/*
* Copyright 2010-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.jaasapi;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.core.log.LogMessage;
import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;
/**
 * <p>
 * A <code>Filter</code> which attempts to obtain a JAAS <code>Subject</code> and continue
 * the <code>FilterChain</code> running as that <code>Subject</code>.
 * </p>
 * <p>
 * By using this <code>Filter</code> in conjunction with Spring's
 * <code>JaasAuthenticationProvider</code>, both Spring's <code>SecurityContext</code> and
 * a JAAS <code>Subject</code> can be populated simultaneously. This is useful when
 * integrating with code that requires a JAAS <code>Subject</code> to be populated.
 * </p>
 *
 * @author Rob Winch
 * @see #doFilter(ServletRequest, ServletResponse, FilterChain)
 * @see #obtainSubject(ServletRequest)
 */
public class JaasApiIntegrationFilter extends GenericFilterBean {
// When true, doFilter substitutes a new, empty Subject whenever
// obtainSubject(request) returns null, so the chain still runs inside
// Subject.doAs. When false, a null Subject means the chain is invoked directly.
// There is no initializer here, so the value is false unless it is set
// elsewhere in the class (not visible in this part of the file).
private boolean createEmptySubject;
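/**
 * <p>
 * Attempts to obtain and run as a JAAS <code>Subject</code> using
 * {@link #obtainSubject(ServletRequest)}.
 * </p>
 *
 * <p>
 * If the <code>Subject</code> is <code>null</code> and <code>createEmptySubject</code> is
 * <code>true</code>, an empty, writeable <code>Subject</code> is used. This allows
 * for the <code>Subject</code> to be populated at the time of login. If the
 * <code>Subject</code> is still <code>null</code> (that is, <code>createEmptySubject</code>
 * is <code>false</code>), the <code>FilterChain</code> continues with no additional
 * processing. If the <code>Subject</code> is not <code>null</code>, the
 * <code>FilterChain</code> is run with
 * {@link Subject#doAs(Subject, PrivilegedExceptionAction)} in conjunction with the
 * <code>Subject</code> obtained.
 * </p>
 */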
@Override
public final void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws ServletException, IOException {
Subject subject = obtainSubject(request);
if (subject == null && this.createEmptySubject) {
this.logger.debug("Subject returned was null and createEmtpySubject is true; "
+ "creating new empty subject to run as.");
subject = new Subject();
}
if (subject == null) {
this.logger.debug("Subject is null continue running with no Subject.");
chain.doFilter(request, response);
return;
}
this.logger.debug(LogMessage.format("Running as Subject %s", subject));
try {
Subject.doAs(subject, (PrivilegedExceptionAction