org.springframework.security.web.session
Class SessionManagementFilter

java.lang.Object
  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.security.web.session.SessionManagementFilter
All Implemented Interfaces:
Filter, BeanNameAware, DisposableBean, InitializingBean, ServletContextAware

public class SessionManagementFilter
extends GenericFilterBean

Detects that a user has been authenticated since the start of the request and, if they have, calls the configured SessionAuthenticationStrategy to perform any session-related activity such as activating session-fixation protection mechanisms or checking for multiple concurrent logins.

Since:
2.0
Version:
$Id: SessionManagementFilter.java 3921 2009-10-05 16:40:32Z ltaylor $
Author:
Martin Algesten, Luke Taylor

Field Summary
 
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
 
Constructor Summary
SessionManagementFilter(SecurityContextRepository securityContextRepository)
           
 
Method Summary
 void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
           
 void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
          The handler which will be invoked if the SessionAuthenticationStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).
 void setInvalidSessionUrl(String invalidSessionUrl)
          Sets the URL to which the response should be redirected if the user agent requests an invalid session Id.
 void setRedirectStrategy(RedirectStrategy redirectStrategy)
           
 void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionStrategy)
          Sets the strategy object which handles the session management behaviour when a user has been authenticated during the current request.
 
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SessionManagementFilter

public SessionManagementFilter(SecurityContextRepository securityContextRepository)
Method Detail

doFilter

public void doFilter(ServletRequest req,
                     ServletResponse res,
                     FilterChain chain)
              throws IOException,
                     ServletException
Throws:
IOException
ServletException

setSessionAuthenticationStrategy

public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionStrategy)
Sets the strategy object which handles the session management behaviour when a user has been authenticated during the current request.

Parameters:
sessionStrategy - the strategy object. If not set, a SessionFixationProtectionStrategy is used.

setInvalidSessionUrl

public void setInvalidSessionUrl(String invalidSessionUrl)
Sets the URL to which the response should be redirected if the user agent requests an invalid session Id. If the property is not set, no action will be taken.

Parameters:
invalidSessionUrl -

setAuthenticationFailureHandler

public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
The handler which will be invoked if the SessionAuthenticationStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).


setRedirectStrategy

public void setRedirectStrategy(RedirectStrategy redirectStrategy)
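
The strategy and failure-handler contract described above, as an added example (not part of the Spring Security source or of this Javadoc). The class name CappedSessionStrategy, the buildFilter helper and both URLs are hypothetical. It assumes the SessionRegistry is the application's registered bean and that HttpSessionEventPublisher is configured so that destroyed sessions leave the registry.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.session.SessionManagementFilter;

// Hypothetical strategy: enforce a per-user session cap, then apply fixation protection.
public class CappedSessionStrategy implements SessionAuthenticationStrategy {
    private final SessionRegistry registry;
    private final int maxSessions;
    private final SessionFixationProtectionStrategy fixation = new SessionFixationProtectionStrategy();

    public CappedSessionStrategy(SessionRegistry registry, int maxSessions) {
        this.registry = registry;
        this.maxSessions = maxSessions;
    }

    public void onAuthentication(Authentication auth, HttpServletRequest request, HttpServletResponse response) {
        HttpSession current = request.getSession(false);
        int others = 0; // live sessions of this principal, not counting the one being authenticated
        List<SessionInformation> open = registry.getAllSessions(auth.getPrincipal(), false);
        for (SessionInformation info : open) {
            if (current == null || !info.getSessionId().equals(current.getId())) {
                others++;
            }
        }
        if (others >= maxSessions) {
            // Surfaces in SessionManagementFilter, which invokes the AuthenticationFailureHandler.
            throw new SessionAuthenticationException("Session limit reached for " + auth.getName());
        }
        fixation.onAuthentication(auth, request, response); // replaces the pre-login session
        registry.registerNewSession(request.getSession().getId(), auth.getPrincipal());
    }

    // Wires the filter through the constructor and setters documented on this page.
    public static SessionManagementFilter buildFilter(SessionRegistry registry) {
        SessionManagementFilter filter = new SessionManagementFilter(new HttpSessionSecurityContextRepository());
        filter.setSessionAuthenticationStrategy(new CappedSessionStrategy(registry, 1));
        filter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/login?error=sessions")); // assumed URL
        filter.setInvalidSessionUrl("/login?expired"); // assumed URL
        return filter;
    }
}
```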


Copyright © 2004-2009 SpringSource, Inc. All Rights Reserved.