org.springframework.security.ui.portlet
Class PortletProcessingInterceptor

java.lang.Object
  extended by org.springframework.security.ui.portlet.PortletProcessingInterceptor
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, org.springframework.web.portlet.HandlerInterceptor

public class PortletProcessingInterceptor
extends java.lang.Object
implements org.springframework.web.portlet.HandlerInterceptor, org.springframework.beans.factory.InitializingBean

This interceptor is responsible for processing portlet authentication requests. This is the portlet equivalent of the AuthenticationProcessingFilter used for traditional servlet-based web applications. It is applied to both ActionRequests and RenderRequests alike. If authentication is successful, the resulting Authentication object will be placed into the SecurityContext, which is guaranteed to have already been created by an earlier interceptor. If authentication fails, the AuthenticationException will be placed into the APPLICATION_SCOPE of the PortletSession with the attribute defined by AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY.

Some portals do not properly provide the identity of the current user via the getRemoteUser() or getUserPrincipal() methods of the PortletRequest. In these cases they sometimes make it available in the USER_INFO map provided as one of the attributes of the request. If this is the case in your portal, you can specify a list of USER_INFO attributes to check for the username via the userNameAttributes property of this bean. You can also completely override the getPrincipalFromRequest(PortletRequest) and getCredentialsFromRequest(PortletRequest) methods to suit the particular behavior of your portal.

This interceptor will put the PortletRequest object into the details property of the Authentication object that is sent as a request to the AuthenticationManager. This is done so that the request is available to classes like ContainerPortletAuthoritiesPopulator that need access to information from the portlet container. The PortletAuthenticationProvider will replace this with the USER_INFO map in the resulting Authentication object.

Since:
2.0
Version:
$Id$
Author:
John A. Lewis
See Also:
AbstractProcessingFilter, AuthenticationProcessingFilter

Constructor Summary
PortletProcessingInterceptor()
           
 
Method Summary
 void afterActionCompletion(javax.portlet.ActionRequest request, javax.portlet.ActionResponse response, java.lang.Object handler, java.lang.Exception ex)
           
 void afterEventCompletion(javax.portlet.EventRequest request, javax.portlet.EventResponse response, java.lang.Object handler, java.lang.Exception ex)
           
 void afterPropertiesSet()
           
 void afterRenderCompletion(javax.portlet.RenderRequest request, javax.portlet.RenderResponse response, java.lang.Object handler, java.lang.Exception ex)
           
 void afterResourceCompletion(javax.portlet.ResourceRequest request, javax.portlet.ResourceResponse response, java.lang.Object handler, java.lang.Exception ex)
           
protected  java.lang.Object getCredentialsFromRequest(javax.portlet.PortletRequest request)
          This method attempts to extract credentials from the portlet request.
protected  java.lang.Object getPrincipalFromRequest(javax.portlet.PortletRequest request)
          This method attempts to extract a principal from the portlet request.
protected  void onPreAuthentication(javax.portlet.PortletRequest request, javax.portlet.PortletResponse response)
          Callback for custom processing prior to the authentication attempt.
protected  void onSuccessfulAuthentication(javax.portlet.PortletRequest request, javax.portlet.PortletResponse response, Authentication authResult)
          Callback for custom processing after a successful authentication attempt.
protected  void onUnsuccessfulAuthentication(javax.portlet.PortletRequest request, javax.portlet.PortletResponse response, AuthenticationException failed)
          Callback for custom processing after an unsuccessful authentication attempt.
 void postHandleRender(javax.portlet.RenderRequest request, javax.portlet.RenderResponse response, java.lang.Object handler, org.springframework.web.portlet.ModelAndView modelAndView)
           
 void postHandleResource(javax.portlet.ResourceRequest request, javax.portlet.ResourceResponse response, java.lang.Object handler, org.springframework.web.portlet.ModelAndView modelAndView)
           
 boolean preHandleAction(javax.portlet.ActionRequest request, javax.portlet.ActionResponse response, java.lang.Object handler)
           
 boolean preHandleEvent(javax.portlet.EventRequest request, javax.portlet.EventResponse response, java.lang.Object handler)
           
 boolean preHandleRender(javax.portlet.RenderRequest request, javax.portlet.RenderResponse response, java.lang.Object handler)
           
 boolean preHandleResource(javax.portlet.ResourceRequest request, javax.portlet.ResourceResponse response, java.lang.Object handler)
           
 void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
           
 void setAuthenticationManager(AuthenticationManager authenticationManager)
           
 void setUseAuthTypeAsCredentials(boolean useAuthTypeAsCredentials)
          If true, the "authType" property of the PortletRequest will be used as the credentials.
 void setUserNameAttributes(java.util.List userNameAttributes)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PortletProcessingInterceptor

public PortletProcessingInterceptor()
Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws java.lang.Exception
Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Throws:
java.lang.Exception

preHandleAction

public boolean preHandleAction(javax.portlet.ActionRequest request,
                               javax.portlet.ActionResponse response,
                               java.lang.Object handler)
                        throws java.lang.Exception
Specified by:
preHandleAction in interface org.springframework.web.portlet.HandlerInterceptor
Throws:
java.lang.Exception

preHandleRender

public boolean preHandleRender(javax.portlet.RenderRequest request,
                               javax.portlet.RenderResponse response,
                               java.lang.Object handler)
                        throws java.lang.Exception
Specified by:
preHandleRender in interface org.springframework.web.portlet.HandlerInterceptor
Throws:
java.lang.Exception

postHandleRender

public void postHandleRender(javax.portlet.RenderRequest request,
                             javax.portlet.RenderResponse response,
                             java.lang.Object handler,
                             org.springframework.web.portlet.ModelAndView modelAndView)
                      throws java.lang.Exception
Specified by:
postHandleRender in interface org.springframework.web.portlet.HandlerInterceptor
Throws:
java.lang.Exception

afterActionCompletion

public void afterActionCompletion(javax.portlet.ActionRequest request,
                                  javax.portlet.ActionResponse response,
                                  java.lang.Object handler,
                                  java.lang.Exception ex)
                           throws java.lang.Exception
Specified by:
afterActionCompletion in interface org.springframework.web.portlet.HandlerInterceptor
Throws:
java.lang.Exception

afterRenderCompletion

public void afterRenderCompletion(javax.portlet.RenderRequest request,
                                  javax.portlet.RenderResponse response,
                                  java.lang.Object handler,
                                  java.lang.Exception ex)
                           throws java.lang.Exception
Specified by:
afterRenderCompletion in interface org.springframework.web.portlet.HandlerInterceptor
Throws:
java.lang.Exception

getPrincipalFromRequest

protected java.lang.Object getPrincipalFromRequest(javax.portlet.PortletRequest request)
This method attempts to extract a principal from the portlet request. According to the JSR 168 spec, the PortletRequest should return the name of the user in the getRemoteUser() method. It should also provide a java.security.Principal object from the getUserPrincipal() method. We will first try these to come up with a valid username.

Unfortunately, some portals do not properly return these values for authenticated users. So, if neither of those succeeds and if the userNameAttributes property has been populated, then we will search through the USER_INFO map from the request to see if we can find a valid username.

This method can be overridden by subclasses to provide special handling for portals with weak support for the JSR 168 spec.

Parameters:
request - the portlet request object
Returns:
the determined principal object, or null if none found

getCredentialsFromRequest

protected java.lang.Object getCredentialsFromRequest(javax.portlet.PortletRequest request)
This method attempts to extract credentials from the portlet request. We are trusting the portal framework to authenticate the user, so all we are really doing is trying to put something intelligent in here to indicate the user is authenticated. According to the JSR 168 spec, PortletRequest.getAuthType() should return a non-null value if the user is authenticated and should be null if not authenticated. So we will use this as the credentials and the token will be trusted as authenticated if the credentials are not null.

This method can be overridden by subclasses to provide special handling for portals with weak support for the JSR 168 spec. If that is done, be sure the value is non-null for authenticated users and null for non-authenticated users.

Parameters:
request - the portlet request object
Returns:
the determined credentials object, or null if none found
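
A subclass that overrides both extraction methods for a portal that leaves getRemoteUser(), getUserPrincipal() and getAuthType() unset, while keeping the null/non-null contract described above. This is an added example, not code from Spring Security; the package, the class name, the "user.login.id" USER_INFO key and the PORTAL_AUTHENTICATED marker are assumptions.

```java
package example.portal; // hypothetical package name

import java.security.Principal;
import java.util.Map;
import javax.portlet.PortletRequest;
import org.springframework.security.ui.portlet.PortletProcessingInterceptor;

public class StrictPortletProcessingInterceptor extends PortletProcessingInterceptor {

    // Assumption: the portal publishes the login name under this USER_INFO key.
    private static final String LOGIN_ATTRIBUTE = "user.login.id";
    // Assumption: arbitrary non-null marker used when the portal leaves authType unset.
    private static final String PORTAL_AUTHENTICATED = "PORTAL_AUTHENTICATED";

    @Override
    protected Object getPrincipalFromRequest(PortletRequest request) {
        // 1. Identity supplied by the container, as the spec expects.
        String name = normalize(request.getRemoteUser());
        if (name != null) {
            return name;
        }
        Principal principal = request.getUserPrincipal();
        if (principal != null && normalize(principal.getName()) != null) {
            return normalize(principal.getName());
        }
        // 2. Fallback: the USER_INFO map, accepted only if it holds a non-blank String.
        Object userInfo = request.getAttribute(PortletRequest.USER_INFO);
        if (userInfo instanceof Map) {
            Object value = ((Map<?, ?>) userInfo).get(LOGIN_ATTRIBUTE);
            if (value instanceof String) {
                return normalize((String) value);
            }
        }
        return null; // no identity: the request stays unauthenticated
    }

    @Override
    protected Object getCredentialsFromRequest(PortletRequest request) {
        // Contract: non-null for authenticated users, null otherwise.
        String authType = request.getAuthType();
        if (authType != null) {
            return authType;
        }
        return getPrincipalFromRequest(request) != null ? PORTAL_AUTHENTICATED : null;
    }

    // Treats null, empty and whitespace-only values as "no user".
    private static String normalize(String value) {
        if (value == null) return null;
        String trimmed = value.trim();
        return trimmed.isEmpty() ? null : trimmed;
    }
}
```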

onPreAuthentication

protected void onPreAuthentication(javax.portlet.PortletRequest request,
                                   javax.portlet.PortletResponse response)
                            throws AuthenticationException,
                                   java.io.IOException
Callback for custom processing prior to the authentication attempt.

Parameters:
request - the portlet request to be authenticated
response - the portlet response to be authenticated
Throws:
AuthenticationException - to indicate that authentication attempt is not valid and should be terminated
java.io.IOException

onSuccessfulAuthentication

protected void onSuccessfulAuthentication(javax.portlet.PortletRequest request,
                                          javax.portlet.PortletResponse response,
                                          Authentication authResult)
                                   throws java.io.IOException
Callback for custom processing after a successful authentication attempt.

Parameters:
request - the portlet request that was authenticated
response - the portlet response that was authenticated
authResult - the resulting Authentication object
Throws:
java.io.IOException

onUnsuccessfulAuthentication

protected void onUnsuccessfulAuthentication(javax.portlet.PortletRequest request,
                                            javax.portlet.PortletResponse response,
                                            AuthenticationException failed)
                                     throws java.io.IOException
Callback for custom processing after an unsuccessful authentication attempt.

Parameters:
request - the portlet request that failed authentication
response - the portlet response that failed authentication
failed - the AuthenticationException that occurred
Throws:
java.io.IOException

setAuthenticationManager

public void setAuthenticationManager(AuthenticationManager authenticationManager)

setUserNameAttributes

public void setUserNameAttributes(java.util.List userNameAttributes)

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)

setUseAuthTypeAsCredentials

public void setUseAuthTypeAsCredentials(boolean useAuthTypeAsCredentials)
If true, the "authType" property of the PortletRequest will be used as the credentials. Defaults to false.

Parameters:
useAuthTypeAsCredentials -

afterEventCompletion

public void afterEventCompletion(javax.portlet.EventRequest request,
                                 javax.portlet.EventResponse response,
                                 java.lang.Object handler,
                                 java.lang.Exception ex)
                          throws java.lang.Exception
Specified by:
afterEventCompletion in interface org.springframework.web.portlet.HandlerInterceptor
Throws:
java.lang.Exception

preHandleEvent

public boolean preHandleEvent(javax.portlet.EventRequest request,
                              javax.portlet.EventResponse response,
                              java.lang.Object handler)
                       throws java.lang.Exception
Specified by:
preHandleEvent in interface org.springframework.web.portlet.HandlerInterceptor
Throws:
java.lang.Exception

afterResourceCompletion

public void afterResourceCompletion(javax.portlet.ResourceRequest request,
                                    javax.portlet.ResourceResponse response,
                                    java.lang.Object handler,
                                    java.lang.Exception ex)
                             throws java.lang.Exception
Specified by:
afterResourceCompletion in interface org.springframework.web.portlet.HandlerInterceptor
Throws:
java.lang.Exception

postHandleResource

public void postHandleResource(javax.portlet.ResourceRequest request,
                               javax.portlet.ResourceResponse response,
                               java.lang.Object handler,
                               org.springframework.web.portlet.ModelAndView modelAndView)
                        throws java.lang.Exception
Specified by:
postHandleResource in interface org.springframework.web.portlet.HandlerInterceptor
Throws:
java.lang.Exception

preHandleResource

public boolean preHandleResource(javax.portlet.ResourceRequest request,
                                 javax.portlet.ResourceResponse response,
                                 java.lang.Object handler)
                          throws java.lang.Exception
Specified by:
preHandleResource in interface org.springframework.web.portlet.HandlerInterceptor
Throws:
java.lang.Exception