public class CompositeSessionAuthenticationStrategy extends Object implements SessionAuthenticationStrategy
A SessionAuthenticationStrategy that accepts multiple SessionAuthenticationStrategy implementations to delegate to. Each SessionAuthenticationStrategy is invoked in turn. The invocations are short circuited if any exception (i.e. SessionAuthenticationException) is thrown.
Typical usage would include having the following delegates (in this order):

- ConcurrentSessionControlAuthenticationStrategy - verifies that a user is allowed to authenticate (i.e. they have not already logged into the application).
- SessionFixationProtectionStrategy - If session fixation protection is desired, SessionFixationProtectionStrategy should be after ConcurrentSessionControlAuthenticationStrategy to prevent unnecessary HttpSession creation if the ConcurrentSessionControlAuthenticationStrategy rejects authentication.
- RegisterSessionAuthenticationStrategy - It is important this is after SessionFixationProtectionStrategy so that the correct session is registered.

Constructor and Description |
---|
CompositeSessionAuthenticationStrategy(List<SessionAuthenticationStrategy> delegateStrategies) |

Modifier and Type | Method and Description |
---|---|
void | onAuthentication(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Performs HTTP session-related functionality when a new authentication occurs. |
String | toString() |

public CompositeSessionAuthenticationStrategy(List<SessionAuthenticationStrategy> delegateStrategies)
public void onAuthentication(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws SessionAuthenticationException
SessionAuthenticationStrategy
Specified by: onAuthentication in interface SessionAuthenticationStrategy
Throws: SessionAuthenticationException - if it is decided that the authentication is not allowed for the session. This will typically be because the user has too many sessions open at once.
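
The delegate order from the class description, wired as Spring Java configuration. This is an added example, not code from the Spring Security project; the class name `SessionStrategyConfig`, the bean names and the session limit of 1 are assumptions.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

// Hypothetical configuration class; names and the session limit are assumptions.
@Configuration
public class SessionStrategyConfig {

    // One registry instance must be shared by the concurrency check and the
    // registration step, otherwise the limit is checked against an empty registry.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Bean
    public SessionAuthenticationStrategy sessionAuthenticationStrategy(SessionRegistry registry) {
        // 1. Reject the login before any session work if the user is over the limit.
        ConcurrentSessionControlAuthenticationStrategy concurrency =
                new ConcurrentSessionControlAuthenticationStrategy(registry);
        concurrency.setMaximumSessions(1);               // assumed limit
        concurrency.setExceptionIfMaximumExceeded(true); // throw instead of expiring the oldest session

        // 2. Replace the pre-login session so a fixated session id is not carried over.
        SessionFixationProtectionStrategy fixation = new SessionFixationProtectionStrategy();

        // 3. Register the session that exists after step 2, not the discarded one.
        RegisterSessionAuthenticationStrategy register =
                new RegisterSessionAuthenticationStrategy(registry);

        // List order is invocation order; an exception from step 1 skips steps 2 and 3.
        return new CompositeSessionAuthenticationStrategy(
                Arrays.<SessionAuthenticationStrategy>asList(concurrency, fixation, register));
    }
}
```

The composite only takes effect once it is set on the authentication filter, for example through `AbstractAuthenticationProcessingFilter.setSessionAuthenticationStrategy`. `SessionRegistryImpl` also relies on `HttpSessionEventPublisher` being registered as a servlet listener so that ended sessions are removed from the count.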