java.lang.Object
  org.springframework.security.web.context.HttpSessionSecurityContextRepository

public class HttpSessionSecurityContextRepository
A SecurityContextRepository implementation which stores the security context in the HttpSession between requests.

The HttpSession will be queried to retrieve the SecurityContext in the loadContext method (using the key SPRING_SECURITY_CONTEXT_KEY). If a valid SecurityContext cannot be obtained from the HttpSession for whatever reason, a fresh SecurityContext will be created by calling SecurityContextHolder.createEmptyContext() and this instance will be returned instead. When saveContext is called, the context will be stored under the same key, provided

With the standard configuration, no HttpSession will be created during loadContext if one does not already exist. When saveContext is called at the end of the web request and no session exists, a new HttpSession will only be created if the supplied SecurityContext is not equal to an empty SecurityContext instance. This avoids needless HttpSession creation, but automates the storage of changes made to the context during the request. Note that if SecurityContextPersistenceFilter is configured to eagerly create sessions, then the session-minimisation logic applied here will not make any difference. If you are using eager session creation, then you should ensure that the allowSessionCreation property of this class is set to true (the default).

If for whatever reason no HttpSession should ever be created (for example, if Basic authentication is being used or similar clients that will never present the same jsessionid), then allowSessionCreation should be set to false. Only do this if you really need to conserve server memory and ensure all classes using the SecurityContextHolder are designed to have no persistence of the SecurityContext between web requests.
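The following is an added example (not part of the Spring Security Javadoc) that exercises the session-minimisation rules described above against the repository itself: it assumes the MockHttpServletRequest and MockHttpServletResponse classes from spring-test, and the class name SessionCreationCheck is hypothetical.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

// Hypothetical harness: drives one request through loadContext/saveContext and
// reports whether an HttpSession exists afterwards.
public class SessionCreationCheck {

    static boolean sessionCreated(HttpSessionSecurityContextRepository repo, boolean authenticate) {
        MockHttpServletRequest request = new MockHttpServletRequest();   // starts with no session
        MockHttpServletResponse response = new MockHttpServletResponse();
        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);

        // loadContext must not create a session when none exists.
        SecurityContext ctx = repo.loadContext(holder);
        if (request.getSession(false) != null) {
            throw new IllegalStateException("loadContext created a session");
        }

        if (authenticate) {
            // Constructed test principal; any change from the empty context counts as "not empty".
            ctx.setAuthentication(new TestingAuthenticationToken("alice", "n/a", "ROLE_USER"));
        }

        // Pass the wrapped response from the holder: the wrapper is what tracks
        // whether the context has already been persisted during this request.
        repo.saveContext(ctx, holder.getRequest(), holder.getResponse());
        return request.getSession(false) != null;
    }

    public static void main(String[] args) {
        HttpSessionSecurityContextRepository defaults = new HttpSessionSecurityContextRepository();
        // Empty context: the repository should leave the request session-less.
        System.out.println("empty context, defaults: session created = " + sessionCreated(defaults, false));
        // Authenticated context: a session is created and the context stored under SPRING_SECURITY_CONTEXT_KEY.
        System.out.println("authenticated, defaults: session created = " + sessionCreated(defaults, true));

        HttpSessionSecurityContextRepository stateless = new HttpSessionSecurityContextRepository();
        stateless.setAllowSessionCreation(false);   // e.g. Basic-auth clients that never replay a jsessionid
        stateless.setDisableUrlRewriting(true);     // never emit jsessionid in encoded URLs
        // Even an authenticated context must not cause this repository to create a session.
        System.out.println("authenticated, allowSessionCreation=false: session created = "
                + sessionCreated(stateless, true));
    }
}
```

Running the three cases side by side makes the trade-off in the description concrete: with allowSessionCreation=false, nothing is persisted unless some other component creates the session first.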
Field Summary

| Modifier and Type | Field |
|---|---|
| protected org.apache.commons.logging.Log | logger |
| static String | SPRING_SECURITY_CONTEXT_KEY |

Constructor Summary

| Constructor |
|---|
| HttpSessionSecurityContextRepository() |

Method Summary

| Modifier and Type | Method and Description |
|---|---|
| boolean | containsContext(HttpServletRequest request) Allows the repository to be queried as to whether it contains a security context for the current request. |
| SecurityContext | loadContext(HttpRequestResponseHolder requestResponseHolder) Gets the security context for the current request (if available) and returns it. |
| void | saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) Stores the security context on completion of a request. |
| void | setAllowSessionCreation(boolean allowSessionCreation) If set to true (the default), a session will be created (if required) to store the security context if it is determined that its contents are different from the default empty context value. |
| void | setCloneFromHttpSession(boolean cloneFromHttpSession) Deprecated. Override the loadContext method and copy the created context instead. |
| void | setDisableUrlRewriting(boolean disableUrlRewriting) Allows the use of session identifiers in URLs to be disabled. |
| void | setSecurityContextClass(Class contextClass) Deprecated. |

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail

public static final String SPRING_SECURITY_CONTEXT_KEY

protected final org.apache.commons.logging.Log logger

Constructor Detail

public HttpSessionSecurityContextRepository()

Method Detail
public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder)

Gets the security context for the current request (if available) and returns it. If the session is null, the context object is null, or the context object stored in the session is not an instance of SecurityContext, a new context object will be generated and returned. If cloneFromHttpSession is set to true, it will attempt to clone the context object first and return the cloned instance.

Specified by: loadContext in interface SecurityContextRepository
Parameters: requestResponseHolder - holder for the current request and response for which the context should be loaded.

public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response)

Description copied from interface: SecurityContextRepository. Stores the security context on completion of a request.

Specified by: saveContext in interface SecurityContextRepository
Parameters: context - the non-null context which was obtained from the holder.

public boolean containsContext(HttpServletRequest request)

Description copied from interface: SecurityContextRepository. Allows the repository to be queried as to whether it contains a security context for the current request.

Specified by: containsContext in interface SecurityContextRepository
Parameters: request - the current request

@Deprecated
public void setSecurityContextClass(Class contextClass)

Deprecated.

@Deprecated
public void setCloneFromHttpSession(boolean cloneFromHttpSession)

Deprecated. Override the loadContext method and copy the created context instead.

The SecurityContext retrieved from the session is stored directly in the SecurityContextHolder, meaning that it is shared between concurrent threads. In this case, if one thread modifies the contents of the context, all threads will see the same change.

Parameters: cloneFromHttpSession - set to true to clone the security context retrieved from the session. Defaults to false.

public void setAllowSessionCreation(boolean allowSessionCreation)

If set to true (the default), a session will be created (if required) to store the security context if it is determined that its contents are different from the default empty context value. Note that setting this flag to false does not prevent this class from storing the security context. If your application (or another filter) creates a session, then the security context will still be stored for an authenticated user.

Parameters: allowSessionCreation -

public void setDisableUrlRewriting(boolean disableUrlRewriting)

Allows the use of session identifiers in URLs to be disabled.

Parameters: disableUrlRewriting - set to true to disable URL encoding methods in the response wrapper and prevent the use of jsessionid parameters.