentication(javax.portlet.PortletRequest request, javax.portlet.PortletResponse response) Callback for custom processing prior to the authentication attempt.
protected void	onSuccessfulAuthentication(javax.portlet.PortletRequest request, javax.portlet.PortletResponse response, Authentication authResult) Callback for custom processing after a successful authentication attempt.
protected void	onUnsuccessfulAuthentication(javax.portlet.PortletRequest request, javax.portlet.PortletResponse response, AuthenticationException failed) Callback for custom processing after an unsuccessful authentication attempt.
void	postHandleRender(javax.portlet.RenderRequest request, javax.portlet.RenderResponse response, java.lang.Object handler, org.springframework.web.portlet.ModelAndView modelAndView)
void	postHandleResource(javax.portlet.ResourceRequest request, javax.portlet.ResourceResponse response, java.lang.Object handler, org.springframework.web.portlet.ModelAndView modelAndView)
boolean	preHandleAction(javax.portlet.ActionRequest request, javax.portlet.ActionResponse response, java.lang.Object handler)
boolean	preHandleEvent(javax.portlet.EventRequest request, javax.portlet.EventResponse response, java.lang.Object handler)
boolean	preHandleRender(javax.portlet.RenderRequest request, javax.portlet.RenderResponse response, java.lang.Object handler)
boolean	preHandleResource(javax.portlet.ResourceRequest request, javax.portlet.ResourceResponse response, java.lang.Object handler)
void	setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
void	setAuthenticationManager(AuthenticationManager authenticationManager)
void	setUseAuthTypeAsCredentials(boolean useAuthTypeAsCredentials) It true, the "authType" proerty of the PortletRequest will be used as the credentials.
void	setUserNameAttributes(java.util.List userNameAttributes)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

PortletProcessingInterceptor

public PortletProcessingInterceptor()

Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws java.lang.Exception

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Throws:

java.lang.Exception

preHandleAction

public boolean preHandleAction(javax.portlet.ActionRequest request,
                      javax.portlet.ActionResponse response,
                      java.lang.Object handler)
                        throws java.lang.Exception

Specified by:

preHandleAction in interface org.springframework.web.portlet.HandlerInterceptor

Throws:

java.lang.Exception

preHandleRender

public boolean preHandleRender(javax.portlet.RenderRequest request,
                      javax.portlet.RenderResponse response,
                      java.lang.Object handler)
                        throws java.lang.Exception

Specified by:

preHandleRender in interface org.springframework.web.portlet.HandlerInterceptor

Throws:

java.lang.Exception

postHandleRender

public void postHandleRender(javax.portlet.RenderRequest request,
                    javax.portlet.RenderResponse response,
                    java.lang.Object handler,
                    org.springframework.web.portlet.ModelAndView modelAndView)
                      throws java.lang.Exception

Specified by:

postHandleRender in interface org.springframework.web.portlet.HandlerInterceptor

Throws:

java.lang.Exception

afterActionCompletion

public void afterActionCompletion(javax.portlet.ActionRequest request,
                         javax.portlet.ActionResponse response,
                         java.lang.Object handler,
                         java.lang.Exception ex)
                           throws java.lang.Exception

Specified by:

afterActionCompletion in interface org.springframework.web.portlet.HandlerInterceptor

Throws:

java.lang.Exception

afterRenderCompletion

public void afterRenderCompletion(javax.portlet.RenderRequest request,
                         javax.portlet.RenderResponse response,
                         java.lang.Object handler,
                         java.lang.Exception ex)
                           throws java.lang.Exception

Specified by:

afterRenderCompletion in interface org.springframework.web.portlet.HandlerInterceptor

Throws:

java.lang.Exception

getPrincipalFromRequest

protected java.lang.Object getPrincipalFromRequest(javax.portlet.PortletRequest request)

This method attempts to extract a principal from the portlet request. According to the JSR 168 spec, the PortletRequest should return the name of the user in the getRemoteUser() method. It should also provide a java.security.Principal object from the getUserPrincipal() method. We will first try these to come up with a valid username.

Unfortunately, some portals do not properly return these values for authenticated users. So, if neither of those succeeds and if the userNameAttributes property has been populated, then we will search through the USER_INFO map from the request to see if we can find a valid username.

This method can be overridden by subclasses to provide special handling for portals with weak support for the JSR 168 spec.

