public final class ChangeSessionIdAuthenticationStrategy extends Object
HttpServletRequest.changeSessionId()
to protect against session fixation
attacks. This is the default implementation for Servlet 3.1+.Modifier and Type | Class and Description |
---|---|
protected static class |
org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy.NullEventPublisher |
Modifier and Type | Field and Description |
---|---|
protected org.apache.commons.logging.Log |
logger |
Constructor and Description |
---|
ChangeSessionIdAuthenticationStrategy() |
Modifier and Type | Method and Description |
---|---|
void |
onAuthentication(Authentication authentication,
javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Called when a user is newly authenticated.
|
protected void |
onSessionChange(String originalSessionId,
javax.servlet.http.HttpSession newSession,
Authentication auth)
Called when the session has been changed and the old attributes have been migrated
to the new session.
|
void |
setAlwaysCreateSession(boolean alwaysCreateSession) |
void |
setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)
Sets the
ApplicationEventPublisher to use for submitting
SessionFixationProtectionEvent . |
public ChangeSessionIdAuthenticationStrategy()
public void onAuthentication(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
If a session already exists, and matches the session Id from the client, a new
session will be created, and the session attributes copied to it (if
migrateSessionAttributes
is set). If the client's requested session Id is
invalid, nothing will be done, since there is no need to change the session Id if
it doesn't match the current session.
If there is no session, no action is taken unless the alwaysCreateSession
property is set, in which case a session will be created if one doesn't already
exist.
onAuthentication
in interface SessionAuthenticationStrategy
protected void onSessionChange(String originalSessionId, javax.servlet.http.HttpSession newSession, Authentication auth)
The default implementation of this method publishes a
SessionFixationProtectionEvent
to notify the application that the session
ID has changed. If you override this method and still wish these events to be
published, you should call super.onSessionChange()
within your overriding
method.
originalSessionId
- the original session identifiernewSession
- the newly created sessionauth
- the token for the newly authenticated principalpublic void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)
ApplicationEventPublisher
to use for submitting
SessionFixationProtectionEvent
. The default is to not submit the
SessionFixationProtectionEvent
.setApplicationEventPublisher
in interface ApplicationEventPublisherAware
applicationEventPublisher
- the ApplicationEventPublisher
. Cannot be
null.public void setAlwaysCreateSession(boolean alwaysCreateSession)