public class HttpSessionSecurityContextRepository extends Object implements SecurityContextRepository
SecurityContextRepositoryimplementation which stores the security context in the
HttpSession will be queried to retrieve the
SecurityContext in the loadContext
method (using the key
SPRING_SECURITY_CONTEXT_KEY by default). If a valid
SecurityContext cannot be
obtained from the
HttpSession for whatever reason, a fresh
SecurityContext will be created
by calling by
SecurityContextHolder.createEmptyContext() and this instance will be returned instead.
When saveContext is called, the context will be stored under the same key, provided
With the standard configuration, no
HttpSession will be created during loadContext if one does
not already exist. When saveContext is called at the end of the web request, and no session exists, a new
HttpSession will only be created if the supplied
SecurityContext is not equal
to an empty
SecurityContext instance. This avoids needless
but automates the storage of changes made to the context during the request. Note that if
SecurityContextPersistenceFilter is configured to eagerly create sessions, then the session-minimisation
logic applied here will not make any difference. If you are using eager session creation, then you should
ensure that the allowSessionCreation property of this class is set to true (the default).
If for whatever reason no
HttpSession should ever be created (for example, if
Basic authentication is being used or similar clients that will never present the same
allowSessionCreation should be set to
Only do this if you really need to conserve server memory and ensure all classes using the
SecurityContextHolder are designed to have no persistence of the
between web requests.
|Modifier and Type||Field and Description|
The default key under which the security context will be stored in the session.
|Constructor and Description|
|Modifier and Type||Method and Description|
Allows the repository to be queried as to whether it contains a security context for the current request.
By default, calls
Gets the security context for the current request (if available) and returns it.
Stores the security context on completion of a request.
If set to true (the default), a session will be created (if required) to store the security context if it is determined that its contents are different from the default empty context value.
Allows the use of session identifiers in URLs to be disabled.
Allows the session attribute name to be customized for this repository instance.
public static final String SPRING_SECURITY_CONTEXT_KEY
protected final org.apache.commons.logging.Log logger
public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder)
If the session is null, the context object is null or the context object stored in the session
is not an instance of
SecurityContext, a new context object will be generated and
requestResponseHolder- holder for the current request and response for which the context should be loaded.
public void saveContext(SecurityContext context, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
context- the non-null context which was obtained from the holder.
public boolean containsContext(javax.servlet.http.HttpServletRequest request)
request- the current request
protected SecurityContext generateNewContext()
SecurityContextHolder.createEmptyContext()to obtain a new context (there should be no context present in the holder when this method is called). Using this approach the context creation strategy is decided by the
SecurityContextHolderStrategyin use. The default implementations will return a new SecurityContextImpl.
public void setAllowSessionCreation(boolean allowSessionCreation)
Note that setting this flag to false does not prevent this class from storing the security context. If your application (or another filter) creates a session, then the security context will still be stored for an authenticated user.
public void setDisableUrlRewriting(boolean disableUrlRewriting)
disableUrlRewriting- set to true to disable URL encoding methods in the response wrapper and prevent the use of jsessionid parameters.
public void setSpringSecurityContextKey(String springSecurityContextKey)
springSecurityContextKey- the key under which the security context will be stored. Defaults to
public void setTrustResolver(AuthenticationTrustResolver trustResolver)
AuthenticationTrustResolverto be used. The default is
AuthenticationTrustResolverto use. Cannot be null.