org.springframework.security.web.context

Class SaveContextOnUpdateOrErrorResponseWrapper

java.lang.Object

javax.servlet.ServletResponseWrapper

javax.servlet.http.HttpServletResponseWrapper

org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper

All Implemented Interfaces:

javax.servlet.http.HttpServletResponse, javax.servlet.ServletResponse

public abstract class SaveContextOnUpdateOrErrorResponseWrapper
extends javax.servlet.http.HttpServletResponseWrapper

Base class for response wrappers which encapsulate the logic for storing a security context and which store the SecurityContext when a sendError(), sendRedirect, getOutputStream().close(), getOutputStream().flush(), getWriter().close(), or getWriter().flush() happens on the same thread that this SaveContextOnUpdateOrErrorResponseWrapper was created. See issue SEC-398 and SEC-2005.

Sub-classes should implement the saveContext(SecurityContext context) method.

Support is also provided for disabling URL rewriting

Since:

3.0

Field Summary

Fields inherited from interface javax.servlet.http.HttpServletResponse

SC_ACCEPTED, SC_BAD_GATEWAY, SC_BAD_REQUEST, SC_CONFLICT, SC_CONTINUE, SC_CREATED, SC_EXPECTATION_FAILED, SC_FORBIDDEN, SC_FOUND, SC_GATEWAY_TIMEOUT, SC_GONE, SC_HTTP_VERSION_NOT_SUPPORTED, SC_INTERNAL_SERVER_ERROR, SC_LENGTH_REQUIRED, SC_METHOD_NOT_ALLOWED, SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_MULTIPLE_CHOICES, SC_NO_CONTENT, SC_NON_AUTHORITATIVE_INFORMATION, SC_NOT_ACCEPTABLE, SC_NOT_FOUND, SC_NOT_IMPLEMENTED, SC_NOT_MODIFIED, SC_OK, SC_PARTIAL_CONTENT, SC_PAYMENT_REQUIRED, SC_PRECONDITION_FAILED, SC_PROXY_AUTHENTICATION_REQUIRED, SC_REQUEST_ENTITY_TOO_LARGE, SC_REQUEST_TIMEOUT, SC_REQUEST_URI_TOO_LONG, SC_REQUESTED_RANGE_NOT_SATISFIABLE, SC_RESET_CONTENT, SC_SEE_OTHER, SC_SERVICE_UNAVAILABLE, SC_SWITCHING_PROTOCOLS, SC_TEMPORARY_REDIRECT, SC_UNAUTHORIZED, SC_UNSUPPORTED_MEDIA_TYPE, SC_USE_PROXY

Constructor Summary

Constructors

Constructor and Description
SaveContextOnUpdateOrErrorResponseWrapper(javax.servlet.http.HttpServletResponse response, boolean disableUrlRewriting)

Method Summary

Methods

Modifier and Type	Method and Description
void	addHeader(String name, String value)
void	disableOnResponseCommitted() Invoke this method to disable invoking OnCommittedResponseWrapper.onResponseCommitted() when the HttpServletResponse is committed.
void	disableSaveOnResponseCommitted() Invoke this method to disable automatic saving of the SecurityContext when the HttpServletResponse is committed.
String	encodeRedirectUrl(String url)
String	encodeRedirectURL(String url)
String	encodeUrl(String url)
String	encodeURL(String url)
void	flushBuffer() Makes sure OnCommittedResponseWrapper.onResponseCommitted() is invoked before calling the superclass flushBuffer()
javax.servlet.ServletOutputStream	getOutputStream() Makes sure OnCommittedResponseWrapper.onResponseCommitted() is invoked before calling the calling getOutputStream().close() or getOutputStream().flush()
PrintWriter	getWriter() Makes sure OnCommittedResponseWrapper.onResponseCommitted() is invoked before calling the getWriter().close() or getWriter().flush()
boolean	isContextSaved() Tells if the response wrapper has called saveContext() because of this wrapper.
protected void	onResponseCommitted() Calls saveContext() with the current contents of the SecurityContextHolder as long as () was not invoked.
protected abstract void	saveContext(SecurityContext context) Implements the logic for storing the security context.
void	sendError(int sc) Makes sure OnCommittedResponseWrapper.onResponseCommitted() is invoked before calling the superclass sendError()
void	sendError(int sc, String msg) Makes sure OnCommittedResponseWrapper.onResponseCommitted() is invoked before calling the superclass sendError()
void	sendRedirect(String location) Makes sure OnCommittedResponseWrapper.onResponseCommitted() is invoked before calling the superclass sendRedirect()
void	setContentLength(int len)

Methods inherited from class javax.servlet.http.HttpServletResponseWrapper

addCookie, addDateHeader, addIntHeader, containsHeader, getHeader, getHeaderNames, getHeaders, getStatus, setDateHeader, setHeader, setIntHeader, setStatus, setStatus

Methods inherited from class javax.servlet.ServletResponseWrapper

getBufferSize, getCharacterEncoding, getContentType, getLocale, getResponse, isCommitted, isWrapperFor, isWrapperFor, reset, resetBuffer, setBufferSize, setCharacterEncoding, setContentType, setLocale, setResponse

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface javax.servlet.ServletResponse

getBufferSize, getCharacterEncoding, getContentType, getLocale, isCommitted, reset, resetBuffer, setBufferSize, setCharacterEncoding, setContentType, setLocale

Constructor Detail

SaveContextOnUpdateOrErrorResponseWrapper

public SaveContextOnUpdateOrErrorResponseWrapper(javax.servlet.http.HttpServletResponse response,
                                         boolean disableUrlRewriting)

Parameters:

response - the response to be wrapped

disableUrlRewriting - turns the URL encoding methods into null operations, preventing the use of URL rewriting to add the session identifier as a URL parameter.

