org.springframework.security.web.authentication.session

Class CompositeSessionAuthenticationStrategy

java.lang.Object

org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy

All Implemented Interfaces:

SessionAuthenticationStrategy

public class CompositeSessionAuthenticationStrategy
extends Object
implements SessionAuthenticationStrategy

A SessionAuthenticationStrategy that accepts multiple SessionAuthenticationStrategy implementations to delegate to. Each SessionAuthenticationStrategy is invoked in turn. The invocations are short circuited if any exception, (i.e. SessionAuthenticationException) is thrown.

Typical usage would include having the following delegates (in this order)

• ConcurrentSessionControlAuthenticationStrategy - verifies that a user is allowed to authenticate (i.e. they have not already logged into the application.
• SessionFixationProtectionStrategy - If session fixation is desired, SessionFixationProtectionStrategy should be after ConcurrentSessionControlAuthenticationStrategy to prevent unnecessary HttpSession creation if the ConcurrentSessionControlAuthenticationStrategy rejects authentication.
• RegisterSessionAuthenticationStrategy - It is important this is after SessionFixationProtectionStrategy so that the correct session is registered.

Since:

3.2

Constructor Summary

Constructors

Constructor and Description
CompositeSessionAuthenticationStrategy(List<SessionAuthenticationStrategy> delegateStrategies)

Method Summary

Methods

Modifier and Type	Method and Description
void	onAuthentication(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Performs Http session-related functionality when a new authentication occurs.
String	toString()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

CompositeSessionAuthenticationStrategy

public CompositeSessionAuthenticationStrategy(List<SessionAuthenticationStrategy> delegateStrategies)

Method Detail

onAuthentication

public void onAuthentication(Authentication authentication,
                    javax.servlet.http.HttpServletRequest request,
                    javax.servlet.http.HttpServletResponse response)
                      throws SessionAuthenticationException

Description copied from interface: SessionAuthenticationStrategy

Performs Http session-related functionality when a new authentication occurs.

Specified by:

onAuthentication in interface SessionAuthenticationStrategy

Throws:

SessionAuthenticationException - if it is decided that the authentication is not allowed for the session. This will typically be because the user has too many sessions open at once.

toString

public String toString()

Overrides:

toString in class Object