org.springframework.security.web.context
Class HttpSessionContextIntegrationFilter

java.lang.Object
  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.security.web.context.SecurityContextPersistenceFilter
          extended by org.springframework.security.web.context.HttpSessionContextIntegrationFilter
All Implemented Interfaces:
Filter, BeanNameAware, DisposableBean, InitializingBean, ServletContextAware

Deprecated. Use SecurityContextPersistenceFilter instead.

public class HttpSessionContextIntegrationFilter
extends SecurityContextPersistenceFilter
implements InitializingBean

Populates the SecurityContextHolder with information obtained from the HttpSession.

The HttpSession will be queried to retrieve the SecurityContext that should be stored against the SecurityContextHolder for the duration of the web request. At the end of the web request, any updates made to the SecurityContextHolder will be persisted back to the HttpSession by this filter.

If a valid SecurityContext cannot be obtained from the HttpSession for whatever reason, a fresh SecurityContext will be created and used instead. The created object will be an instance of the class set by the setContextClass(Class) method (which defaults to SecurityContextImpl).

No HttpSession will be created by this filter if one does not already exist. If at the end of the web request the HttpSession does not exist, an HttpSession will only be created if the current contents of the SecurityContextHolder are not Object.equals(java.lang.Object) to a new instance of the class set by setContextClass(Class). This avoids needless HttpSession creation, but automates the storage of changes made to the SecurityContextHolder. There is one exception to this rule: if the forceEagerSessionCreation property is true, sessions will always be created irrespective of the normal session-minimisation logic (the default is false, as this is resource intensive and not recommended).

This filter will only execute once per request, to resolve servlet container (specifically Weblogic) incompatibilities.

If for whatever reason no HttpSession should ever be created (e.g. this filter is only being used with Basic authentication or similar clients that will never present the same jsessionid), allowSessionCreation should be set to false using setAllowSessionCreation(boolean). Only do this if you really need to conserve server memory, and ensure that all classes using the SecurityContextHolder are designed to have no persistence of the SecurityContext between web requests. Please note that if forceEagerSessionCreation is true, allowSessionCreation must also be true (setting it to false will cause a startup-time error).

This filter MUST be executed BEFORE any authentication processing mechanisms. Authentication processing mechanisms (e.g. BASIC, CAS processing filters) expect the SecurityContextHolder to contain a valid SecurityContext by the time they execute.
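
The session-creation rules described above, as an added example: a simplified plain-Java model written for this page, not Spring Security's own code. The class SessionMinimisationModel, its Context stand-in, the attribute name and the handle method are hypothetical; only the allowSessionCreation and forceEagerSessionCreation property names come from the documentation.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Stand-alone model of the documented rules; not Spring Security source code.
public class SessionMinimisationModel {
    static final String KEY = "CONTEXT_KEY"; // constructed attribute name for this model

    // Stand-in for the configured context class; equal when the authentication matches.
    static final class Context {
        String authentication; // null = nothing authenticated yet
        @Override public boolean equals(Object o) {
            return o instanceof Context && Objects.equals(authentication, ((Context) o).authentication);
        }
        @Override public int hashCode() { return Objects.hashCode(authentication); }
    }

    final boolean allowSessionCreation;
    final boolean forceEagerSessionCreation;

    SessionMinimisationModel(boolean allowSessionCreation, boolean forceEagerSessionCreation) {
        // The documented startup-time check: eager creation needs creation to be allowed.
        if (forceEagerSessionCreation && !allowSessionCreation) {
            throw new IllegalArgumentException("forceEagerSessionCreation requires allowSessionCreation");
        }
        this.allowSessionCreation = allowSessionCreation;
        this.forceEagerSessionCreation = forceEagerSessionCreation;
    }

    // One request. session == null means no HttpSession exists; returns the session afterwards.
    Map<String, Object> handle(Map<String, Object> session, String loginAs) {
        if (session == null && forceEagerSessionCreation) session = new HashMap<>();
        Object stored = (session == null) ? null : session.get(KEY);
        Context ctx = (stored instanceof Context) ? (Context) stored : new Context();
        if (loginAs != null) ctx.authentication = loginAs; // stands in for the rest of the filter chain
        boolean changed = !ctx.equals(new Context());
        if (session == null && allowSessionCreation && changed) session = new HashMap<>();
        if (session != null) session.put(KEY, ctx);
        return session;
    }

    public static void main(String[] args) {
        SessionMinimisationModel defaults = new SessionMinimisationModel(true, false);
        System.out.println("anonymous, defaults -> session exists: " + (defaults.handle(null, null) != null));
        System.out.println("login, defaults     -> session exists: " + (defaults.handle(null, "alice") != null));
        SessionMinimisationModel stateless = new SessionMinimisationModel(false, false);
        System.out.println("login, no creation  -> session exists: " + (stateless.handle(null, "alice") != null));
        SessionMinimisationModel eager = new SessionMinimisationModel(true, true);
        System.out.println("anonymous, eager    -> session exists: " + (eager.handle(null, null) != null));
    }
}
```

In the model's allowSessionCreation=false case the authenticated context is dropped when the request ends, which is why such a deployment only suits clients that present credentials on every request.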

Version:
$Id: HttpSessionContextIntegrationFilter.java 3813 2009-08-10 14:18:18Z ltaylor $
Author:
Ben Alex, Patrick Burleson, Luke Taylor, Martin Algesten

Field Summary
static String SPRING_SECURITY_CONTEXT_KEY
          Deprecated.  
 
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
 
Constructor Summary
HttpSessionContextIntegrationFilter()
          Deprecated.  
 
Method Summary
 void afterPropertiesSet()
          Deprecated.  
protected  Class<? extends SecurityContext> getContextClass()
          Deprecated.  
 boolean isAllowSessionCreation()
          Deprecated.  
 boolean isCloneFromHttpSession()
          Deprecated.  
 boolean isForceEagerSessionCreation()
          Deprecated.  
 void setAllowSessionCreation(boolean allowSessionCreation)
          Deprecated.  
 void setCloneFromHttpSession(boolean cloneFromHttpSession)
          Deprecated.  
 void setContextClass(Class secureContext)
          Deprecated.  
 void setForceEagerSessionCreation(boolean forceEagerSessionCreation)
          Deprecated.  
 
Methods inherited from class org.springframework.security.web.context.SecurityContextPersistenceFilter
doFilter, setSecurityContextRepository
 
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

SPRING_SECURITY_CONTEXT_KEY

public static final String SPRING_SECURITY_CONTEXT_KEY
Deprecated. 
See Also:
Constant Field Values

Constructor Detail

HttpSessionContextIntegrationFilter

public HttpSessionContextIntegrationFilter()
                                    throws ServletException
Deprecated. 
Throws:
ServletException

Method Detail

isCloneFromHttpSession

public boolean isCloneFromHttpSession()
Deprecated. 

setCloneFromHttpSession

public void setCloneFromHttpSession(boolean cloneFromHttpSession)
Deprecated. 

isAllowSessionCreation

public boolean isAllowSessionCreation()
Deprecated. 

setAllowSessionCreation

public void setAllowSessionCreation(boolean allowSessionCreation)
Deprecated. 

getContextClass

protected Class<? extends SecurityContext> getContextClass()
Deprecated. 

setContextClass

public void setContextClass(Class secureContext)
Deprecated. 

isForceEagerSessionCreation

public boolean isForceEagerSessionCreation()
Deprecated. 

setForceEagerSessionCreation

public void setForceEagerSessionCreation(boolean forceEagerSessionCreation)
Deprecated. 
Overrides:
setForceEagerSessionCreation in class SecurityContextPersistenceFilter

afterPropertiesSet

public void afterPropertiesSet()
Deprecated. 
Specified by:
afterPropertiesSet in interface InitializingBean
Overrides:
afterPropertiesSet in class GenericFilterBean


Copyright © 2004-2009 SpringSource, Inc. All Rights Reserved.