
Thread: Handle Redirect in AbstractAuthenticationProcessingFilter

  1. #1
    Handle Redirect in AbstractAuthenticationProcessingFilter

    I'm trying to refactor the spring-social-security code, and I find that in order to use AbstractAuthenticationProcessingFilter, I need to add code in its doFilter() method to handle the redirect.

    So I added an AuthenticationRedirectException class:

    Code:
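    import java.net.URL;

    import org.springframework.security.core.AuthenticationException;

    // Thrown from attemptAuthentication() to signal that the browser must be redirected
    public class AuthenticationRedirectException extends AuthenticationException {
        // Target URL of the redirect
        private final String redirectUrl;

        public AuthenticationRedirectException(URL redirectUrl) {
            this(redirectUrl.toString());
        }

        public AuthenticationRedirectException(String redirectUrl) {
            super("");
            this.redirectUrl = redirectUrl;
        }

        public String getRedirectUrl() {
            return redirectUrl;
        }

    }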
    And changed doFilter() to catch the exception:

    Code:
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
    
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
    
            if (!requiresAuthentication(request, response)) {
                chain.doFilter(request, response);
    
                return;
            }
    
            if (logger.isDebugEnabled()) {
                logger.debug("Request is to process authentication");
            }
    
            Authentication authResult;
    
            try {
                authResult = attemptAuthentication(request, response);
                if (authResult == null) {
                    // return immediately as subclass has indicated that it hasn't completed authentication
                    return;
                }
                sessionStrategy.onAuthentication(authResult, request, response);
            } catch (AuthenticationRedirectException e) {
                // Added: redirect instead of treating this as an authentication failure
                response.sendRedirect(e.getRedirectUrl());
                return;
            } catch (InternalAuthenticationServiceException failed) {
                logger.error("An internal error occurred while trying to authenticate the user.", failed);
                unsuccessfulAuthentication(request, response, failed);
    
                return;
            }
            catch (AuthenticationException failed) {
                // Authentication failed
                unsuccessfulAuthentication(request, response, failed);
    
                return;
            }
    
            // Authentication success
            if (continueChainBeforeSuccessfulAuthentication) {
                chain.doFilter(request, response);
            }
    
            successfulAuthentication(request, response, chain, authResult);
        }
    Please let me know if the above code changes are appropriate.

    Thanks.
    Yuan Ji
    www.jiwhiz.com - Passion for beautiful design

  2. #2

    I think it's better to use a custom implementation of failureHandler to handle this. For details, look here.

  3. #3

    Thanks objectamit. Rob Winch also pointed that out at SEC2102.

    I also feel maybe it is better to override unsuccessfulAuthentication() to pass the redirect if the AuthenticationException is for a redirect. What do you think? Add a custom implementation of failureHandler or override unsuccessfulAuthentication()?
    Yuan Ji
    www.jiwhiz.com - Passion for beautiful design
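
The failure-handler option suggested in reply #2, sketched as an added example (not code from the thread or from Spring Security itself): the handler sends the redirect carried by the thread's AuthenticationRedirectException and leaves doFilter() unmodified. Assumptions: the class name RedirectAwareFailureHandler and the allowedHosts allow-list are hypothetical, the redirect target is expected to be an https URL, and the javax.servlet namespace is used (newer Spring Security versions use jakarta.servlet).

```java
import java.io.IOException;
import java.net.URI;
import java.util.Locale;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

// Hypothetical handler: redirects for AuthenticationRedirectException, delegates otherwise.
public class RedirectAwareFailureHandler implements AuthenticationFailureHandler {

    private final AuthenticationFailureHandler delegate; // e.g. SimpleUrlAuthenticationFailureHandler
    private final Set<String> allowedHosts;              // lower-case hosts a redirect may target (assumption)

    public RedirectAwareFailureHandler(AuthenticationFailureHandler delegate, Set<String> allowedHosts) {
        this.delegate = delegate;
        this.allowedHosts = allowedHosts;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        if (exception instanceof AuthenticationRedirectException) {
            String url = ((AuthenticationRedirectException) exception).getRedirectUrl();
            if (isAllowed(url)) {
                response.sendRedirect(url);
                return;
            }
        }
        // Real failures, and redirects to unexpected targets, take the normal failure path.
        delegate.onAuthenticationFailure(request, response, exception);
    }

    // Accept only absolute https URLs whose host is on the allow-list.
    private boolean isAllowed(String url) {
        if (url == null) {
            return false;
        }
        try {
            URI uri = URI.create(url);
            String host = uri.getHost();
            return "https".equalsIgnoreCase(uri.getScheme()) && host != null
                    && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            return false; // unparsable URL
        }
    }
}
```

Register it on the filter with setAuthenticationFailureHandler(); the stock unsuccessfulAuthentication() then invokes it for every AuthenticationException thrown by attemptAuthentication().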
