public abstract class AbstractSecurityWebApplicationInitializer extends Object implements WebApplicationInitializer

Registers the DelegatingFilterProxy to use the springSecurityFilterChain before any other registered Filter. When used with AbstractSecurityWebApplicationInitializer(Class...), it will also register a ContextLoaderListener. When used with AbstractSecurityWebApplicationInitializer(), this class is typically used in addition to a subclass of AbstractContextLoaderInitializer.

By default the DelegatingFilterProxy is registered without support, but can be enabled by overriding isAsyncSecuritySupported() and getSecurityDispatcherTypes().

Additional configuration before and after the springSecurityFilterChain can be added by overriding afterSpringSecurityFilterChain(ServletContext).

Subclasses of AbstractDispatcherServletInitializer will register their filters before any other Filter. This means that you will typically want to ensure subclasses of AbstractDispatcherServletInitializer are invoked first. This can be done by ensuring the Order or Ordered of AbstractDispatcherServletInitializer is sooner than that of subclasses of AbstractSecurityWebApplicationInitializer.
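
One way to arrange the invocation order the caveat above describes, as an added example that is not part of the original Javadoc. Initializers, MvcInitializer, SecurityInitializer, SecurityConfig and WebConfig are hypothetical application classes, and the @Order values are arbitrary.

```java
import javax.servlet.Filter;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.filter.CharacterEncodingFilter;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

// Hypothetical holder class for the example; none of these names come from Spring.
public class Initializers {

    // Lower @Order value: invoked before SecurityInitializer, as the caveat recommends.
    @Order(1)
    public static class MvcInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
        @Override
        protected Class<?>[] getRootConfigClasses() {
            // The security configuration is loaded here, not by SecurityInitializer.
            return new Class<?>[] { SecurityConfig.class };
        }
        @Override
        protected Class<?>[] getServletConfigClasses() {
            return new Class<?>[] { WebConfig.class };
        }
        @Override
        protected String[] getServletMappings() {
            return new String[] { "/" };
        }
        @Override
        protected Filter[] getServletFilters() {
            // A filter registered by the dispatcher initializer itself.
            return new Filter[] { new CharacterEncodingFilter() };
        }
    }

    // No-arg constructor: relies on MvcInitializer having loaded SecurityConfig.
    @Order(2)
    public static class SecurityInitializer extends AbstractSecurityWebApplicationInitializer { }

    @Configuration
    @EnableWebSecurity
    public static class SecurityConfig extends WebSecurityConfigurerAdapter { }

    @Configuration
    public static class WebConfig { }
}
```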

Modifier and Type | Field and Description |
---|---|
static String | DEFAULT_FILTER_NAME |

Modifier | Constructor and Description |
---|---|
protected | AbstractSecurityWebApplicationInitializer(): Creates a new instance that assumes the Spring Security configuration is loaded by some other means than this class. |
protected | AbstractSecurityWebApplicationInitializer(Class<?>... configurationClasses): Creates a new instance that will instantiate the ContextLoaderListener with the specified classes. |

Modifier and Type | Method and Description |
---|---|
protected void | afterSpringSecurityFilterChain(javax.servlet.ServletContext servletContext): Invoked after the springSecurityFilterChain is added. |
protected void | appendFilters(javax.servlet.ServletContext servletContext, javax.servlet.Filter... filters): Inserts the provided Filters after existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported(). |
protected void | beforeSpringSecurityFilterChain(javax.servlet.ServletContext servletContext): Invoked before the springSecurityFilterChain is added. |
protected boolean | enableHttpSessionEventPublisher(): Override this if HttpSessionEventPublisher should be added as a listener. |
protected String | getDispatcherWebApplicationContextSuffix(): Return the <servlet-name> to use the DispatcherServlet's WebApplicationContext to find the DelegatingFilterProxy or null to use the parent ApplicationContext. |
protected EnumSet<javax.servlet.DispatcherType> | getSecurityDispatcherTypes(): Get the DispatcherType for the springSecurityFilterChain. |
protected Set<javax.servlet.SessionTrackingMode> | getSessionTrackingModes(): Determines how a session should be tracked. |
protected void | insertFilters(javax.servlet.ServletContext servletContext, javax.servlet.Filter... filters): Inserts the provided Filters before existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported(). |
protected boolean | isAsyncSecuritySupported(): Determine if the springSecurityFilterChain should be marked as supporting async. |
void | onStartup(javax.servlet.ServletContext servletContext) |

public static final String DEFAULT_FILTER_NAME

protected AbstractSecurityWebApplicationInitializer()
Creates a new instance that assumes the Spring Security configuration is loaded by some other means than this class, for example by a ContextLoaderListener created using a subclass of AbstractContextLoaderInitializer.
See also: ContextLoaderListener

protected AbstractSecurityWebApplicationInitializer(Class<?>... configurationClasses)
Creates a new instance that will instantiate the ContextLoaderListener with the specified classes.
Parameters: configurationClasses -

public final void onStartup(javax.servlet.ServletContext servletContext) throws javax.servlet.ServletException
Specified by: onStartup in interface WebApplicationInitializer
Throws: javax.servlet.ServletException

protected boolean enableHttpSessionEventPublisher()
Override this if HttpSessionEventPublisher should be added as a listener. This should be true, if session management has specified a maximum number of sessions.
Returns: true to add HttpSessionEventPublisher, else false

protected final void insertFilters(javax.servlet.ServletContext servletContext, javax.servlet.Filter... filters)
Inserts the provided Filters before existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().
Parameters:
servletContext - the ServletContext to use
filters - the Filters to register

protected final void appendFilters(javax.servlet.ServletContext servletContext, javax.servlet.Filter... filters)
Inserts the provided Filters after existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().
Parameters:
servletContext - the ServletContext to use
filters - the Filters to register

protected Set<javax.servlet.SessionTrackingMode> getSessionTrackingModes()
Determines how a session should be tracked. By default, SessionTrackingMode.COOKIE is used.
Note that SessionTrackingMode.URL is intentionally omitted to help protect against session fixation attacks. SessionTrackingMode.SSL is omitted because SSL configuration is required for this to work.
Subclasses can override this method to make customizations.
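
A subclass that combines the Class... constructor, enableHttpSessionEventPublisher(), getSessionTrackingModes() and the afterSpringSecurityFilterChain hook, as an added example that is not part of the original Javadoc. SessionHardeningInitializer and SecurityConfig are hypothetical application classes, and the session cookie flags set in the hook are an added hardening step that assumes an HTTPS-only deployment.

```java
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.SessionTrackingMode;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Hypothetical application class, not part of Spring Security.
public class SessionHardeningInitializer extends AbstractSecurityWebApplicationInitializer {

    public SessionHardeningInitializer() {
        // Class... constructor: a ContextLoaderListener is registered for SecurityConfig.
        super(SecurityConfig.class);
    }

    @Override
    protected boolean enableHttpSessionEventPublisher() {
        // true because SecurityConfig below sets a maximum number of sessions.
        return true;
    }

    @Override
    protected Set<SessionTrackingMode> getSessionTrackingModes() {
        // Pin the documented default; SessionTrackingMode.URL stays out of the set.
        return EnumSet.of(SessionTrackingMode.COOKIE);
    }

    @Override
    protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
        // Added hardening (assumption: the application is served over HTTPS only).
        servletContext.getSessionCookieConfig().setHttpOnly(true);
        servletContext.getSessionCookieConfig().setSecure(true);
    }

    @Configuration
    @EnableWebSecurity
    static class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                .and().formLogin()
                .and().sessionManagement().maximumSessions(1);
        }
    }
}
```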

protected String getDispatcherWebApplicationContextSuffix()
Return the <servlet-name> to use the DispatcherServlet's WebApplicationContext to find the DelegatingFilterProxy or null to use the parent ApplicationContext.
For example, if you are using AbstractDispatcherServletInitializer or AbstractAnnotationConfigDispatcherServletInitializer and using the provided Servlet name, you can return "dispatcher" from this method to use the DispatcherServlet's WebApplicationContext.
Returns: the <servlet-name> of the DispatcherServlet to use its WebApplicationContext or null (default) to use the parent ApplicationContext.

protected void beforeSpringSecurityFilterChain(javax.servlet.ServletContext servletContext)
Invoked before the springSecurityFilterChain is added.
Parameters: servletContext - the ServletContext

protected void afterSpringSecurityFilterChain(javax.servlet.ServletContext servletContext)
Invoked after the springSecurityFilterChain is added.
Parameters: servletContext - the ServletContext

protected EnumSet<javax.servlet.DispatcherType> getSecurityDispatcherTypes()
Get the DispatcherType for the springSecurityFilterChain.

protected boolean isAsyncSecuritySupported()