AbstractAuthenticationProcessingFilter vs. AbstractPreAuthenticatedProcessingFilter

[marceloverdijk]

What is the difference between these 2?

My scenario is that I want to integrate RPX sign in (openid, twitter, ...) next to standard form login.
My entry point in my mvc page is that I get a response from RPX with a request param token.
With this token I can make an HTTP request to see if user is authenticated and if so I get back an identifier.

I'm wondering if I should use AbstractAuthenticationProcessingFilter or AbstractPreAuthenticatedProcessingFilter?


Some additional info:
I will be storing the identifiers in my own system together with additional data not in RPX.
My system will also contain "native" username/password users as I like to give users the option to sign in using a "native"/my application specific username or using an existing identief they use dailly (Google account, openid, twitter, Yahoo)

[Luke Taylor]

AbstractAuthenticationProcessingFilter is more complicated and is the basis for systems which involve some kind of interactive login, involving redirection to an external authentication system from the AuthenticationEntryPoint (form login, CAS, OpenID). It often involves redirection after authentication to an original request URL.

AbstractPreAuthenticatedProcessingFilter expects the user to already be authenticated and to be able to extract the authentication information from the current request (allowing the request to proceed afterwards).

The best way to get a feel is to check out the code. You'll see that the pre-auth filter is much simpler.

[marceloverdijk]

Thanks Luke,

I will go forward using the AbstractPreAuthenticatedProcessingFilter.

Cheers,
Marcel