Package org.springframework.security.web.authentication.session

Class CompositeSessionAuthenticationStrategy

java.lang.Object

org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy

All Implemented Interfaces:

SessionAuthenticationStrategy

public class CompositeSessionAuthenticationStrategy
extends Object
implements SessionAuthenticationStrategy

A SessionAuthenticationStrategy that accepts multiple SessionAuthenticationStrategy implementations to delegate to. Each SessionAuthenticationStrategy is invoked in turn. The invocations are short circuited if any exception, (i.e. SessionAuthenticationException) is thrown.

Typical usage would include having the following delegates (in this order)

• ConcurrentSessionControlAuthenticationStrategy - verifies that a user is allowed to authenticate (i.e. they have not already logged into the application.
• SessionFixationProtectionStrategy - If session fixation is desired, SessionFixationProtectionStrategy should be after ConcurrentSessionControlAuthenticationStrategy to prevent unnecessary HttpSession creation if the ConcurrentSessionControlAuthenticationStrategy rejects authentication.
• RegisterSessionAuthenticationStrategy - It is important this is after SessionFixationProtectionStrategy so that the correct session is registered.

Since:

3.2

Constructor Summary

Constructors

Constructor	Description
CompositeSessionAuthenticationStrategy(List<SessionAuthenticationStrategy> delegateStrategies)

Method Summary

Modifier and Type	Method	Description
void	onAuthentication(Authentication authentication, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)	Performs Http session-related functionality when a new authentication occurs.
String	toString()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Details

CompositeSessionAuthenticationStrategy

public CompositeSessionAuthenticationStrategy(List<SessionAuthenticationStrategy> delegateStrategies)

Method Details

onAuthentication

public void onAuthentication(Authentication authentication,
 jakarta.servlet.http.HttpServletRequest request,
 jakarta.servlet.http.HttpServletResponse response)
                      throws SessionAuthenticationException

Description copied from interface: SessionAuthenticationStrategy

Performs Http session-related functionality when a new authentication occurs.

Specified by:

onAuthentication in interface SessionAuthenticationStrategy

Throws:

SessionAuthenticationException - if it is decided that the authentication is not allowed for the session. This will typically be because the user has too many sessions open at once.

toString

public String toString()

Overrides:

toString in class Object