SessionManagementConfigurer (Spring Security 3.2.0.RC1 API)

Overview

Package

Class

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.springframework.security.config.annotation.web.configurers
Class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>

java.lang.Object
  org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
      org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer<H>

All Implemented Interfaces:: SecurityConfigurer<DefaultSecurityFilterChain,H>

public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>

Allows configuring session management.

Security Filters

The following Filters are populated

SessionManagementFilter
ConcurrentSessionFilter if there are restrictions on how many concurrent sessions a user can have

Shared Objects Created

The following shared objects are created:

Shared Objects Used

SecurityContextRepository

Since:: 3.2
See Also:: SessionManagementFilter, ConcurrentSessionFilter

Nested Class Summary
`class`	`SessionManagementConfigurer.ConcurrencyControlConfigurer` Allows configuring controlling of multiple sessions.
`class`	`SessionManagementConfigurer.SessionFixationConfigurer` Allows configuring SessionFixation protection

Constructor Summary
`SessionManagementConfigurer()` Creates a new instance

Method Summary
`void`	`configure(H http)` Configure the `SecurityBuilder` by setting the necessary properties on the `SecurityBuilder`.
`B`	`disable()` Disables the `AbstractHttpConfigurer` by removing it.
`SessionManagementConfigurer<H>`	`enableSessionUrlRewriting(boolean enableSessionUrlRewriting)` If set to true, allows HTTP sessions to be rewritten in the URLs when using `HttpServletResponse.encodeRedirectURL(String)` or `HttpServletResponse.encodeURL(String)`, otherwise disallows HTTP sessions to be included in the URL.
`void`	`init(H builder)` Initialize the `SecurityBuilder`.
`SessionManagementConfigurer<H>`	`invalidSessionUrl(String invalidSessionUrl)` Setting this attribute will inject the `SessionManagementFilter` with a `SimpleRedirectInvalidSessionStrategy` configured with the attribute value.
`SessionManagementConfigurer.ConcurrencyControlConfigurer`	`maximumSessions(int maximumSessions)` Controls the maximum number of sessions for a user.
`SessionManagementConfigurer<H>`	`sessionAuthenticationErrorUrl(String sessionAuthenticationErrorUrl)` Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception.
`SessionManagementConfigurer<H>`	`sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy)` Allows explicitly specifying the `SessionAuthenticationStrategy`.
`SessionManagementConfigurer<H>`	`sessionCreationPolicy(SessionCreationPolicy sessionCreationPolicy)` Allows specifying the `SessionCreationPolicy`
`SessionManagementConfigurer.SessionFixationConfigurer`	`sessionFixation()`
`T`	`withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor)`

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
`addObjectPostProcessor, and, getBuilder, postProcess, setBuilder`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

SessionManagementConfigurer

public SessionManagementConfigurer()

Creates a new instance

See Also:: HttpSecurity.sessionManagement()

Method Detail

invalidSessionUrl

public SessionManagementConfigurer<H> invalidSessionUrl(String invalidSessionUrl)

Setting this attribute will inject the SessionManagementFilter with a SimpleRedirectInvalidSessionStrategy configured with the attribute value. When an invalid session ID is submitted, the strategy will be invoked, redirecting to the configured URL.

Parameters:: invalidSessionUrl - the URL to redirect to when an invalid session is detected
Returns:: the SessionManagementConfigurer for further customization

sessionAuthenticationErrorUrl

public SessionManagementConfigurer<H> sessionAuthenticationErrorUrl(String sessionAuthenticationErrorUrl)

Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (402) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.

Parameters:: sessionAuthenticationErrorUrl - the URL to redirect to
Returns:: the SessionManagementConfigurer for further customization

enableSessionUrlRewriting

public SessionManagementConfigurer<H> enableSessionUrlRewriting(boolean enableSessionUrlRewriting)

If set to true, allows HTTP sessions to be rewritten in the URLs when using HttpServletResponse.encodeRedirectURL(String) or HttpServletResponse.encodeURL(String), otherwise disallows HTTP sessions to be included in the URL. This prevents leaking information to external domains.

Parameters:: enableSessionUrlRewriting - true if should allow the JSESSIONID to be rewritten into the URLs, else false (default)
Returns:: the SessionManagementConfigurer for further customization
See Also:: HttpSessionSecurityContextRepository.setDisableUrlRewriting(boolean)

sessionCreationPolicy

public SessionManagementConfigurer<H> sessionCreationPolicy(SessionCreationPolicy sessionCreationPolicy)

Allows specifying the SessionCreationPolicy

Parameters:: sessionCreationPolicy - the SessionCreationPolicy to use. Cannot be null.
Returns:: the SessionManagementConfigurer for further customizations
Throws:: IllegalArgumentException - if SessionCreationPolicy is null.
See Also:: SessionCreationPolicy

sessionAuthenticationStrategy

public SessionManagementConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy)

Allows explicitly specifying the SessionAuthenticationStrategy. The default is to use SessionFixationProtectionStrategy. If restricting the maximum number of sessions is configured, then CompositeSessionAuthenticationStrategy delegating to ConcurrentSessionControlAuthenticationStrategy, SessionFixationProtectionStrategy (optional), and RegisterSessionAuthenticationStrategy will be used.

Parameters:: sessionAuthenticationStrategy -
Returns:: the SessionManagementConfigurer for further customizations

sessionFixation

public SessionManagementConfigurer.SessionFixationConfigurer sessionFixation()

maximumSessions

public SessionManagementConfigurer.ConcurrencyControlConfigurer maximumSessions(int maximumSessions)

Controls the maximum number of sessions for a user. The default is to allow any number of users.

Parameters:: maximumSessions - the maximum number of sessions for a user
Returns:: the SessionManagementConfigurer for further customizations

init

public void init(H builder)
          throws Exception

Description copied from interface: SecurityConfigurer

Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building.

Specified by:: init in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides:: init in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Throws:: Exception

configure

public void configure(H http)
               throws Exception