Package org.springframework.security.openid

Class OpenIDAuthenticationFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
    @Deprecated
public class OpenIDAuthenticationFilter
extends org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    Deprecated.
    The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
    Filter which processes OpenID authentication requests.

    The OpenID authentication involves two stages.

    Submission of OpenID identity

    The user's OpenID identity is submitted via a login form, just as it would be for a normal form login. At this stage the filter will extract the identity from the submitted request (by default, the parameter is called openid_identifier, as recommended by the OpenID 2.0 Specification). It then passes the identity to the configured OpenIDConsumer, which returns the URL to which the request should be redirected for authentication. A "return_to" URL is also supplied, which matches the URL processed by this filter, to allow the filter to handle the request once the user has been successfully authenticated. The OpenID server will then authenticate the user and redirect back to the application.

    Processing the Redirect from the OpenID Server

    Once the user has been authenticated externally, the redirected request will be passed to the OpenIDConsumer again for validation. The returned OpenIDAuthentication will be passed to the AuthenticationManager where it should (normally) be processed by an OpenIDAuthenticationProvider in order to load the authorities for the user.
    Since:
    2.0
    See Also:
    OpenIDAuthenticationProvider

    • Field Summary

      Fields 
      Modifier and Type Field Description
      static java.lang.String DEFAULT_CLAIMED_IDENTITY_FIELD
      Deprecated.
       

      • Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

        authenticationDetailsSource, eventPublisher, messages

      • Fields inherited from class org.springframework.web.filter.GenericFilterBean

        logger

    • Method Summary

      All Methods Instance Methods Concrete Methods Deprecated Methods 
      Modifier and Type Method Description
      void afterPropertiesSet()
      Deprecated.
       
      org.springframework.security.core.Authentication attemptAuthentication​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Deprecated.
      Authentication has two phases.
      protected java.lang.String buildReturnToUrl​(javax.servlet.http.HttpServletRequest request)
      Deprecated.
      Builds the return_to URL that will be sent to the OpenID service provider.
      protected java.lang.String lookupRealm​(java.lang.String returnToUrl)
      Deprecated.
       
      protected java.lang.String obtainUsername​(javax.servlet.http.HttpServletRequest req)
      Deprecated.
      Reads the claimedIdentityFieldName from the submitted request.
      void setClaimedIdentityFieldName​(java.lang.String claimedIdentityFieldName)
      Deprecated.
      The name of the request parameter containing the OpenID identity, as submitted from the initial login form.
      void setConsumer​(OpenIDConsumer consumer)
      Deprecated.
       
      void setRealmMapping​(java.util.Map<java.lang.String,​java.lang.String> realmMapping)
      Deprecated.
      Maps the return_to url to a realm, for example:
      void setReturnToUrlParameters​(java.util.Set<java.lang.String> returnToUrlParameters)
      Deprecated.
      Specifies any extra parameters submitted along with the identity field which should be appended to the return_to URL which is assembled by buildReturnToUrl(javax.servlet.http.HttpServletRequest).

      • Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

        doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSecurityContextHolderStrategy, setSecurityContextRepository, setSessionAuthenticationStrategy, successfulAuthentication, unsuccessfulAuthentication

      • Methods inherited from class org.springframework.web.filter.GenericFilterBean

        addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • DEFAULT_CLAIMED_IDENTITY_FIELD

        public static final java.lang.String DEFAULT_CLAIMED_IDENTITY_FIELD
        Deprecated.
        See Also:
        Constant Field Values

    • Constructor Detail

      • OpenIDAuthenticationFilter

        public OpenIDAuthenticationFilter()
        Deprecated.

    • Method Detail

      • afterPropertiesSet

        public void afterPropertiesSet()
        Deprecated.
        Specified by:
        afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
        Overrides:
        afterPropertiesSet in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

      • attemptAuthentication

        public org.springframework.security.core.Authentication attemptAuthentication​(javax.servlet.http.HttpServletRequest request,
                                                                              javax.servlet.http.HttpServletResponse response)
                                                                       throws org.springframework.security.core.AuthenticationException,
                                                                              java.io.IOException
        Deprecated.
        Authentication has two phases.
        1. The initial submission of the claimed OpenID. A redirect to the URL returned from the consumer will be performed and null will be returned.
        2. The redirection from the OpenID server to the return_to URL, once it has authenticated the user
        Specified by:
        attemptAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
        Throws:
        org.springframework.security.core.AuthenticationException
        java.io.IOException

      • lookupRealm

        protected java.lang.String lookupRealm​(java.lang.String returnToUrl)
        Deprecated.

      • buildReturnToUrl

        protected java.lang.String buildReturnToUrl​(javax.servlet.http.HttpServletRequest request)
        Deprecated.
        Builds the return_to URL that will be sent to the OpenID service provider. By default returns the URL of the current request.
        Parameters:
        request - the current request which is being processed by this filter
        Returns:
        The return_to URL.

      • obtainUsername

        protected java.lang.String obtainUsername​(javax.servlet.http.HttpServletRequest req)
        Deprecated.
        Reads the claimedIdentityFieldName from the submitted request.

      • setRealmMapping

        public void setRealmMapping​(java.util.Map<java.lang.String,​java.lang.String> realmMapping)
        Deprecated.
        Maps the return_to url to a realm, for example: 
         https://www.example.com/login/openid -> https://www.example.com/realm
        If no mapping is provided then the returnToUrl will be parsed to extract the protocol, hostname and port followed by a trailing slash. This means that https://foo.example.com/login/openid will automatically become http://foo.example.com:80/
        Parameters:
        realmMapping - containing returnToUrl -> realm mappings

      • setClaimedIdentityFieldName

        public void setClaimedIdentityFieldName​(java.lang.String claimedIdentityFieldName)
        Deprecated.
        The name of the request parameter containing the OpenID identity, as submitted from the initial login form.
        Parameters:
        claimedIdentityFieldName - defaults to "openid_identifier"

      • setConsumer

        public void setConsumer​(OpenIDConsumer consumer)
        Deprecated.

      • setReturnToUrlParameters

        public void setReturnToUrlParameters​(java.util.Set<java.lang.String> returnToUrlParameters)
        Deprecated.
        Specifies any extra parameters submitted along with the identity field which should be appended to the return_to URL which is assembled by buildReturnToUrl(javax.servlet.http.HttpServletRequest).
        Parameters:
        returnToUrlParameters - the set of parameter names. If not set, it will default to the parameter name used by the RememberMeServices obtained from the parent class (if one is set).