Spring Security Framework

org.springframework.security.context
Class PortletSessionContextIntegrationInterceptor

java.lang.Object
  extended by org.springframework.security.context.PortletSessionContextIntegrationInterceptor
All Implemented Interfaces:
InitializingBean, HandlerInterceptor

public class PortletSessionContextIntegrationInterceptor
extends Object
implements InitializingBean, HandlerInterceptor

This interceptor populates the SecurityContextHolder with information obtained from the PortletSession. It is applied to both ActionRequests and RenderRequests

The PortletSession will be queried to retrieve the SecurityContext that should be stored against the SecurityContextHolder for the duration of the portlet request. At the end of the request, any updates made to the SecurityContextHolder will be persisted back to the PortletSession by this interceptor.

If a valid SecurityContext cannot be obtained from the PortletSession for whatever reason, a fresh SecurityContext will be created and used instead. The created object will be of the instance defined by the setContext(Class) method (which defaults to SecurityContextImpl.

A PortletSession may be created by this interceptor if one does not already exist. If at the end of the portlet request the PortletSession does not exist, one will only be created if the current contents of the SecurityContextHolder are not the Object.equals(java.lang.Object) to a new instance of context. This avoids needless PortletSession creation, and automates the storage of changes made to the SecurityContextHolder. There is one exception to this rule, that is if the forceEagerSessionCreation property is true, in which case sessions will always be created irrespective of normal session-minimization logic (the default is false, as this is resource intensive and not recommended).

If for whatever reason no PortletSession should ever be created, the allowSessionCreation property should be set to false. Only do this if you really need to conserve server memory and ensure all classes using the SecurityContextHolder are designed to have no persistence of the SecurityContext between web requests. Please note that if forceEagerSessionCreation is true, the allowSessionCreation must also be true (setting it to false will cause a startup-time error).

This interceptor must be executed before

any authentication processing mechanisms. These mechanisms (specifically PortletProcessingInterceptor) expect the SecurityContextHolder to contain a valid SecurityContext by the time they execute.

An important nuance to this interceptor is that (by default) the SecurityContext is stored into the APPLICATION_SCOPE of the PortletSession. This doesn't just mean you will be sharing it with all the other portlets in your webapp (which is generally a good idea). It also means that (if you have done all the other appropriate magic), you will share this SecurityContext with servlets in your webapp. This is very useful if you have servlets serving images or processing AJAX calls from your portlets since they can now use the HttpSessionContextIntegrationFilter to access the same SecurityContext object from the session. This allows these calls to be secured as well as the portlet calls.

Much of the logic of this interceptor comes from the HttpSessionContextIntegrationFilter class which fills the same purpose on the servlet side. Ben Alex and Patrick Burlson are listed as authors here because they are the authors of that class and there are blocks of code that essentially identical between the two. (Making this a good candidate for refactoring someday.)

Unlike HttpSessionContextIntegrationFilter, this interceptor does not check to see if it is getting applied multiple times. This shouldn't be a problem since the application of interceptors is under the control of the Spring Portlet MVC framework and tends to be more explicit and more predictable than the application of filters. However, you should still be careful to only apply this inteceptor to your request once.

Since:
2.0
Version:
$Id$
Author:
John A. Lewis, Ben Alex, Patrick Burleson

Field Summary
protected static org.apache.commons.logging.Log logger
           
static String SPRING_SECURITY_CONTEXT_KEY
           
 
Constructor Summary
PortletSessionContextIntegrationInterceptor()
           
 
Method Summary
 void afterActionCompletion(javax.portlet.ActionRequest request, javax.portlet.ActionResponse response, Object handler, Exception ex)
           
 void afterPropertiesSet()
           
 void afterRenderCompletion(javax.portlet.RenderRequest request, javax.portlet.RenderResponse response, Object handler, Exception ex)
           
