public abstract class AbstractSecurityWebApplicationInitializer extends Object implements WebApplicationInitializer
DelegatingFilterProxy
to use the
springSecurityFilterChain before any other registered Filter
. When
used with AbstractSecurityWebApplicationInitializer(Class...)
, it
will also register a ContextLoaderListener
. When used with
AbstractSecurityWebApplicationInitializer()
, this class is typically
used in addition to a subclass of AbstractContextLoaderInitializer
.
By default the DelegatingFilterProxy
is registered without support,
but can be enabled by overriding isAsyncSecuritySupported()
and
getSecurityDispatcherTypes()
.
Additional configuration before and after the springSecurityFilterChain can
be added by overriding
afterSpringSecurityFilterChain(ServletContext)
.
Subclasses of AbstractDispatcherServletInitializer will register their
filters before any other Filter
. This means that you will typically
want to ensure subclasses of AbstractDispatcherServletInitializer are invoked
first. This can be done by ensuring the Order
or Ordered
of
AbstractDispatcherServletInitializer are sooner than subclasses of
AbstractSecurityWebApplicationInitializer
.
Modifier and Type | Field and Description |
---|---|
static String |
DEFAULT_FILTER_NAME |
Modifier | Constructor and Description |
---|---|
protected |
AbstractSecurityWebApplicationInitializer()
Creates a new instance that assumes the Spring Security configuration is
loaded by some other means than this class.
|
protected |
AbstractSecurityWebApplicationInitializer(Class<?>... configurationClasses)
Creates a new instance that will instantiate the
ContextLoaderListener with the specified classes. |
Modifier and Type | Method and Description |
---|---|
protected void |
afterSpringSecurityFilterChain(javax.servlet.ServletContext servletContext)
Invoked after the springSecurityFilterChain is added.
|
protected void |
appendFilters(javax.servlet.ServletContext servletContext,
javax.servlet.Filter... filters)
Inserts the provided
Filter s after existing Filter s
using default generated names, getSecurityDispatcherTypes() , and
isAsyncSecuritySupported() . |
protected void |
beforeSpringSecurityFilterChain(javax.servlet.ServletContext servletContext)
Invoked before the springSecurityFilterChain is added.
|
protected boolean |
enableHttpSessionEventPublisher()
Override this if
HttpSessionEventPublisher should be added as a
listener. |
protected String |
getDispatcherWebApplicationContextSuffix()
Return the
WebApplicationContext to find the DelegatingFilterProxy
or null to use the parent ApplicationContext . |
protected EnumSet<javax.servlet.DispatcherType> |
getSecurityDispatcherTypes()
Get the
DispatcherType for the springSecurityFilterChain. |
protected Set<javax.servlet.SessionTrackingMode> |
getSessionTrackingModes()
Determines how a session should be tracked.
|
protected void |
insertFilters(javax.servlet.ServletContext servletContext,
javax.servlet.Filter... filters)
Inserts the provided
Filter s before existing Filter s
using default generated names, getSecurityDispatcherTypes() , and
isAsyncSecuritySupported() . |
protected boolean |
isAsyncSecuritySupported()
Determine if the springSecurityFilterChain should be marked as supporting
asynch.
|
void |
onStartup(javax.servlet.ServletContext servletContext) |
public static final String DEFAULT_FILTER_NAME
protected AbstractSecurityWebApplicationInitializer()
ContextLoaderListener
using a subclass of
AbstractContextLoaderInitializer
.ContextLoaderListener
protected AbstractSecurityWebApplicationInitializer(Class<?>... configurationClasses)
ContextLoaderListener
with the specified classes.configurationClasses
- public final void onStartup(javax.servlet.ServletContext servletContext) throws javax.servlet.ServletException
onStartup
in interface WebApplicationInitializer
javax.servlet.ServletException
protected boolean enableHttpSessionEventPublisher()
HttpSessionEventPublisher
should be added as a
listener. This should be true, if session management has specified a
maximum number of sessions.HttpSessionEventPublisher
, else falseprotected final void insertFilters(javax.servlet.ServletContext servletContext, javax.servlet.Filter... filters)
Filter
s before existing Filter
s
using default generated names, getSecurityDispatcherTypes()
, and
isAsyncSecuritySupported()
.servletContext
- the ServletContext
to usefilters
- the Filter
s to registerprotected final void appendFilters(javax.servlet.ServletContext servletContext, javax.servlet.Filter... filters)
Filter
s after existing Filter
s
using default generated names, getSecurityDispatcherTypes()
, and
isAsyncSecuritySupported()
.servletContext
- the ServletContext
to usefilters
- the Filter
s to registerprotected Set<javax.servlet.SessionTrackingMode> getSessionTrackingModes()
SessionTrackingMode.COOKIE
is used.
Note that SessionTrackingMode.URL
is intentionally omitted to
help protected against session fixation
attacks. SessionTrackingMode.SSL
is omitted because SSL
configuration is required for this to work.
Subclasses can override this method to make customizations.
protected String getDispatcherWebApplicationContextSuffix()
WebApplicationContext
to find the DelegatingFilterProxy
or null to use the parent ApplicationContext
.
For example, if you are using AbstractDispatcherServletInitializer or
AbstractAnnotationConfigDispatcherServletInitializer and using the
provided Servlet name, you can return "dispatcher" from this method to
use the DispatcherServlet's WebApplicationContext
.
WebApplicationContext
or null (default) to use the parent
ApplicationContext
.protected void beforeSpringSecurityFilterChain(javax.servlet.ServletContext servletContext)
servletContext
- the ServletContext
protected void afterSpringSecurityFilterChain(javax.servlet.ServletContext servletContext)
servletContext
- the ServletContext
protected EnumSet<javax.servlet.DispatcherType> getSecurityDispatcherTypes()
DispatcherType
for the springSecurityFilterChain.protected boolean isAsyncSecuritySupported()