org.springframework.security.web.context

Class HttpSessionSecurityContextRepository

java.lang.Object

org.springframework.security.web.context.HttpSessionSecurityContextRepository

All Implemented Interfaces:

SecurityContextRepository

public class HttpSessionSecurityContextRepository
extends Object
implements SecurityContextRepository

A SecurityContextRepository implementation which stores the security context in the HttpSession between requests.

The HttpSession will be queried to retrieve the SecurityContext in the loadContext method (using the key SPRING_SECURITY_CONTEXT_KEY by default). If a valid SecurityContext cannot be obtained from the HttpSession for whatever reason, a fresh SecurityContext will be created by calling by SecurityContextHolder.createEmptyContext() and this instance will be returned instead.

When saveContext is called, the context will be stored under the same key, provided

1. The value has changed
2. The configured AuthenticationTrustResolver does not report that the contents represent an anonymous user

With the standard configuration, no HttpSession will be created during loadContext if one does not already exist. When saveContext is called at the end of the web request, and no session exists, a new HttpSession will only be created if the supplied SecurityContext is not equal to an empty SecurityContext instance. This avoids needless HttpSession creation, but automates the storage of changes made to the context during the request. Note that if SecurityContextPersistenceFilter is configured to eagerly create sessions, then the session-minimisation logic applied here will not make any difference. If you are using eager session creation, then you should ensure that the allowSessionCreation property of this class is set to true (the default).

If for whatever reason no HttpSession should ever be created (for example, if Basic authentication is being used or similar clients that will never present the same jsessionid), then allowSessionCreation should be set to false. Only do this if you really need to conserve server memory and ensure all classes using the SecurityContextHolder are designed to have no persistence of the SecurityContext between web requests.

Since:

3.0

Field Summary

Fields

Modifier and Type	Field and Description
protected org.apache.commons.logging.Log	logger
static String	SPRING_SECURITY_CONTEXT_KEY The default key under which the security context will be stored in the session.

Constructor Summary

Constructors

Constructor and Description
HttpSessionSecurityContextRepository()

Method Summary

Methods

Modifier and Type	Method and Description
boolean	containsContext(javax.servlet.http.HttpServletRequest request) Allows the repository to be queried as to whether it contains a security context for the current request.
protected SecurityContext	generateNewContext() By default, calls SecurityContextHolder.createEmptyContext() to obtain a new context (there should be no context present in the holder when this method is called).
SecurityContext	loadContext(HttpRequestResponseHolder requestResponseHolder) Gets the security context for the current request (if available) and returns it.
void	saveContext(SecurityContext context, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Stores the security context on completion of a request.
void	setAllowSessionCreation(boolean allowSessionCreation) If set to true (the default), a session will be created (if required) to store the security context if it is determined that its contents are different from the default empty context value.
void	setDisableUrlRewriting(boolean disableUrlRewriting) Allows the use of session identifiers in URLs to be disabled.
void	setSpringSecurityContextKey(String springSecurityContextKey) Allows the session attribute name to be customized for this repository instance.
void	setTrustResolver(AuthenticationTrustResolver trustResolver) Sets the AuthenticationTrustResolver to be used.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SPRING_SECURITY_CONTEXT_KEY

public static final String SPRING_SECURITY_CONTEXT_KEY

The default key under which the security context will be stored in the session.

See Also:

Constant Field Values

logger

protected final org.apache.commons.logging.Log logger

Constructor Detail

HttpSessionSecurityContextRepository

public HttpSessionSecurityContextRepository()

Method Detail

loadContext

public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder)

Gets the security context for the current request (if available) and returns it.

If the session is null, the context object is null or the context object stored in the session is not an instance of SecurityContext, a new context object will be generated and returned.

Specified by:

loadContext in interface SecurityContextRepository

Parameters:

requestResponseHolder - holder for the current request and response for which the context should be loaded.

Returns:

The security context which should be used for the current request, never null.

saveContext

public void saveContext(SecurityContext context,
               javax.servlet.http.HttpServletRequest request,
               javax.servlet.http.HttpServletResponse response)

Description copied from interface: SecurityContextRepository

Stores the security context on completion of a request.

Specified by:

saveContext in interface SecurityContextRepository

Parameters:

context - the non-null context which was obtained from the holder.

containsContext

public boolean containsContext(javax.servlet.http.HttpServletRequest request)

Description copied from interface: SecurityContextRepository

Allows the repository to be queried as to whether it contains a security context for the current request.

Specified by:

containsContext in interface SecurityContextRepository

Parameters:

request - the current request

Returns:

true if a context is found for the request, false otherwise

generateNewContext

protected SecurityContext generateNewContext()

By default, calls SecurityContextHolder.createEmptyContext() to obtain a new context (there should be no context present in the holder when this method is called). Using this approach the context creation strategy is decided by the SecurityContextHolderStrategy in use. The default implementations will return a new SecurityContextImpl.

Returns:

a new SecurityContext instance. Never null.

setAllowSessionCreation

public void setAllowSessionCreation(boolean allowSessionCreation)

If set to true (the default), a session will be created (if required) to store the security context if it is determined that its contents are different from the default empty context value.

Note that setting this flag to false does not prevent this class from storing the security context. If your application (or another filter) creates a session, then the security context will still be stored for an authenticated user.

Parameters:

allowSessionCreation -

setDisableUrlRewriting

public void setDisableUrlRewriting(boolean disableUrlRewriting)

Allows the use of session identifiers in URLs to be disabled. Off by default.

Parameters:

disableUrlRewriting - set to true to disable URL encoding methods in the response wrapper and prevent the use of jsessionid parameters.

setSpringSecurityContextKey

public void setSpringSecurityContextKey(String springSecurityContextKey)

Allows the session attribute name to be customized for this repository instance.

Parameters:

springSecurityContextKey - the key under which the security context will be stored. Defaults to SPRING_SECURITY_CONTEXT_KEY.

setTrustResolver

public void setTrustResolver(AuthenticationTrustResolver trustResolver)

Sets the AuthenticationTrustResolver to be used. The default is AuthenticationTrustResolverImpl.

Parameters:

trustResolver - the AuthenticationTrustResolver to use. Cannot be null.