Spring Security Framework

org.springframework.security.ui
Class SessionFixationProtectionFilter

java.lang.Object
  extended by org.springframework.security.ui.SpringSecurityFilter
      extended by org.springframework.security.ui.SessionFixationProtectionFilter
All Implemented Interfaces:
Filter, Ordered

public class SessionFixationProtectionFilter
extends SpringSecurityFilter

Detects that a user has been authenticated since the start of the request and starts a new session.

This is essentially a generalization of the functionality that was implemented for SEC-399. Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used with Spring Security's concurrent session control.

Since:
2.0
Author:
Martin Algesten, Luke Taylor

Field Summary
 
Fields inherited from class org.springframework.security.ui.SpringSecurityFilter
logger
 
Fields inherited from interface org.springframework.core.Ordered
HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE
 
Constructor Summary
SessionFixationProtectionFilter()
           
 
Method Summary
protected  void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
           
 int getOrder()
           
 void setMigrateSessionAttributes(boolean migrateSessionAttributes)
           
 void setSessionRegistry(SessionRegistry sessionRegistry)
           
protected  void startNewSessionIfRequired(HttpServletRequest request, HttpServletResponse response)
          Called when a user wasn't authenticated at the start of the request but has been authenticated during it
 
Methods inherited from class org.springframework.security.ui.SpringSecurityFilter
destroy, doFilter, init, toString
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Constructor Detail

SessionFixationProtectionFilter

public SessionFixationProtectionFilter()
Method Detail

doFilterHttp

protected void doFilterHttp(HttpServletRequest request,
                            HttpServletResponse response,
                            FilterChain chain)
                     throws IOException,
                            ServletException
Specified by:
doFilterHttp in class SpringSecurityFilter
Throws:
IOException
ServletException

setMigrateSessionAttributes

public void setMigrateSessionAttributes(boolean migrateSessionAttributes)

setSessionRegistry

public void setSessionRegistry(SessionRegistry sessionRegistry)

getOrder

public int getOrder()

startNewSessionIfRequired

protected void startNewSessionIfRequired(HttpServletRequest request,
                                         HttpServletResponse response)
Called when a user wasn't authenticated at the start of the request but has been authenticated during it.

A new session will be created, the session attributes copied to it (if migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.
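
The session-replacement steps described above, sketched with the plain Servlet API as an added example; this is not Spring Security's source code. The names `SessionRenewalSketch` and `renewSession` are hypothetical, and the SessionRegistry update is left out.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added illustration, not Spring Security source. Class and method names are hypothetical.
public final class SessionRenewalSketch {

    private SessionRenewalSketch() {}

    /**
     * Replaces the pre-authentication session with a fresh one, so that a
     * session id known before login is no longer valid after it.
     * Returns the new session, or null if there was no session to replace.
     */
    public static HttpSession renewSession(HttpServletRequest request, boolean migrateAttributes) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return null; // no pre-login session id exists, so nothing to replace
        }
        String oldId = old.getId();

        // Snapshot attributes first: they cannot be read after invalidate().
        Map<String, Object> saved = new HashMap<String, Object>();
        if (migrateAttributes) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
        }

        old.invalidate();                             // the old id stops working here
        HttpSession fresh = request.getSession(true); // container issues a new id

        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }

        // Fail loudly if the container handed back the same id.
        if (fresh.getId().equals(oldId)) {
            throw new IllegalStateException("Session id did not change after renewal");
        }
        return fresh;
    }
}
```

With `migrateAttributes` set to false the new session starts empty, so any state the application expects to carry across login has to be rebuilt.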



Copyright © 2004-2010 SpringSource, Inc. All Rights Reserved.