Method Detail

disableSaveOnResponseCommitted

public void disableSaveOnResponseCommitted()

Invoke this method to disable automatic saving of the SecurityContext when the HttpServletResponse is committed. This can be useful in the event that Async Web Requests are made which may no longer contain the SecurityContext on it.

saveContext

protected abstract void saveContext(SecurityContext context)

Implements the logic for storing the security context.

Parameters:

context - the SecurityContext instance to store

onResponseCommitted

protected void onResponseCommitted()

Calls saveContext() with the current contents of the SecurityContextHolder as long as () was not invoked.

encodeRedirectUrl

public final String encodeRedirectUrl(String url)

Specified by:

encodeRedirectUrl in interface javax.servlet.http.HttpServletResponse

Overrides:

encodeRedirectUrl in class javax.servlet.http.HttpServletResponseWrapper

encodeRedirectURL

public final String encodeRedirectURL(String url)

Specified by:

encodeRedirectURL in interface javax.servlet.http.HttpServletResponse

Overrides:

encodeRedirectURL in class javax.servlet.http.HttpServletResponseWrapper

encodeUrl

public final String encodeUrl(String url)

Specified by:

encodeUrl in interface javax.servlet.http.HttpServletResponse

Overrides:

encodeUrl in class javax.servlet.http.HttpServletResponseWrapper

encodeURL

public final String encodeURL(String url)

Specified by:

encodeURL in interface javax.servlet.http.HttpServletResponse

Overrides:

encodeURL in class javax.servlet.http.HttpServletResponseWrapper

isContextSaved

public final boolean isContextSaved()

Tells if the response wrapper has called saveContext() because of this wrapper.

addHeader

public void addHeader(String name,
             String value)

Specified by:

addHeader in interface javax.servlet.http.HttpServletResponse

Overrides:

addHeader in class javax.servlet.http.HttpServletResponseWrapper

setContentLength

public void setContentLength(int len)

Specified by:

setContentLength in interface javax.servlet.ServletResponse

Overrides:

setContentLength in class javax.servlet.ServletResponseWrapper

disableOnResponseCommitted

public void disableOnResponseCommitted()

Invoke this method to disable invoking OnCommittedResponseWrapper.onResponseCommitted() when the HttpServletResponse is committed. This can be useful in the event that Async Web Requests are made.

sendError

public final void sendError(int sc)
                     throws IOException

Makes sure OnCommittedResponseWrapper.onResponseCommitted() is invoked before calling the superclass sendError()

Specified by:

sendError in interface javax.servlet.http.HttpServletResponse

Overrides:

sendError in class javax.servlet.http.HttpServletResponseWrapper

Throws:

IOException

sendError

public final void sendError(int sc,
             String msg)
                     throws IOException

Makes sure OnCommittedResponseWrapper.onResponseCommitted() is invoked before calling the superclass sendError()

Specified by:

sendError in interface javax.servlet.http.HttpServletResponse

Overrides:

sendError in class javax.servlet.http.HttpServletResponseWrapper

Throws:

IOException

sendRedirect

public final void sendRedirect(String location)
                        throws IOException

Makes sure OnCommittedResponseWrapper.onResponseCommitted() is invoked before calling the superclass sendRedirect()

Specified by:

sendRedirect in interface javax.servlet.http.HttpServletResponse

Overrides:

sendRedirect in class javax.servlet.http.HttpServletResponseWrapper

Throws:

IOException

getOutputStream

public javax.servlet.ServletOutputStream getOutputStream()
                                                  throws IOException

Makes sure OnCommittedResponseWrapper.onResponseCommitted() is invoked before calling the calling getOutputStream().close() or getOutputStream().flush()

Specified by:

getOutputStream in interface javax.servlet.ServletResponse

Overrides:

getOutputStream in class javax.servlet.ServletResponseWrapper

Throws:

IOException

getWriter

public PrintWriter getWriter()
                      throws IOException

Makes sure OnCommittedResponseWrapper.onResponseCommitted() is invoked before calling the getWriter().close() or getWriter().flush()

Specified by:

getWriter in interface javax.servlet.ServletResponse

Overrides:

getWriter in class javax.servlet.ServletResponseWrapper

Throws:

IOException

flushBuffer

public void flushBuffer()
                 throws IOException

Makes sure OnCommittedResponseWrapper.onResponseCommitted() is invoked before calling the superclass flushBuffer()

Specified by:

flushBuffer in interface javax.servlet.ServletResponse

Overrides:

flushBuffer in class javax.servlet.ServletResponseWrapper

Throws:

IOException