org.springframework.security.ui
Class SessionFixationProtectionFilter
java.lang.Object
org.springframework.security.ui.SpringSecurityFilter
org.springframework.security.ui.SessionFixationProtectionFilter
- All Implemented Interfaces:
- Filter, Ordered
public class SessionFixationProtectionFilter extends SpringSecurityFilter
Detects that a user has been authenticated since the start of the request and starts a new session.
This is essentially a generalization of the functionality that was implemented for SEC-399.
Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used
with Spring Security's concurrent session control.
- Since:
- 2.0
- Author:
- Martin Algesten, Luke Taylor
SessionFixationProtectionFilter
public SessionFixationProtectionFilter()
doFilterHttp
protected void doFilterHttp(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain)
throws IOException,
ServletException
- Specified by:
doFilterHttp
in class SpringSecurityFilter
- Throws:
IOException
ServletException
setMigrateSessionAttributes
public void setMigrateSessionAttributes(boolean migrateSessionAttributes)
setSessionRegistry
public void setSessionRegistry(SessionRegistry sessionRegistry)
getOrder
public int getOrder()
startNewSessionIfRequired
protected void startNewSessionIfRequired(HttpServletRequest request,
HttpServletResponse response)
- Called when a user wasn't authenticated at the start of the request but has been authenticated during it.
A new session will be created, the session attributes copied to it (if
migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.
Copyright © 2004-2010 SpringSource, Inc. All Rights Reserved.