 SecurityContext generateNewContext()
          Creates a new SecurityContext object.
 Class getContext()
           
 boolean isAllowSessionCreation()
           
 boolean isCloneFromPortletSession()
           
 boolean isForceEagerSessionCreation()
           
 boolean isUseApplicationScopePortletSession()
           
 void postHandleRender(javax.portlet.RenderRequest request, javax.portlet.RenderResponse response, Object handler, ModelAndView modelAndView)
           
 boolean preHandleAction(javax.portlet.ActionRequest request, javax.portlet.ActionResponse response, Object handler)
           
 boolean preHandleRender(javax.portlet.RenderRequest request, javax.portlet.RenderResponse response, Object handler)
           
 void setAllowSessionCreation(boolean allowSessionCreation)
           
 void setCloneFromPortletSession(boolean cloneFromPortletSession)
           
 void setContext(Class secureContext)
           
 void setForceEagerSessionCreation(boolean forceEagerSessionCreation)
           
 void setUseApplicationScopePortletSession(boolean useApplicationScopePortletSession)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

protected static final org.apache.commons.logging.Log logger

SPRING_SECURITY_CONTEXT_KEY

public static final String SPRING_SECURITY_CONTEXT_KEY
See Also:
Constant Field Values
Constructor Detail

PortletSessionContextIntegrationInterceptor

public PortletSessionContextIntegrationInterceptor()
                                            throws javax.portlet.PortletException
Throws:
javax.portlet.PortletException
Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception
Specified by:
afterPropertiesSet in interface InitializingBean
Throws:
Exception

preHandleAction

public boolean preHandleAction(javax.portlet.ActionRequest request,
                               javax.portlet.ActionResponse response,
                               Object handler)
                        throws Exception
Specified by:
preHandleAction in interface HandlerInterceptor
Throws:
Exception

preHandleRender

public boolean preHandleRender(javax.portlet.RenderRequest request,
                               javax.portlet.RenderResponse response,
                               Object handler)
                        throws Exception
Specified by:
preHandleRender in interface HandlerInterceptor
Throws:
Exception

postHandleRender

public void postHandleRender(javax.portlet.RenderRequest request,
                             javax.portlet.RenderResponse response,
                             Object handler,
                             ModelAndView modelAndView)
                      throws Exception
Specified by:
postHandleRender in interface HandlerInterceptor
Throws:
Exception

afterActionCompletion

public void afterActionCompletion(javax.portlet.ActionRequest request,
                                  javax.portlet.ActionResponse response,
                                  Object handler,
                                  Exception ex)
                           throws Exception
Specified by:
afterActionCompletion in interface HandlerInterceptor
Throws:
Exception

afterRenderCompletion

public void afterRenderCompletion(javax.portlet.RenderRequest request,
                                  javax.portlet.RenderResponse response,
                                  Object handler,
                                  Exception ex)
                           throws Exception
Specified by:
afterRenderCompletion in interface HandlerInterceptor
Throws:
Exception

generateNewContext

public SecurityContext generateNewContext()
                                   throws javax.portlet.PortletException
Creates a new SecurityContext object. The specific class is determined by the setting of the context property.

Returns:
the new SecurityContext
Throws:
javax.portlet.PortletException - if the creation throws an InstantiationException or an IllegalAccessException, then this method will wrap them in a PortletException

getContext

public Class getContext()

setContext

public void setContext(Class secureContext)

isAllowSessionCreation

public boolean isAllowSessionCreation()

setAllowSessionCreation

public void setAllowSessionCreation(boolean allowSessionCreation)

isForceEagerSessionCreation

public boolean isForceEagerSessionCreation()

setForceEagerSessionCreation

public void setForceEagerSessionCreation(boolean forceEagerSessionCreation)

isCloneFromPortletSession

public boolean isCloneFromPortletSession()

setCloneFromPortletSession

public void setCloneFromPortletSession(boolean cloneFromPortletSession)

isUseApplicationScopePortletSession

public boolean isUseApplicationScopePortletSession()

setUseApplicationScopePortletSession

public void setUseApplicationScopePortletSession(boolean useApplicationScopePortletSession)

Spring Security Framework

Copyright © 2004-2010 SpringSource, Inc. All Rights Reserved.