Hi,

Is there any reason why the username/password parameter names are static final in AuthenticationProcessingFilter?

It seems to me that it would be more consistent (and flexible) to make these instance variables (since the filter will be a singleton anyway) and provide setters for them (so one can override the field names). If I'm overlooking something, I'd love to hear, otherwise I'm happy to submit a patch.

Cheers,

James.

Hi James

They're public static final just as it's good coding practice to do so for constants.

Realistically I can't see use cases where people would want to change these to some other values. They're also identical to those used by the Servlet spec for login forms, so they're widely known.

Don't forget if someone really needs to use different parameters, they're free to write their own AbstractProcessingFilter subclass. After all, the main method is only a dozen lines of code:


public Authentication attemptAuthentication(HttpServletRequest request)
throws AuthenticationException {
String username = request.getParameter(ACEGI_SECURITY_FORM_USERNAME_ KEY);
String password = request.getParameter(ACEGI_SECURITY_FORM_PASSWORD_ KEY);

if (username == null) {
username = "";
}

if (password == null) {
password = "";
}

UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
password);
authRequest.setDetails(request.getRemoteAddr());

return this.getAuthenticationManager().authenticate(authR equest);
}

Sure, I understand that is how constants should be coded, I just didn't understand why they were constants. However if this is what the Servlet spec mandates then I guess it makes sense. Thanks for clearing it up :)

J.