org.springframework.security.web.session
Class SessionManagementFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.session.SessionManagementFilter
- All Implemented Interfaces:
- javax.servlet.Filter, Aware, BeanNameAware, DisposableBean, InitializingBean, EnvironmentAware, ServletContextAware
public class SessionManagementFilter
- extends GenericFilterBean
Detects that a user has been authenticated since the start of the request and, if they have, calls the configured SessionAuthenticationStrategy to perform any session-related activity such as activating session-fixation protection mechanisms or checking for multiple concurrent logins.
- Since:
- 2.0
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
SessionManagementFilter
public SessionManagementFilter(SecurityContextRepository securityContextRepository)
SessionManagementFilter
public SessionManagementFilter(SecurityContextRepository securityContextRepository,
SessionAuthenticationStrategy sessionStrategy)
doFilter
public void doFilter(javax.servlet.ServletRequest req,
javax.servlet.ServletResponse res,
javax.servlet.FilterChain chain)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
setSessionAuthenticationStrategy
@Deprecated
public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy)
- Deprecated. Use constructor injection
- Sets the strategy object which handles the session management behaviour when a user has been authenticated during the current request.
- Parameters:
sessionAuthenticationStrategy - the strategy object. If not set, a SessionFixationProtectionStrategy is used.
setInvalidSessionStrategy
public void setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)
- Sets the strategy which will be invoked, instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID. If the property is not set, no action will be taken.
- Parameters:
invalidSessionStrategy - the strategy to invoke. Typically a SimpleRedirectInvalidSessionStrategy.
setAuthenticationFailureHandler
public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
- The handler which will be invoked if the AuthenticatedSessionStrategy raises a
SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this
session (typically because they already have too many sessions open).
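The following wiring is an added example, not code from the Spring Security project: it builds the filter by constructor injection with a custom strategy that enforces a per-user session limit before delegating to SessionFixationProtectionStrategy, and sets both the invalid-session strategy and the failure handler described above. The class names SessionFilterFactory and LimitThenRotateStrategy and both redirect URLs are hypothetical, and it assumes HttpSessionEventPublisher is registered as a listener so that destroyed sessions are removed from the SessionRegistry.

```java
import javax.servlet.http.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.*;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.session.*;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.session.*;

// Hypothetical wiring class (not part of Spring Security); URLs are placeholders.
public class SessionFilterFactory {

    // Rejects a login over the per-user session limit, otherwise rotates the session id.
    static class LimitThenRotateStrategy implements SessionAuthenticationStrategy {
        private final SessionRegistry registry;
        private final int maxSessions;
        private final SessionAuthenticationStrategy fixation = new SessionFixationProtectionStrategy();

        LimitThenRotateStrategy(SessionRegistry registry, int maxSessions) {
            this.registry = registry;
            this.maxSessions = maxSessions;
        }

        @Override
        public void onAuthentication(Authentication auth, HttpServletRequest req, HttpServletResponse res) {
            HttpSession current = req.getSession(false);
            int others = 0; // live sessions for this principal, excluding the current one
            for (SessionInformation s : registry.getAllSessions(auth.getPrincipal(), false)) {
                if (current == null || !s.getSessionId().equals(current.getId())) others++;
            }
            if (others >= maxSessions) {
                // The filter catches this and hands it to the AuthenticationFailureHandler.
                throw new SessionAuthenticationException("Session limit reached for this user");
            }
            fixation.onAuthentication(auth, req, res); // discard the pre-login session id
            // Assumes HttpSessionEventPublisher is registered so the old id leaves the registry.
            registry.registerNewSession(req.getSession().getId(), auth.getPrincipal());
        }
    }

    public static SessionManagementFilter build(SessionRegistry registry, int maxSessions) {
        SessionManagementFilter filter = new SessionManagementFilter(
                new HttpSessionSecurityContextRepository(),
                new LimitThenRotateStrategy(registry, maxSessions)); // constructor injection
        // Invalid session id in the request: redirect instead of continuing the chain.
        filter.setInvalidSessionStrategy(new SimpleRedirectInvalidSessionStrategy("/session-expired"));
        filter.setAuthenticationFailureHandler(
                new SimpleUrlAuthenticationFailureHandler("/login?error=session-limit"));
        return filter;
    }
}
```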