Parameters:

request - the portlet request object

Returns:

the determined principal object, or null if none found

getCredentialsFromRequest

protected java.lang.Object getCredentialsFromRequest(javax.portlet.PortletRequest request)

This method attempts to extract a credentials from the portlet request. We are trusting the portal framework to authenticate the user, so all we are really doing is trying to put something intelligent in here to indicate the user is authenticated. According to the JSR 168 spec, PortletRequest.getAuthType() should return a non-null value if the user is authenticated and should be null if not authenticated. So we will use this as the credentials and the token will be trusted as authenticated if the credentials are not null.

This method can be overridden by subclasses to provide special handling for portals with weak support for the JSR 168 spec. If that is done, be sure the value is non-null for authenticated users and null for non-authenticated users.

Parameters:

request - the portlet request object

Returns:

the determined credentials object, or null if none found

onPreAuthentication

protected void onPreAuthentication(javax.portlet.PortletRequest request,
                       javax.portlet.PortletResponse response)
                            throws AuthenticationException,
                                   java.io.IOException

Callback for custom processing prior to the authentication attempt.

Parameters:

request - the portlet request to be authenticated

response - the portlet response to be authenticated

Throws:

AuthenticationException - to indicate that authentication attempt is not valid and should be terminated

java.io.IOException

onSuccessfulAuthentication

protected void onSuccessfulAuthentication(javax.portlet.PortletRequest request,
                              javax.portlet.PortletResponse response,
                              Authentication authResult)
                                   throws java.io.IOException

Callback for custom processing after a successful authentication attempt.

Parameters:

request - the portlet request that was authenticated

response - the portlet response that was authenticated

authResult - the resulting Authentication object

Throws:

java.io.IOException

onUnsuccessfulAuthentication

protected void onUnsuccessfulAuthentication(javax.portlet.PortletRequest request,
                                javax.portlet.PortletResponse response,
                                AuthenticationException failed)
                                     throws java.io.IOException

Callback for custom processing after an unsuccessful authentication attempt.

Parameters:

request - the portlet request that failed authentication

response - the portlet response that failed authentication

failed - the AuthenticationException that occurred

Throws:

java.io.IOException

setAuthenticationManager

public void setAuthenticationManager(AuthenticationManager authenticationManager)

setUserNameAttributes

public void setUserNameAttributes(java.util.List userNameAttributes)

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)

setUseAuthTypeAsCredentials

public void setUseAuthTypeAsCredentials(boolean useAuthTypeAsCredentials)

It true, the "authType" proerty of the PortletRequest will be used as the credentials. Defaults to false.

Parameters:

useAuthTypeAsCredentials -

afterEventCompletion

public void afterEventCompletion(javax.portlet.EventRequest request,
                        javax.portlet.EventResponse response,
                        java.lang.Object handler,
                        java.lang.Exception ex)
                          throws java.lang.Exception

Specified by:

afterEventCompletion in interface org.springframework.web.portlet.HandlerInterceptor

Throws:

java.lang.Exception

preHandleEvent

public boolean preHandleEvent(javax.portlet.EventRequest request,
                     javax.portlet.EventResponse response,
                     java.lang.Object handler)
                       throws java.lang.Exception

Specified by:

preHandleEvent in interface org.springframework.web.portlet.HandlerInterceptor

Throws:

java.lang.Exception

afterResourceCompletion

public void afterResourceCompletion(javax.portlet.ResourceRequest request,
                           javax.portlet.ResourceResponse response,
                           java.lang.Object handler,
                           java.lang.Exception ex)
                             throws java.lang.Exception

Specified by:

afterResourceCompletion in interface org.springframework.web.portlet.HandlerInterceptor

Throws:

java.lang.Exception

postHandleResource

public void postHandleResource(javax.portlet.ResourceRequest request,
                      javax.portlet.ResourceResponse response,
                      java.lang.Object handler,
                      org.springframework.web.portlet.ModelAndView modelAndView)
                        throws java.lang.Exception

Specified by:

postHandleResource in interface org.springframework.web.portlet.HandlerInterceptor

Throws:

java.lang.Exception

preHandleResource

public boolean preHandleResource(javax.portlet.ResourceRequest request,
                        javax.portlet.ResourceResponse response,
                        java.lang.Object handler)
                          throws java.lang.Exception

Specified by:

preHandleResource in interface org.springframework.web.portlet.HandlerInterceptor

Throws:

java.lang.Exception