DuyHai's Java Blog

Spring Security part III : AuthenticationProcessingFilter & AnonymousFilter


In this post we’ll examine in depth the AuthenticationProcessingFilter and the AnonymousFilter.

V AuthenticationProcessingFilter

The AuthenticationProcessingFilter interface is quite complex. Indeed it acts like a router and delegates all sub-tasks of authentication to other actors. The AuthenticationProcessingFilter collaborates with the interfaces described in the sections below (AuthenticationSuccessHandler, AuthenticationFailureHandler and AuthenticationManager).

Spring configuration:

<bean id="authenticationProcessingFilter"
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="filterProcessesUrl" value="/j_myApplication_security_check"/>
  <property name="authenticationSuccessHandler">
    <bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
      <property name="defaultTargetUrl" value="/pages/Home/home.html" />
    </bean>
  </property>
  <property name="authenticationFailureHandler">
    <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
      <property name="defaultFailureUrl" value="/pages/Security/login.html?login_error=1" />
    </bean>
  </property>
</bean>

First we use the UsernamePasswordAuthenticationFilter as the implementation of the AuthenticationProcessingFilter interface. If you are using a CAS server or JAAS, you should use a dedicated implementation or write your own.

Next, at line 3, an AuthenticationManager is injected. We’ll look into this AuthenticationManager very soon.

At line 4 we define the URL for the login process (/j_myApplication_security_check). This URL should be the POST URL of the login form. The default value is j_spring_security_check, but you can change it here.


1) AuthenticationSuccessHandler

At lines 6 & 7 we inject an AuthenticationSuccessHandler. Spring provides 2 implementations by default:

  1. SimpleUrlAuthenticationSuccessHandler: automatically redirects the user to the defaultTargetUrl set as parameter
  2. SavedRequestAwareAuthenticationSuccessHandler: redirects the user to the page originally requested. If the initial request does not target any specific page, it redirects the user to the defaultTargetUrl set as parameter

By default the defaultTargetUrl points to the home page.


2) AuthenticationFailureHandler

At lines 11 & 12 we inject the SimpleUrlAuthenticationFailureHandler into the AuthenticationProcessingFilter. This implementation simply redirects the user to an error page in case of unsuccessful authentication. The error page URL is set through the defaultFailureUrl parameter.


3) AuthenticationManager

Now we dig into the configuration of the AuthenticationManager.

<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
  <property name="providers">
    <list>
      <ref bean="myAuthenticationProvider" />
      <ref bean="anonymousProvider" />
    </list>
  </property>
</bean>

<bean id="anonymousProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
  <property name="key" value="unique_key_123" />
</bean>

<bean id="myAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="myUserDetailsService" />
</bean>

<bean id="myUserDetailsService" class="com.myApplication.service.TechWebSecurityService" >
  <property name="userDao" ref="myUserDao" />
</bean>

First, the implementation of the AuthenticationManager interface is the ProviderManager class, which simply delegates the job of authentication to a list of authentication providers.

Among the injected authentication providers is the AnonymousAuthenticationProvider. As expected, this provider is useful for checking the anonymous role. Please notice the unique key passed in at line 11.

Next is the user-defined provider: myAuthenticationProvider. It is based on the DaoAuthenticationProvider implementation, which performs authentication against a datasource. If you are using JAAS for authentication, please consider the JaasAuthenticationProvider class.

For the DaoAuthenticationProvider to work we must inject a UserDetailsService whose task is to load user credentials from a datasource. It is up to you to implement the UserDetailsService. In the example this service simply delegates the request to a DAO class (line 19).
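As an added illustration (not code from the original post), here is what the myUserDetailsService bean could look like. The class name TechWebSecurityService and the userDao property come from the configuration above; the UserDao interface, the UserEntity record and the in-memory DAO in main() are assumptions made for this example. It assumes Spring Security 3.1 or later (on 3.0, AuthorityUtils.createAuthorityList exists as well, so the code is the same).

```java
package com.myApplication.service;

import java.util.Arrays;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Example UserDetailsService that delegates to a DAO, as the myUserDetailsService bean does. */
public class TechWebSecurityService implements UserDetailsService {

    private UserDao userDao; // injected by <property name="userDao" ref="myUserDao"/>

    public void setUserDao(UserDao userDao) {
        this.userDao = userDao;
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserEntity entity = userDao.findByLogin(username);
        if (entity == null) {
            // DaoAuthenticationProvider reports this as BadCredentialsException by default
            // (hideUserNotFoundExceptions = true), so unknown and wrong-password logins look alike.
            throw new UsernameNotFoundException("No account for " + username);
        }
        List<GrantedAuthority> authorities =
                AuthorityUtils.createAuthorityList(entity.roles.toArray(new String[0]));
        // enabled / accountNonExpired / credentialsNonExpired / accountNonLocked are checked by
        // DaoAuthenticationProvider before the password is compared, so a locked account fails early.
        return new User(entity.login, entity.password,
                entity.enabled, true, true, !entity.locked, authorities);
    }

    /** Hypothetical DAO contract behind the myUserDao bean (assumption for this example). */
    public interface UserDao {
        UserEntity findByLogin(String login);
    }

    /** Hypothetical persisted account (assumption for this example). */
    public static class UserEntity {
        final String login;
        final String password; // stored in whatever form the provider's passwordEncoder expects
        final boolean enabled;
        final boolean locked;
        final List<String> roles;

        UserEntity(String login, String password, boolean enabled, boolean locked, List<String> roles) {
            this.login = login;
            this.password = password;
            this.enabled = enabled;
            this.locked = locked;
            this.roles = roles;
        }
    }

    /** Stand-alone demonstration with a constructed in-memory DAO instead of a real datasource. */
    public static void main(String[] args) {
        TechWebSecurityService service = new TechWebSecurityService();
        service.setUserDao(new UserDao() {
            public UserEntity findByLogin(String login) {
                if ("alice".equals(login)) {
                    return new UserEntity("alice", "<password-placeholder>", true, false,
                            Arrays.asList("ROLE_USER"));
                }
                return null; // constructed sample: only one known account
            }
        });

        UserDetails alice = service.loadUserByUsername("alice");
        System.out.println(alice.getUsername() + " -> " + alice.getAuthorities()
                + ", locked=" + !alice.isAccountNonLocked());

        try {
            service.loadUserByUsername("mallory");
        } catch (UsernameNotFoundException e) {
            System.out.println("unknown user rejected: " + e.getMessage());
        }
    }
}
```

The password string handed back in the User object is compared by the DaoAuthenticationProvider through its passwordEncoder property, which in Spring Security 3.x defaults to a plain-text comparison; if the DAO stores hashed passwords, configure a matching passwordEncoder on the myAuthenticationProvider bean.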


VI AnonymousFilter

Next in the security filter chain is the AnonymousFilter.

<bean id="anonymousFilter" class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter" >
  <property name="key" value="unique_key_123" />
  <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
</bean>

The AnonymousFilter’s job is to grant an anonymous role to the user. By default, if there is no token in the security context, this filter creates one carrying the anonymous attributes (defined via the userAttribute parameter) and the key value.

Later, when the AnonymousAuthenticationProvider checks the security context, if it finds a token with the ROLE_ANONYMOUS role and a matching key value, then the anonymous authentication is successful.
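The key handshake between the filter and the provider, shown as an added example (not code from the original post): the filter side is a simplified re-implementation of the behaviour described above, not the AnonymousAuthenticationFilter class itself, and the provider side uses the real AnonymousAuthenticationProvider with the same key value as the anonymousFilter bean. The principal and role strings are the ones from the userAttribute property; the "foreign" token is a constructed sample.

```java
import org.springframework.security.authentication.AnonymousAuthenticationProvider;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;

public class AnonymousKeyCheckDemo {

    private static final String KEY = "unique_key_123"; // value of the key property on both beans

    /**
     * Simplified stand-in for what AnonymousAuthenticationFilter does (assumption, not the real class):
     * if the context holds no Authentication, populate it with an anonymous token bound to our key.
     */
    static Authentication ensureAuthentication(SecurityContext ctx) {
        if (ctx.getAuthentication() == null) {
            ctx.setAuthentication(new AnonymousAuthenticationToken(
                    KEY, "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
        }
        return ctx.getAuthentication();
    }

    /** Returns true if the provider accepts the token, false if it rejects it because of the key. */
    static boolean providerAccepts(AnonymousAuthenticationProvider provider, Authentication token) {
        try {
            Authentication result = provider.authenticate(token);
            return result != null && result.isAuthenticated();
        } catch (BadCredentialsException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Provider configured like the anonymousProvider bean (property injection, same key).
        AnonymousAuthenticationProvider provider = new AnonymousAuthenticationProvider();
        provider.setKey(KEY);

        // 1. Empty context: the filter step creates the anonymous token.
        SecurityContext ctx = new SecurityContextImpl();
        Authentication anonymous = ensureAuthentication(ctx);
        System.out.println("token created   : " + anonymous.getAuthorities());
        System.out.println("same key accepted: " + providerAccepts(provider, anonymous));

        // 2. Constructed token carrying ROLE_ANONYMOUS but a different key: the provider rejects it,
        //    so only tokens created by our own filter are honoured.
        Authentication foreign = new AnonymousAuthenticationToken(
                "some_other_key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        System.out.println("other key accepted: " + providerAccepts(provider, foreign));
    }
}
```

Run as a plain main(): the token created in step 1 is accepted and the token with the other key is rejected with a BadCredentialsException, which is why the key property must be identical on the anonymousFilter and anonymousProvider beans and should not be a guessable value.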