org.springframework.security.web.context
Class AbstractSecurityWebApplicationInitializer

java.lang.Object
  extended by org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer
All Implemented Interfaces:
WebApplicationInitializer

public abstract class AbstractSecurityWebApplicationInitializer
extends Object
implements WebApplicationInitializer

Registers the DelegatingFilterProxy to use the springSecurityFilterChain before any other registered Filter. When used with AbstractSecurityWebApplicationInitializer(Class...), it will also register a ContextLoaderListener. When used with AbstractSecurityWebApplicationInitializer(), this class is typically used in addition to a subclass of AbstractContextLoaderInitializer.

By default the DelegatingFilterProxy is registered without support, but can be enabled by overriding isAsyncSecuritySupported() and getSecurityDispatcherTypes().

Additional configuration before and after the springSecurityFilterChain can be added by overriding afterSpringSecurityFilterChain(ServletContext).

Caveats

Subclasses of AbstractDispatcherServletInitializer will register their filters before any other Filter. This means that you will typically want to ensure subclasses of AbstractDispatcherServletInitializer are invoked first. This can be done by ensuring that the Order or Ordered value of AbstractDispatcherServletInitializer subclasses is sooner than that of subclasses of AbstractSecurityWebApplicationInitializer.


Field Summary
static String DEFAULT_FILTER_NAME
           
 
Constructor Summary
protected AbstractSecurityWebApplicationInitializer()
          Creates a new instance that assumes the Spring Security configuration is loaded by some other means than this class.
protected AbstractSecurityWebApplicationInitializer(Class<?>... configurationClasses)
          Creates a new instance that will instantiate the ContextLoaderListener with the specified classes.
 
Method Summary
protected  void afterSpringSecurityFilterChain(javax.servlet.ServletContext servletContext)
          Invoked after the springSecurityFilterChain is added.
protected  void appendFilters(javax.servlet.ServletContext servletContext, javax.servlet.Filter... filters)
          Inserts the provided Filters after existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().
protected  boolean enableHttpSessionEventPublisher()
          Override this if HttpSessionEventPublisher should be added as a listener.
protected  String getDispatcherWebApplicationContextSuffix()
          Return the servlet name in order to use the DispatcherServlet's WebApplicationContext to find the DelegatingFilterProxy, or null to use the parent ApplicationContext.
protected  EnumSet<javax.servlet.DispatcherType> getSecurityDispatcherTypes()
          Get the DispatcherType for the springSecurityFilterChain.
protected  Set<javax.servlet.SessionTrackingMode> getSessionTrackingModes()
          Determines how a session should be tracked.
protected  void insertFilters(javax.servlet.ServletContext servletContext, javax.servlet.Filter... filters)
          Inserts the provided Filters before existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().
protected  boolean isAsyncSecuritySupported()
          Determine if the springSecurityFilterChain should be marked as supporting asynch.
 void onStartup(javax.servlet.ServletContext servletContext)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

DEFAULT_FILTER_NAME

public static final String DEFAULT_FILTER_NAME
See Also:
Constant Field Values

Constructor Detail

AbstractSecurityWebApplicationInitializer

protected AbstractSecurityWebApplicationInitializer()
Creates a new instance that assumes the Spring Security configuration is loaded by some other means than this class. For example, a user might create a ContextLoaderListener using a subclass of AbstractContextLoaderInitializer.

See Also:
ContextLoaderListener

AbstractSecurityWebApplicationInitializer

protected AbstractSecurityWebApplicationInitializer(Class<?>... configurationClasses)
Creates a new instance that will instantiate the ContextLoaderListener with the specified classes.

Parameters:
configurationClasses -

Method Detail

onStartup

public final void onStartup(javax.servlet.ServletContext servletContext)
                     throws javax.servlet.ServletException
Specified by:
onStartup in interface WebApplicationInitializer
Throws:
javax.servlet.ServletException

enableHttpSessionEventPublisher

protected boolean enableHttpSessionEventPublisher()
Override this if HttpSessionEventPublisher should be added as a listener. This should be true, if session management has specified a maximum number of sessions.

Returns:
true to add HttpSessionEventPublisher, else false

insertFilters

protected final void insertFilters(javax.servlet.ServletContext servletContext,
                                   javax.servlet.Filter... filters)
Inserts the provided Filters before existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().

Parameters:
servletContext - the ServletContext to use
filters - the Filters to register

appendFilters

protected final void appendFilters(javax.servlet.ServletContext servletContext,
                                   javax.servlet.Filter... filters)
Inserts the provided Filters after existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().

Parameters:
servletContext - the ServletContext to use
filters - the Filters to register

getSessionTrackingModes

protected Set<javax.servlet.SessionTrackingMode> getSessionTrackingModes()
Determines how a session should be tracked. By default, SessionTrackingMode.COOKIE is used.

Note that SessionTrackingMode.URL is intentionally omitted to help protect against session fixation attacks. SessionTrackingMode.SSL is omitted because SSL configuration is required for this to work.

Subclasses can override this method to make customizations.

Returns:

getDispatcherWebApplicationContextSuffix

protected String getDispatcherWebApplicationContextSuffix()
Return the servlet name in order to use the DispatcherServlet's WebApplicationContext to find the DelegatingFilterProxy, or null to use the parent ApplicationContext.

For example, if you are using AbstractDispatcherServletInitializer or AbstractAnnotationConfigDispatcherServletInitializer and using the provided Servlet name, you can return "dispatcher" from this method to use the DispatcherServlet's WebApplicationContext.

Returns:
the servlet name of the DispatcherServlet to use its WebApplicationContext, or null (default) to use the parent ApplicationContext.

afterSpringSecurityFilterChain

protected void afterSpringSecurityFilterChain(javax.servlet.ServletContext servletContext)
Invoked after the springSecurityFilterChain is added.

Parameters:
servletContext - the ServletContext

getSecurityDispatcherTypes

protected EnumSet<javax.servlet.DispatcherType> getSecurityDispatcherTypes()
Get the DispatcherType for the springSecurityFilterChain.

Returns:

isAsyncSecuritySupported

protected boolean isAsyncSecuritySupported()
Determine if the springSecurityFilterChain should be marked as supporting asynch. Default is true.

Returns:
true if springSecurityFilterChain should be marked as supporting asynch
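
Example

The following subclass is an added example, not code from the Spring Security project. It combines the ordering caveat, the session settings and the filter hooks described above. The class name, the @Order value and the choice of CharacterEncodingFilter are assumptions made for illustration.

```java
import java.util.EnumSet;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.SessionTrackingMode;

import org.springframework.core.annotation.Order;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.filter.CharacterEncodingFilter;

// Hypothetical subclass. Assumes the Spring Security configuration is loaded
// elsewhere (for example by a subclass of AbstractContextLoaderInitializer),
// so the no-argument constructor is used, and that any
// AbstractDispatcherServletInitializer subclass in the application carries a
// lower @Order value so that it is invoked first (see Caveats).
@Order(200) // constructed value; only its position relative to the dispatcher initializer matters
public class SecurityWebApplicationInitializer
        extends AbstractSecurityWebApplicationInitializer {

    // Return true when session management specifies a maximum number of
    // sessions, so that HttpSessionEventPublisher is added as a listener.
    @Override
    protected boolean enableHttpSessionEventPublisher() {
        return true;
    }

    // States the cookie-only default explicitly. SessionTrackingMode.URL is
    // left out so the session id is never carried in a URL, which helps
    // protect against session fixation.
    @Override
    protected Set<SessionTrackingMode> getSessionTrackingModes() {
        return EnumSet.of(SessionTrackingMode.COOKIE);
    }

    // Called once springSecurityFilterChain has been registered.
    @Override
    protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
        CharacterEncodingFilter encoding = new CharacterEncodingFilter();
        encoding.setEncoding("UTF-8");
        encoding.setForceEncoding(true);

        // insertFilters registers before the existing filters, so the request
        // encoding is fixed before springSecurityFilterChain reads parameters.
        // appendFilters would register after the existing filters instead.
        insertFilters(servletContext, encoding);
    }
}
```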