
SEC-1202: Removed SpringSecurityFilter and replaced with use of GenericFilterBean from spring-web

Luke Taylor 16 éve
szülő
commit
f536c80020
36 módosított fájl, 225 hozzáadás és 251 törlés
  1. 0 2
      cas/src/test/java/org/springframework/security/cas/web/CasProcessingFilterTests.java
  2. 0 1
      config/pom.xml
  3. 16 19
      config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
  4. 2 6
      config/src/test/java/org/springframework/security/config/FilterChainProxyConfigTests.java
  5. 10 6
      ntlm/src/main/java/org/springframework/security/ui/ntlm/NtlmProcessingFilter.java
  6. 8 2
      openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProcessingFilter.java
  7. 10 33
      web/src/main/java/org/springframework/security/web/FilterChainProxy.java
  8. 0 61
      web/src/main/java/org/springframework/security/web/SpringSecurityFilter.java
  9. 10 6
      web/src/main/java/org/springframework/security/web/access/ExceptionTranslationFilter.java
  10. 9 5
      web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java
  11. 10 5
      web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java
  12. 11 4
      web/src/main/java/org/springframework/security/web/authentication/AnonymousProcessingFilter.java
  13. 9 5
      web/src/main/java/org/springframework/security/web/authentication/concurrent/ConcurrentSessionFilter.java
  14. 8 4
      web/src/main/java/org/springframework/security/web/authentication/logout/LogoutFilter.java
  15. 24 19
      web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
  16. 10 7
      web/src/main/java/org/springframework/security/web/authentication/rememberme/RememberMeProcessingFilter.java
  17. 10 6
      web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserProcessingFilter.java
  18. 9 3
      web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
  19. 9 5
      web/src/main/java/org/springframework/security/web/authentication/www/BasicProcessingFilter.java
  20. 10 6
      web/src/main/java/org/springframework/security/web/authentication/www/DigestProcessingFilter.java
  21. 1 1
      web/src/main/java/org/springframework/security/web/context/HttpSessionContextIntegrationFilter.java
  22. 8 4
      web/src/main/java/org/springframework/security/web/context/SecurityContextPersistenceFilter.java
  23. 7 5
      web/src/main/java/org/springframework/security/web/savedrequest/RequestCacheAwareFilter.java
  24. 7 3
      web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
  25. 6 5
      web/src/main/java/org/springframework/security/web/wrapper/SecurityContextHolderAwareRequestFilter.java
  26. 0 2
      web/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java
  27. 3 4
      web/src/test/java/org/springframework/security/web/authentication/AnonymousProcessingFilterTests.java
  28. 1 1
      web/src/test/java/org/springframework/security/web/authentication/AuthenticationProcessingFilterTests.java
  29. 0 1
      web/src/test/java/org/springframework/security/web/authentication/preauth/header/RequestHeaderPreAuthenticatedProcessingFilterTests.java
  30. 3 4
      web/src/test/java/org/springframework/security/web/authentication/rememberme/RememberMeProcessingFilterTests.java
  31. 2 2
      web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserProcessingFilterTests.java
  32. 2 3
      web/src/test/java/org/springframework/security/web/authentication/www/BasicProcessingFilterTests.java
  33. 1 3
      web/src/test/java/org/springframework/security/web/authentication/www/DigestProcessingFilterTests.java
  34. 2 2
      web/src/test/java/org/springframework/security/web/context/HttpSessionContextIntegrationFilterTests.java
  35. 1 1
      web/src/test/java/org/springframework/security/web/wrapper/SecurityContextHolderAwareRequestFilterTests.java
  36. 6 5
      web/template.mf

+ 0 - 2
cas/src/test/java/org/springframework/security/cas/web/CasProcessingFilterTests.java

@@ -48,7 +48,6 @@ public class CasProcessingFilterTests extends TestCase {
 
         CasProcessingFilter filter = new CasProcessingFilter();
         filter.setAuthenticationManager(authMgr);
-        filter.init(null);
 
         Authentication result = filter.attemptAuthentication(request, new MockHttpServletResponse());
         assertTrue(result != null);
@@ -62,7 +61,6 @@ public class CasProcessingFilterTests extends TestCase {
 
         CasProcessingFilter filter = new CasProcessingFilter();
         filter.setAuthenticationManager(authMgr);
-        filter.init(null);
 
         try {
             filter.attemptAuthentication(request, new MockHttpServletResponse());

+ 0 - 1
config/pom.xml

@@ -58,7 +58,6 @@
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-web</artifactId>
-            <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.apache.directory.server</groupId>

+ 16 - 19
config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java

@@ -22,28 +22,28 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
 
-public class DefaultFilterChainValidator implements FilterChainProxy.FilterChainValidator{
+public class DefaultFilterChainValidator implements FilterChainProxy.FilterChainValidator {
     private Log logger = LogFactory.getLog(getClass());
 
-	public void validate(FilterChainProxy fcp) {
-		Map<String, List<Filter>> filterChainMap = fcp.getFilterChainMap();
-		for(String pattern : fcp.getFilterChainMap().keySet()) {
-			List<Filter> filters = filterChainMap.get(pattern);
-			checkFilterStack(filters);
-		}
+    public void validate(FilterChainProxy fcp) {
+        Map<String, List<Filter>> filterChainMap = fcp.getFilterChainMap();
+        for(String pattern : fcp.getFilterChainMap().keySet()) {
+            List<Filter> filters = filterChainMap.get(pattern);
+            checkFilterStack(filters);
+        }
 
-		checkLoginPageIsntProtected(fcp, filterChainMap.get(fcp.getMatcher().getUniversalMatchPattern()));
-	}
+        checkLoginPageIsntProtected(fcp, filterChainMap.get(fcp.getMatcher().getUniversalMatchPattern()));
+    }
 
     private Object getFilter(Class<?> type, List<Filter> filters) {
 
-    	for (Filter f : filters) {
-    		if (type.isAssignableFrom(f.getClass())) {
-    			return f;
-    		}
-    	}
+        for (Filter f : filters) {
+            if (type.isAssignableFrom(f.getClass())) {
+                return f;
+            }
+        }
 
-    	return null;
+        return null;
     }
 
     /**
@@ -78,7 +78,7 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
 
     /* Checks for the common error of having a login page URL protected by the security interceptor */
     private void checkLoginPageIsntProtected(FilterChainProxy fcp, List<Filter> defaultFilters) {
-    	ExceptionTranslationFilter etf = (ExceptionTranslationFilter)getFilter(ExceptionTranslationFilter.class, defaultFilters);
+        ExceptionTranslationFilter etf = (ExceptionTranslationFilter)getFilter(ExceptionTranslationFilter.class, defaultFilters);
 
         if (etf.getAuthenticationEntryPoint() instanceof LoginUrlAuthenticationEntryPoint) {
             String loginPage =
@@ -129,7 +129,4 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
             }
         }
     }
-
-
-
 }

+ 2 - 6
config/src/test/java/org/springframework/security/config/FilterChainProxyConfigTests.java

@@ -17,13 +17,13 @@ package org.springframework.security.config;
 
 import static org.junit.Assert.*;
 import static org.mockito.Matchers.any;
-import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
 
 import java.util.List;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -136,8 +136,6 @@ public class FilterChainProxyConfigTests {
     }
 
     private void doNormalOperation(FilterChainProxy filterChainProxy) throws Exception {
-        filterChainProxy.init(mock(FilterConfig.class));
-
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setServletPath("/foo/secure/super/somefile.html");
 
@@ -151,7 +149,5 @@ public class FilterChainProxyConfigTests {
         chain = mock(FilterChain.class);
         filterChainProxy.doFilter(request, response, chain);
         verify(chain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
-
-        filterChainProxy.destroy();
     }
 }

+ 10 - 6
ntlm/src/main/java/org/springframework/security/ui/ntlm/NtlmProcessingFilter.java

@@ -22,6 +22,8 @@ import java.util.Properties;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
@@ -40,7 +42,6 @@ import jcifs.util.Base64;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
@@ -51,10 +52,10 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
 
 /**
  * A clean-room implementation for Spring Security of an NTLM HTTP filter
@@ -81,7 +82,7 @@ import org.springframework.util.Assert;
  * @author Edward Smith
  * @version $Id$
  */
-public class NtlmProcessingFilter extends SpringSecurityFilter implements InitializingBean {
+public class NtlmProcessingFilter extends GenericFilterBean {
     //~ Static fields/initializers =====================================================================================
 
     private static Log    logger = LogFactory.getLog(NtlmProcessingFilter.class);
@@ -120,7 +121,8 @@ public class NtlmProcessingFilter extends SpringSecurityFilter implements Initia
      * Ensures an <code>AuthenticationManager</code> and authentication failure
      * URL have been provided in the bean configuration file.
      */
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         Assert.notNull(this.authenticationManager, "An AuthenticationManager is required");
 
         // Default to 5 minutes if not already specified
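Review bot: The new `afterPropertiesSet()` override replaces the `GenericFilterBean` implementation without delegating to it, so the base class hook `initFilterBean()` is no longer reached on the bean-lifecycle path. The `Assert.notNull(this.authenticationManager, ...)` check also does not run when the filter is initialised through `init(FilterConfig)`, which as far as I know calls `initFilterBean()` rather than `afterPropertiesSet()`. Moving the assertions into `protected void initFilterBean()` would keep the required-collaborator validation on both paths. The same applies to the `afterPropertiesSet()` hunks in FilterChainProxy, ExceptionTranslationFilter, ChannelProcessingFilter, AbstractAuthenticationProcessingFilter, AnonymousProcessingFilter and ConcurrentSessionFilter. The method body continues outside this hunk.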
@@ -304,8 +306,10 @@ public class NtlmProcessingFilter extends SpringSecurityFilter implements Initia
         this.authenticationDetailsSource = authenticationDetailsSource;
     }
 
-    protected void doFilterHttp(final HttpServletRequest request,
-            final HttpServletResponse response, final FilterChain chain) throws IOException, ServletException {
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
+            throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
         final HttpSession session = request.getSession();
         Integer ntlmState = (Integer) session.getAttribute(STATE_ATTR);
 
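Review bot: The two casts at the top of the new `doFilter` are unchecked, so a non-HTTP `ServletRequest` fails with a bare `ClassCastException` before any of the filter's own logic runs. With `SpringSecurityFilter` removed, this cast is now copied into every filter instead of living in one place. A guard such as `if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) { throw new ServletException("NtlmProcessingFilter only supports HTTP requests"); }` would make the failure explicit. The same applies to the `doFilter` hunks in ExceptionTranslationFilter, ChannelProcessingFilter, AbstractAuthenticationProcessingFilter, AnonymousProcessingFilter and ConcurrentSessionFilter. The method body continues past the end of this hunk.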

+ 8 - 2
openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProcessingFilter.java

@@ -25,6 +25,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.openid4java.consumer.ConsumerException;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -81,10 +82,15 @@ public class OpenIDAuthenticationProcessingFilter extends AbstractAuthentication
 
     //~ Methods ========================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         super.afterPropertiesSet();
         if (consumer == null) {
-            consumer = new OpenID4JavaConsumer();
+            try {
+                consumer = new OpenID4JavaConsumer();
+            } catch (ConsumerException e) {
+                throw new IllegalArgumentException("Failed to initialize OpenID", e);
+            }
         }
     }
 
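Review bot: `IllegalArgumentException` is a misleading wrapper in the new `catch` block, because no argument is at fault when `new OpenID4JavaConsumer()` fails; the bean simply cannot be initialised. `throw new IllegalStateException("Failed to initialize OpenID consumer", e);` describes the condition more accurately and still preserves the cause. A short comment such as `// Fall back to the default consumer only when none was injected` above the `if (consumer == null)` line would also help.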

+ 10 - 33
web/src/main/java/org/springframework/security/web/FilterChainProxy.java

@@ -33,12 +33,12 @@ import javax.servlet.ServletResponse;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
 import org.springframework.security.web.util.AntUrlPathMatcher;
 import org.springframework.security.web.util.UrlMatcher;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.DelegatingFilterProxy;
+import org.springframework.web.filter.GenericFilterBean;
 
 
 /**
@@ -104,7 +104,7 @@ import org.springframework.web.filter.DelegatingFilterProxy;
  *
  * @version $Id$
  */
-public class FilterChainProxy implements Filter, InitializingBean {
+public class FilterChainProxy extends GenericFilterBean {
     //~ Static fields/initializers =====================================================================================
 
     private static final Log logger = LogFactory.getLog(FilterChainProxy.class);
@@ -123,35 +123,12 @@ public class FilterChainProxy implements Filter, InitializingBean {
 
     //~ Methods ========================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         Assert.notNull(uncompiledFilterChainMap, "filterChainMap must be set");
         filterChainValidator.validate(this);
     }
 
-    public void init(FilterConfig filterConfig) throws ServletException {
-        for (Filter filter : obtainAllDefinedFilters()) {
-            if (filter != null) {
-                if (logger.isDebugEnabled()) {
-                    logger.debug("Initializing Filter defined in ApplicationContext: '" + filter + "'");
-                }
-
-                filter.init(filterConfig);
-            }
-        }
-    }
-
-    public void destroy() {
-        for (Filter filter : obtainAllDefinedFilters()) {
-            if (filter != null) {
-                if (logger.isDebugEnabled()) {
-                    logger.debug("Destroying Filter defined in ApplicationContext: '" + filter + "'");
-                }
-
-                filter.destroy();
-            }
-        }
-    }
-
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
             throws IOException, ServletException {
 
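Review bot: With `init(FilterConfig)` and `destroy()` removed, FilterChainProxy no longer forwards the servlet lifecycle calls to the filters in its chains, so a custom `Filter` in the chain that sets up or validates state in `init()` would now reach `doFilter` uninitialised. The class Javadoc should say so, for example `Filters in the chain must be initialised and destroyed by the application context; init(FilterConfig) and destroy() are not delegated to them.` If delegation is still wanted for filters not managed by Spring, it has to be re-added explicitly, since the inherited `GenericFilterBean` lifecycle methods act on the proxy only. The `javax.servlet.FilterConfig` import may now be unused, but the import block lies outside this hunk, as does the rest of `doFilter`.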
@@ -324,10 +301,10 @@ public class FilterChainProxy implements Filter, InitializingBean {
      * @param filterChainValidator
      */
     public void setFilterChainValidator(FilterChainValidator filterChainValidator) {
-		this.filterChainValidator = filterChainValidator;
-	}
+        this.filterChainValidator = filterChainValidator;
+    }
 
-	public String toString() {
+    public String toString() {
         StringBuffer sb = new StringBuffer();
         sb.append("FilterChainProxy[");
         sb.append(" UrlMatcher = ").append(matcher);
@@ -382,12 +359,12 @@ public class FilterChainProxy implements Filter, InitializingBean {
     }
 
     public interface FilterChainValidator {
-    	void validate(FilterChainProxy filterChainProxy);
+        void validate(FilterChainProxy filterChainProxy);
     }
 
     private class NullFilterChainValidator implements FilterChainValidator {
-		public void validate(FilterChainProxy filterChainProxy) {
-		}
+        public void validate(FilterChainProxy filterChainProxy) {
+        }
     }
 
 }

+ 0 - 61
web/src/main/java/org/springframework/security/web/SpringSecurityFilter.java

@@ -1,61 +0,0 @@
-package org.springframework.security.web;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.core.Ordered;
-
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.ServletException;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletResponse;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletRequest;
-import javax.servlet.Filter;
-import java.io.IOException;
-
-/**
- * Implements Ordered interface as required by security namespace configuration and implements unused filter
- * lifecycle methods and performs casting of request and response to http versions in doFilter method.
- *
- * @author Luke Taylor
- * @version $Id$
- */
-public abstract class SpringSecurityFilter implements Filter, Ordered {
-    protected final Log logger = LogFactory.getLog(this.getClass());
-    private int order;
-
-    /**
-     * Does nothing. We use IoC container lifecycle services instead.
-     *
-     * @param filterConfig ignored
-     * @throws ServletException ignored
-     */
-    public final void init(FilterConfig filterConfig) throws ServletException {
-    }
-
-    /**
-     * Does nothing. We use IoC container lifecycle services instead.
-     */
-    public final void destroy() {
-    }
-
-    public final void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-        doFilterHttp((HttpServletRequest)request, (HttpServletResponse)response, chain);
-    }
-
-    protected abstract void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException;
-
-    public final int getOrder() {
-		return order;
-	}
-
-	public void setOrder(int order) {
-		this.order = order;
-	}
-
-	public String toString() {
-        return getClass().getName() + "[ order=" + getOrder() + "; ]";
-    }
-}

+ 10 - 6
web/src/main/java/org/springframework/security/web/access/ExceptionTranslationFilter.java

@@ -19,10 +19,11 @@ import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
@@ -30,12 +31,12 @@ import org.springframework.security.authentication.InsufficientAuthenticationExc
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.util.ThrowableAnalyzer;
 import org.springframework.security.web.util.ThrowableCauseExtractor;
 import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
 
 /**
  * Handles any <code>AccessDeniedException</code> and <code>AuthenticationException</code> thrown within the
@@ -68,7 +69,7 @@ import org.springframework.util.Assert;
  * @author colin sampaleanu
  * @version $Id$
  */
-public class ExceptionTranslationFilter extends SpringSecurityFilter implements InitializingBean {
+public class ExceptionTranslationFilter extends GenericFilterBean {
 
     //~ Instance fields ================================================================================================
 
@@ -82,13 +83,16 @@ public class ExceptionTranslationFilter extends SpringSecurityFilter implements
 
     //~ Methods ========================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         Assert.notNull(authenticationEntryPoint, "authenticationEntryPoint must be specified");
 //        Assert.notNull(portResolver, "portResolver must be specified");
     }
 
-    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException,
-            ServletException {
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
+            throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
 
         try {
             chain.doFilter(request, response);

+ 9 - 5
web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java

@@ -23,15 +23,16 @@ import java.util.Set;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.web.FilterInvocation;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
 import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
 
 
 /**
@@ -45,7 +46,7 @@ import org.springframework.util.Assert;
  * @author Ben Alex
  * @version $Id$
  */
-public class ChannelProcessingFilter extends SpringSecurityFilter implements InitializingBean {
+public class ChannelProcessingFilter extends GenericFilterBean {
 
     //~ Instance fields ================================================================================================
 
@@ -54,7 +55,8 @@ public class ChannelProcessingFilter extends SpringSecurityFilter implements Ini
 
     //~ Methods ========================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         Assert.notNull(securityMetadataSource, "securityMetadataSource must be specified");
         Assert.notNull(channelDecisionManager, "channelDecisionManager must be specified");
 
@@ -86,8 +88,10 @@ public class ChannelProcessingFilter extends SpringSecurityFilter implements Ini
         }
     }
 
-    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
             throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
 
         FilterInvocation fi = new FilterInvocation(request, response, chain);
         List<ConfigAttribute> attr = this.securityMetadataSource.getAttributes(fi);

+ 10 - 5
web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java

@@ -19,11 +19,12 @@ import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.ApplicationEventPublisherAware;
 import org.springframework.context.MessageSource;
@@ -36,11 +37,11 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.session.AuthenticatedSessionStrategy;
 import org.springframework.security.web.session.NullAuthenticatedSessionStrategy;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
 
 /**
  * Abstract processor of browser-based HTTP-based authentication requests.
@@ -102,7 +103,7 @@ import org.springframework.util.Assert;
  * @author Ben Alex
  * @version $Id$
  */
-public abstract class AbstractAuthenticationProcessingFilter extends SpringSecurityFilter implements InitializingBean,
+public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean implements
         ApplicationEventPublisherAware, MessageSourceAware {
     //~ Static fields/initializers =====================================================================================
 
@@ -147,7 +148,8 @@ public abstract class AbstractAuthenticationProcessingFilter extends SpringSecur
 
     //~ Methods ========================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         Assert.hasLength(filterProcessesUrl, "filterProcessesUrl must be specified");
         Assert.isTrue(UrlUtils.isValidRedirectUrl(filterProcessesUrl), filterProcessesUrl + " isn't a valid redirect URL");
         Assert.notNull(authenticationManager, "authenticationManager must be specified");
@@ -176,9 +178,12 @@ public abstract class AbstractAuthenticationProcessingFilter extends SpringSecur
      * by this method where the returned <tt>Authentication</tt> object is not null.
      * </ol>
      */
-    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
             throws IOException, ServletException {
 
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
+
         if (!requiresAuthentication(request, response)) {
             chain.doFilter(request, response);
 
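Review bot: Renaming the public extension point `doFilterHttp` to `doFilter` silently disables existing overrides in subclasses. A subclass that fully overrode `doFilterHttp(HttpServletRequest, HttpServletResponse, FilterChain)` without `@Override` or a `super` call still compiles, but its method is never invoked again, so any additional checks it performed are skipped. Since this abstract class is meant to be subclassed, the Javadoc above `doFilter` should name the old method and state that overrides must move to `doFilter(ServletRequest, ServletResponse, FilterChain)`. The method body continues outside this hunk.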

+ 11 - 4
web/src/main/java/org/springframework/security/web/authentication/AnonymousProcessingFilter.java

@@ -20,6 +20,8 @@ import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -29,8 +31,8 @@ import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.memory.UserAttribute;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
 
 
 /**
@@ -40,7 +42,7 @@ import org.springframework.util.Assert;
  * @author Ben Alex
  * @version $Id$
  */
-public class AnonymousProcessingFilter  extends SpringSecurityFilter  implements InitializingBean {
+public class AnonymousProcessingFilter extends GenericFilterBean  implements InitializingBean {
 
     //~ Instance fields ================================================================================================
 
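Review bot: `implements InitializingBean` is redundant on the new class declaration, since `GenericFilterBean` already implements that interface, and the other filters in this commit drop both the clause and the `org.springframework.beans.factory.InitializingBean` import. For consistency the line should read `public class AnonymousProcessingFilter extends GenericFilterBean {`, with the import removed as well (the import block is not part of this hunk). The doubled space before `implements` would go away with it.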
@@ -51,7 +53,8 @@ public class AnonymousProcessingFilter  extends SpringSecurityFilter  implements
 
     //~ Methods ========================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         Assert.notNull(userAttribute);
         Assert.hasLength(key);
     }
@@ -79,7 +82,11 @@ public class AnonymousProcessingFilter  extends SpringSecurityFilter  implements
         return auth;
     }
 
-    protected void doFilterHttp(HttpServletRequest request,HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
+            throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
+
         boolean addedToken = false;
 
         if (applyAnonymousForThisRequest(request)) {

+ 9 - 5
web/src/main/java/org/springframework/security/web/authentication/concurrent/ConcurrentSessionFilter.java

@@ -19,20 +19,21 @@ import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.authentication.concurrent.SessionInformation;
 import org.springframework.security.authentication.concurrent.SessionRegistry;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
 
 
 /**
@@ -52,7 +53,7 @@ import org.springframework.util.Assert;
  * @author Ben Alex
  * @version $Id$
  */
-public class ConcurrentSessionFilter extends SpringSecurityFilter implements InitializingBean {
+public class ConcurrentSessionFilter extends GenericFilterBean {
     //~ Instance fields ================================================================================================
 
     private SessionRegistry sessionRegistry;
@@ -61,14 +62,17 @@ public class ConcurrentSessionFilter extends SpringSecurityFilter implements Ini
 
     //~ Methods ========================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         Assert.notNull(sessionRegistry, "SessionRegistry required");
         Assert.isTrue(expiredUrl == null || UrlUtils.isValidRedirectUrl(expiredUrl),
                 expiredUrl + " isn't a valid redirect URL");
     }
 
-    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
             throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
 
         HttpSession session = request.getSession(false);
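Review bot: The new `afterPropertiesSet()` override in the third hunk replaces GenericFilterBean's implementation without calling it, so `initFilterBean()` is never invoked on the bean-lifecycle path. The `sessionRegistry` and `expiredUrl` redirect-URL assertions also do not run when the filter is initialised through `init(FilterConfig)`. GenericFilterBean reaches `initFilterBean()` from both paths, so the assertions would be better placed in `@Override protected void initFilterBean() { ... }`. The same pattern appears in the AbstractPreAuthenticatedProcessingFilter, RememberMeProcessingFilter, SwitchUserProcessingFilter, BasicProcessingFilter and DigestProcessingFilter sections.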
 

+ 8 - 4
web/src/main/java/org/springframework/security/web/authentication/logout/LogoutFilter.java

@@ -21,15 +21,17 @@ import java.util.List;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
+import org.springframework.web.filter.GenericFilterBean;
 
 /**
  * Logs a principal out.
@@ -44,7 +46,7 @@ import org.springframework.util.StringUtils;
  * @author Ben Alex
  * @version $Id$
  */
-public class LogoutFilter extends SpringSecurityFilter {
+public class LogoutFilter extends GenericFilterBean {
 
     //~ Instance fields ================================================================================================
 
@@ -79,8 +81,10 @@ public class LogoutFilter extends SpringSecurityFilter {
 
     //~ Methods ========================================================================================================
 
-    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException,
-            ServletException {
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
+            throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
 
         if (requiresLogout(request, response)) {
             Authentication auth = SecurityContextHolder.getContext().getAuthentication();
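Review bot: The casts at the top of the new `doFilter` are unchecked, so a request that is not an `HttpServletRequest` now fails with a `ClassCastException` instead of a `ServletException`. If the removed SpringSecurityFilter performed that type check (its source is not shown in this part of the page), the check is lost for every filter converted here. A guard such as `if (!(req instanceof HttpServletRequest)) { throw new ServletException("HTTP request required"); }` ahead of the casts keeps the failure explicit. The same unguarded cast is added in the ConcurrentSessionFilter, AbstractPreAuthenticatedProcessingFilter, RememberMeProcessingFilter, SwitchUserProcessingFilter, DefaultLoginPageGeneratingFilter, BasicProcessingFilter, DigestProcessingFilter, SecurityContextPersistenceFilter, RequestCacheAwareFilter, SessionManagementFilter and SecurityContextHolderAwareRequestFilter sections. `doFilter` continues outside the hunk.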

+ 24 - 19
web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java

@@ -4,39 +4,41 @@ import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.security.web.SpringSecurityFilter;
-import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
-import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationEventPublisherAware;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.beans.factory.InitializingBean;
-import org.springframework.context.ApplicationEventPublisher;
-import org.springframework.context.ApplicationEventPublisherAware;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
 
 /**
  * Base class for processing filters that handle pre-authenticated authentication requests. Subclasses must implement
  * the getPreAuthenticatedPrincipal() and getPreAuthenticatedCredentials() methods.
  * <p>
- * By default, the filter chain will proceed when an authentication attempt fails in order to allow other 
+ * By default, the filter chain will proceed when an authentication attempt fails in order to allow other
  * authentication mechanisms to process the request. To reject the credentials immediately, set the
  * <tt>continueFilterChainOnUnsuccessfulAuthentication</tt> flag to false. The exception raised by the
  * <tt>AuthenticationManager</tt> will the be re-thrown. Note that this will not affect cases where the principal
  * returned by {@link #getPreAuthenticatedPrincipal} is null, when the chain will still proceed as normal.
- * 
+ *
  *
  * @author Luke Taylor
  * @author Ruud Senden
  * @since 2.0
  */
-public abstract class AbstractPreAuthenticatedProcessingFilter extends SpringSecurityFilter implements
+public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFilterBean implements
         InitializingBean, ApplicationEventPublisherAware {
 
     private ApplicationEventPublisher eventPublisher = null;
@@ -44,28 +46,31 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends SpringSec
     private AuthenticationDetailsSource authenticationDetailsSource = new WebAuthenticationDetailsSource();
 
     private AuthenticationManager authenticationManager = null;
-    
+
     private boolean continueFilterChainOnUnsuccessfulAuthentication = true;
 
     /**
      * Check whether all required properties have been set.
      */
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         Assert.notNull(authenticationManager, "An AuthenticationManager must be set");
     }
 
     /**
      * Try to authenticate a pre-authenticated user with Spring Security if the user has not yet been authenticated.
      */
-    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+
         if (logger.isDebugEnabled()) {
             logger.debug("Checking secure context token: " + SecurityContextHolder.getContext().getAuthentication());
         }
 
         if (SecurityContextHolder.getContext().getAuthentication() == null) {
-            doAuthenticate(request, response);
+            doAuthenticate((HttpServletRequest) request, (HttpServletResponse) response);
         }
-        filterChain.doFilter(request, response);
+        chain.doFilter(request, response);
     }
 
     /**
@@ -82,7 +87,7 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends SpringSec
                 logger.debug("No pre-authenticated principal found in request");
             }
 
-            return;            
+            return;
         }
 
         if (logger.isDebugEnabled()) {
@@ -96,7 +101,7 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends SpringSec
             successfulAuthentication(request, response, authResult);
         } catch (AuthenticationException failed) {
             unsuccessfulAuthentication(request, response, failed);
-            
+
             if (!continueFilterChainOnUnsuccessfulAuthentication) {
                 throw failed;
             }
@@ -155,19 +160,19 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends SpringSec
     public void setAuthenticationManager(AuthenticationManager authenticationManager) {
         this.authenticationManager = authenticationManager;
     }
-    
+
     public void setContinueFilterChainOnUnsuccessfulAuthentication(boolean shouldContinue) {
         continueFilterChainOnUnsuccessfulAuthentication = shouldContinue;
     }
 
     /**
-     * Override to extract the principal information from the current request 
+     * Override to extract the principal information from the current request
      */
     protected abstract Object getPreAuthenticatedPrincipal(HttpServletRequest request);
 
     /**
      * Override to extract the credentials (if applicable) from the current request. Some implementations
      * may return a dummy value.
-     */    
+     */
     protected abstract Object getPreAuthenticatedCredentials(HttpServletRequest request);
 }
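Review bot: The class declaration still lists `implements InitializingBean` and keeps the import, although GenericFilterBean already implements that interface, which is why the other converted filters in this commit drop it. For consistency the declaration can read `public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFilterBean implements ApplicationEventPublisherAware {`, with the `org.springframework.beans.factory.InitializingBean` import removed. Behaviour is unchanged either way.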

+ 10 - 7
web/src/main/java/org/springframework/security/web/authentication/rememberme/RememberMeProcessingFilter.java

@@ -19,10 +19,11 @@ import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.ApplicationEventPublisherAware;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -30,9 +31,9 @@ import org.springframework.security.authentication.event.InteractiveAuthenticati
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
 
 
 /**
@@ -52,8 +53,7 @@ import org.springframework.util.Assert;
  * @author Ben Alex
  * @version $Id$
  */
-public class RememberMeProcessingFilter extends SpringSecurityFilter implements InitializingBean,
-        ApplicationEventPublisherAware {
+public class RememberMeProcessingFilter extends GenericFilterBean implements ApplicationEventPublisherAware {
 
     //~ Instance fields ================================================================================================
 
@@ -63,13 +63,16 @@ public class RememberMeProcessingFilter extends SpringSecurityFilter implements
 
     //~ Methods ========================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         Assert.notNull(authenticationManager, "authenticationManager must be specified");
         Assert.notNull(rememberMeServices, "rememberMeServices must be specified");
     }
 
-    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
-        throws IOException, ServletException {
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
+            throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
 
         if (SecurityContextHolder.getContext().getAuthentication() == null) {
             Authentication rememberMeAuth = rememberMeServices.autoLogin(request, response);

+ 10 - 6
web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserProcessingFilter.java

@@ -21,11 +21,12 @@ import java.util.List;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.springframework.beans.BeansException;
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.ApplicationEventPublisherAware;
 import org.springframework.context.MessageSource;
@@ -48,7 +49,6 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsChecker;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
@@ -57,6 +57,7 @@ import org.springframework.security.web.authentication.WebAuthenticationDetailsS
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
+import org.springframework.web.filter.GenericFilterBean;
 
 
 /**
@@ -97,8 +98,8 @@ import org.springframework.util.StringUtils;
  *
  * @see org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority
  */
-public class SwitchUserProcessingFilter extends SpringSecurityFilter implements InitializingBean,
-        ApplicationEventPublisherAware, MessageSourceAware {
+public class SwitchUserProcessingFilter extends GenericFilterBean implements ApplicationEventPublisherAware,
+        MessageSourceAware {
     //~ Static fields/initializers =====================================================================================
 
     public static final String SPRING_SECURITY_SWITCH_USERNAME_KEY = "j_username";
@@ -121,7 +122,8 @@ public class SwitchUserProcessingFilter extends SpringSecurityFilter implements
 
     //~ Methods ========================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         Assert.notNull(userDetailsService, "userDetailsService must be specified");
         Assert.isTrue(successHandler != null || targetUrl != null, "You must set either a successHandler or the targetUrl");
         if (targetUrl != null) {
@@ -137,8 +139,10 @@ public class SwitchUserProcessingFilter extends SpringSecurityFilter implements
         }
     }
 
-    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
             throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
 
         // check for switch or exit request
         if (requiresSwitchUser(request)) {

+ 9 - 3
web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java

@@ -4,16 +4,18 @@ import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
 import org.springframework.beans.BeanWrapperImpl;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
+import org.springframework.web.filter.GenericFilterBean;
 
 /**
  * For internal use with namespace configuration in the case where a user doesn't configure a login page.
@@ -25,7 +27,7 @@ import org.springframework.security.web.authentication.rememberme.AbstractRememb
  * @version $Id$
  * @since 2.0
  */
-public class DefaultLoginPageGeneratingFilter extends SpringSecurityFilter {
+public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
     public static final String DEFAULT_LOGIN_PAGE_URL = "/spring_security_login";
     public static final String ERROR_PARAMETER_NAME = "login_error";
     boolean formLoginEnabled;
@@ -73,7 +75,11 @@ public class DefaultLoginPageGeneratingFilter extends SpringSecurityFilter {
         }
     }
 
-    protected void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
+            throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
+
         if (isLoginUrlRequest(request)) {
             String loginPageHtml = generateLoginPageHtml(request);
             response.setContentType("text/html;charset=UTF-8");

+ 9 - 5
web/src/main/java/org/springframework/security/web/authentication/www/BasicProcessingFilter.java

@@ -19,11 +19,12 @@ import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.codec.binary.Base64;
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -32,11 +33,11 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.authentication.NullRememberMeServices;
 import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
 
 
 /**
@@ -84,7 +85,7 @@ import org.springframework.util.Assert;
  * @author Ben Alex
  * @version $Id$
  */
-public class BasicProcessingFilter extends SpringSecurityFilter implements InitializingBean {
+public class BasicProcessingFilter extends GenericFilterBean {
 
     //~ Instance fields ================================================================================================
 
@@ -97,7 +98,8 @@ public class BasicProcessingFilter extends SpringSecurityFilter implements Initi
 
     //~ Methods ========================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         Assert.notNull(this.authenticationManager, "An AuthenticationManager is required");
 
         if(!isIgnoreFailure()) {
@@ -105,8 +107,10 @@ public class BasicProcessingFilter extends SpringSecurityFilter implements Initi
         }
     }
 
-    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
             throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
 
         String header = request.getHeader("Authorization");
 

+ 10 - 6
web/src/main/java/org/springframework/security/web/authentication/www/DigestProcessingFilter.java

@@ -18,9 +18,10 @@ package org.springframework.security.web.authentication.www;
 import java.io.IOException;
 import java.util.Map;
 
-import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -28,7 +29,6 @@ import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.MessageSource;
 import org.springframework.context.MessageSourceAware;
 import org.springframework.context.support.MessageSourceAccessor;
@@ -44,10 +44,10 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.core.userdetails.cache.NullUserCache;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
+import org.springframework.web.filter.GenericFilterBean;
 
 
 /**
@@ -76,7 +76,7 @@ import org.springframework.util.StringUtils;
  * than Basic authentication. Please see RFC 2617 section 4 for a full discussion on the advantages of Digest
  * authentication over Basic authentication, including commentary on the limitations that it still imposes.
  */
-public class DigestProcessingFilter extends SpringSecurityFilter implements Filter, InitializingBean, MessageSourceAware {
+public class DigestProcessingFilter extends GenericFilterBean implements MessageSourceAware {
     //~ Static fields/initializers =====================================================================================
 
 
@@ -93,13 +93,17 @@ public class DigestProcessingFilter extends SpringSecurityFilter implements Filt
 
     //~ Methods ========================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
+    @Override
+    public void afterPropertiesSet() {
         Assert.notNull(userDetailsService, "A UserDetailsService is required");
         Assert.notNull(authenticationEntryPoint, "A DigestProcessingFilterEntryPoint is required");
     }
 
-    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
             throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
+
         String header = request.getHeader("Authorization");
 
         if (logger.isDebugEnabled()) {
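Review bot: The `Log` and `LogFactory` imports stay in place as context in the second hunk, which suggests the class keeps its own `logger` field. GenericFilterBean already provides a `protected final Log logger`, so a local field of that name would hide the inherited one. If that field exists (its declaration is outside the visible hunks), removing it and the two imports leaves `logger.isDebugEnabled()` in `doFilter` using the inherited logger, consistent with the other converted filters. `doFilter` continues outside the hunk.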

+ 1 - 1
web/src/main/java/org/springframework/security/web/context/HttpSessionContextIntegrationFilter.java

@@ -186,7 +186,7 @@ public class HttpSessionContextIntegrationFilter extends SecurityContextPersiste
 
     //~ Methods ========================================================================================================
 
-    public void afterPropertiesSet() throws Exception {
+    public void afterPropertiesSet() {
         if (forceEagerSessionCreation && !allowSessionCreation) {
             throw new IllegalArgumentException(
                     "If using forceEagerSessionCreation, you must set allowSessionCreation to also be true");
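Review bot: `afterPropertiesSet()` loses its `throws Exception` here but, unlike the other filters touched by this commit, does not gain `@Override`. The class extends SecurityContextPersistenceFilter, which now derives from GenericFilterBean, so the method is an override. Adding `@Override` above `public void afterPropertiesSet() {` lets the compiler confirm the method still matches the inherited signature. The method body continues outside the hunk.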

+ 8 - 4
web/src/main/java/org/springframework/security/web/context/SecurityContextPersistenceFilter.java

@@ -4,13 +4,15 @@ import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.SpringSecurityFilter;
+import org.springframework.web.filter.GenericFilterBean;
 
 /**
  * Populates the {@link SecurityContextHolder} with information obtained from
@@ -37,7 +39,7 @@ import org.springframework.security.web.SpringSecurityFilter;
  * @version $Id$
  * @since 3.0
  */
-public class SecurityContextPersistenceFilter extends SpringSecurityFilter {
+public class SecurityContextPersistenceFilter extends GenericFilterBean {
 
     static final String FILTER_APPLIED = "__spring_security_scpf_applied";
 
@@ -45,9 +47,11 @@ public class SecurityContextPersistenceFilter extends SpringSecurityFilter {
 
     private boolean forceEagerSessionCreation = false;
 
-    @Override
-    protected void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
             throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
 
         if (request.getAttribute(FILTER_APPLIED) != null) {
             // ensure that filter is only applied once per request

+ 7 - 5
web/src/main/java/org/springframework/security/web/savedrequest/RequestCacheAwareFilter.java

@@ -4,10 +4,12 @@ import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.security.web.SpringSecurityFilter;
+import org.springframework.web.filter.GenericFilterBean;
 
 /**
  * Responsible for reconstituting the saved request if one is cached and it matches the current request.
@@ -21,15 +23,15 @@ import org.springframework.security.web.SpringSecurityFilter;
  * @version $Id$
  * @since 3.0
  */
-public class RequestCacheAwareFilter extends SpringSecurityFilter {
+public class RequestCacheAwareFilter extends GenericFilterBean {
 
     private RequestCache requestCache = new HttpSessionRequestCache();
 
-    @Override
-    protected void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
             throws IOException, ServletException {
 
-        HttpServletRequest wrappedSavedRequest = requestCache.getMatchingRequest(request, response);
+        HttpServletRequest wrappedSavedRequest =
+            requestCache.getMatchingRequest((HttpServletRequest)request, (HttpServletResponse)response);
 
         chain.doFilter(wrappedSavedRequest == null ? request : wrappedSavedRequest, response);
     }

+ 7 - 3
web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java

@@ -4,6 +4,8 @@ import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -11,9 +13,9 @@ import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
 
 /**
  * Detects that a user has been authenticated since the start of the request and, if they have, calls the
@@ -27,7 +29,7 @@ import org.springframework.util.Assert;
  * @version $Id$
  * @since 2.0
  */
-public class SessionManagementFilter extends SpringSecurityFilter {
+public class SessionManagementFilter extends GenericFilterBean {
     //~ Static fields/initializers =====================================================================================
 
     static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied";
@@ -46,8 +48,10 @@ public class SessionManagementFilter extends SpringSecurityFilter {
         this.securityContextRepository = securityContextRepository;
     }
 
-    protected void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
             throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
 
         if (request.getAttribute(FILTER_APPLIED) != null) {
             chain.doFilter(request, response);

+ 6 - 5
web/src/main/java/org/springframework/security/web/wrapper/SecurityContextHolderAwareRequestFilter.java

@@ -19,11 +19,12 @@ import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
 
 
 /**
@@ -37,7 +38,7 @@ import org.springframework.util.Assert;
  * @author Luke Taylor
  * @version $Id$
  */
-public class SecurityContextHolderAwareRequestFilter extends SpringSecurityFilter {
+public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
     //~ Instance fields ================================================================================================
 
     private String rolePrefix;
@@ -49,8 +50,8 @@ public class SecurityContextHolderAwareRequestFilter extends SpringSecurityFilte
         this.rolePrefix = rolePrefix.trim();
     }
 
-    protected void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
             throws IOException, ServletException {
-        chain.doFilter(new SecurityContextHolderAwareRequestWrapper(request, rolePrefix), response);
+        chain.doFilter(new SecurityContextHolderAwareRequestWrapper((HttpServletRequest) req, rolePrefix), res);
     }
 }

+ 0 - 2
web/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java

@@ -149,9 +149,7 @@ public class ChannelProcessingFilterTests {
         filter.setSecurityMetadataSource(fids);
         assertSame(fids, filter.getSecurityMetadataSource());
 
-        filter.init(null);
         filter.afterPropertiesSet();
-        filter.destroy();
     }
 
     //~ Inner Classes ==================================================================================================

+ 3 - 4
web/src/test/java/org/springframework/security/web/authentication/AnonymousProcessingFilterTests.java

@@ -58,11 +58,10 @@ public class AnonymousProcessingFilterTests extends TestCase {
     //~ Methods ========================================================================================================
 
     private void executeFilterInContainerSimulator(FilterConfig filterConfig, Filter filter, ServletRequest request,
-        ServletResponse response, FilterChain filterChain)
-        throws ServletException, IOException {
-        filter.init(filterConfig);
+        ServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+//        filter.init(filterConfig);
         filter.doFilter(request, response, filterChain);
-        filter.destroy();
+//        filter.destroy();
     }
 
     protected void setUp() throws Exception {
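Review bot: The `filter.init(filterConfig)` and `filter.destroy()` calls in `executeFilterInContainerSimulator` are commented out rather than deleted, leaving dead code and an unused `filterConfig` parameter. The same commented-out lifecycle calls appear in AuthenticationProcessingFilterTests, RememberMeProcessingFilterTests, BasicProcessingFilterTests (where the `FilterConfig` import is removed as well), HttpSessionContextIntegrationFilterTests and SecurityContextHolderAwareRequestFilterTests. Presumably `init` was disabled because the new `GenericFilterBean` base does real work there, but the effect is that these tests no longer run the filters' initialization path before `doFilter`. Either delete the lines and the unused parameter, or keep the lifecycle covered with a real config, for example `filter.init(new MockFilterConfig());`. `setUp` continues outside this hunk.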

+ 1 - 1
web/src/test/java/org/springframework/security/web/authentication/AuthenticationProcessingFilterTests.java

@@ -52,7 +52,7 @@ public class AuthenticationProcessingFilterTests extends TestCase {
         UsernamePasswordAuthenticationProcessingFilter filter = new UsernamePasswordAuthenticationProcessingFilter();
         assertEquals("/j_spring_security_check", filter.getFilterProcessesUrl());
         filter.setAuthenticationManager(createAuthenticationManager());
-        filter.init(null);
+//        filter.init(null);
 
         Authentication result = filter.attemptAuthentication(request, new MockHttpServletResponse());
         assertTrue(result != null);

+ 0 - 1
web/src/test/java/org/springframework/security/web/authentication/preauth/header/RequestHeaderPreAuthenticatedProcessingFilterTests.java

@@ -37,7 +37,6 @@ public class RequestHeaderPreAuthenticatedProcessingFilterTests {
         MockHttpServletResponse response = new MockHttpServletResponse();
         MockFilterChain chain = new MockFilterChain();
         RequestHeaderPreAuthenticatedProcessingFilter filter = new RequestHeaderPreAuthenticatedProcessingFilter();
-        filter.getOrder();
 
         filter.doFilter(request, response, chain);
     }

+ 3 - 4
web/src/test/java/org/springframework/security/web/authentication/rememberme/RememberMeProcessingFilterTests.java

@@ -56,11 +56,10 @@ public class RememberMeProcessingFilterTests extends TestCase {
     //~ Methods ========================================================================================================
 
     private void executeFilterInContainerSimulator(FilterConfig filterConfig, Filter filter, ServletRequest request,
-        ServletResponse response, FilterChain filterChain)
-        throws ServletException, IOException {
-        filter.init(filterConfig);
+        ServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+//        filter.init(filterConfig);
         filter.doFilter(request, response, filterChain);
-        filter.destroy();
+//        filter.destroy();
     }
 
     protected void setUp() throws Exception {

+ 2 - 2
web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserProcessingFilterTests.java

@@ -161,7 +161,7 @@ public class SwitchUserProcessingFilterTests {
 
         // Check it with no url set (should get a text response)
         FilterChain chain = mock(FilterChain.class);
-        filter.doFilterHttp(request, response, chain);
+        filter.doFilter(request, response, chain);
         verify(chain, never()).doFilter(request, response);
 
         assertEquals("Authentication Failed: User is disabled", response.getErrorMessage());
@@ -177,7 +177,7 @@ public class SwitchUserProcessingFilterTests {
         response = new MockHttpServletResponse();
 
         chain = mock(FilterChain.class);
-        filter.doFilterHttp(request, response, chain);
+        filter.doFilter(request, response, chain);
         verify(chain, never()).doFilter(request, response);
 
         assertEquals("/mywebapp/switchfailed", response.getRedirectedUrl());

+ 2 - 3
web/src/test/java/org/springframework/security/web/authentication/www/BasicProcessingFilterTests.java

@@ -24,7 +24,6 @@ import java.io.IOException;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
@@ -63,13 +62,13 @@ public class BasicProcessingFilterTests {
 
     private MockHttpServletResponse executeFilterInContainerSimulator(Filter filter, final ServletRequest request,
                     final boolean expectChainToProceed) throws ServletException, IOException {
-        filter.init(mock(FilterConfig.class));
+//        filter.init(mock(FilterConfig.class));
 
         final MockHttpServletResponse response = new MockHttpServletResponse();
 
         FilterChain chain = mock(FilterChain.class);
         filter.doFilter(request, response, chain);
-        filter.destroy();
+//        filter.destroy();
 
         verify(chain, expectChainToProceed ? times(1) : never()).doFilter(any(ServletRequest.class), any(ServletResponse.class));
         return response;

+ 1 - 3
web/src/test/java/org/springframework/security/web/authentication/www/DigestProcessingFilterTests.java

@@ -87,8 +87,6 @@ public class DigestProcessingFilterTests {
 
     private MockHttpServletResponse executeFilterInContainerSimulator(Filter filter, final ServletRequest request,
                                                                       final boolean expectChainToProceed) throws ServletException, IOException {
-        filter.init(mock(FilterConfig.class));
-
         final MockHttpServletResponse response = new MockHttpServletResponse();
 
         Mockery jmockContext = new JUnit4Mockery();
@@ -99,7 +97,7 @@ public class DigestProcessingFilterTests {
         }});
 
         filter.doFilter(request, response, chain);
-        filter.destroy();
+
         jmockContext.assertIsSatisfied();
         return response;
     }

+ 2 - 2
web/src/test/java/org/springframework/security/web/context/HttpSessionContextIntegrationFilterTests.java

@@ -59,9 +59,9 @@ public class HttpSessionContextIntegrationFilterTests extends TestCase {
             FilterConfig filterConfig, Filter filter, ServletRequest request,
             ServletResponse response, FilterChain filterChain)
             throws ServletException, IOException {
-        filter.init(filterConfig);
+//        filter.init(filterConfig);
         filter.doFilter(request, response, filterChain);
-        filter.destroy();
+//        filter.destroy();
     }
 
     public void testDetectsIncompatibleSessionProperties() throws Exception {

+ 1 - 1
web/src/test/java/org/springframework/security/web/wrapper/SecurityContextHolderAwareRequestFilterTests.java

@@ -42,7 +42,7 @@ public class SecurityContextHolderAwareRequestFilterTests {
     public void expectedRequestWrapperClassIsUsed() throws Exception {
         SecurityContextHolderAwareRequestFilter filter = new SecurityContextHolderAwareRequestFilter();
         filter.setRolePrefix("ROLE_");
-        filter.init(jmock.mock(FilterConfig.class));
+//        filter.init(jmock.mock(FilterConfig.class));
         final FilterChain filterChain = jmock.mock(FilterChain.class);
 
         jmock.checking(new Expectations() {{

+ 6 - 5
web/template.mf

@@ -3,18 +3,18 @@ Bundle-Name: Spring Security Web
 Bundle-Vendor: SpringSource
 Bundle-Version: ${version}
 Bundle-ManifestVersion: 2
-Excluded-Exports: 
+Excluded-Exports:
  org.springframework.security.web.authentication.preauth.websphere
-Excluded-Imports: 
+Excluded-Imports:
  javax.naming.*,
  javax.rmi.*,
  javax.sql.*,
  javax.security.auth.*,
  org.aopalliance.*
-Ignored-Existing-Headers: 
+Ignored-Existing-Headers:
  Import-Package,
  Export-Package
-Import-Template: 
+Import-Template:
  org.apache.commons.logging.*;version="[1.0.4, 2.0.0)",
  org.apache.commons.codec.*;version="[1.3, 2.0)";resolution:=optional,
  org.springframework.security.core.*;version="[${version}, 3.1.0)",
@@ -31,8 +31,9 @@ Import-Template:
  org.springframework.jdbc.*;version="[3.0.0, 3.1.0)";resolution:=optional,
  org.springframework.mock.web;version="[3.0.0, 3.1.0)";resolution:=optional,
  org.springframework.web.context.*;version="[3.0.0, 3.1.0)";resolution:=optional,
+ org.springframework.web.filter.*;version="[3.0.0, 3.1.0)",
  org.springframework.util;version="[3.0.0, 3.1.0)";resolution:=optional,
  org.w3c.dom;version="0";resolution:=optional,
  org.xml.sax;version="0";resolution:=optional,
  javax.servlet.*;version="0",
- javax.xml.parsers.*;version="0";resolution:=optional
+ javax.xml.parsers.*;version="0";resolution:=optional