org.springframework.security.web.context

Class AbstractSecurityWebApplicationInitializer

java.lang.Object

org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer

All Implemented Interfaces:

WebApplicationInitializer

public abstract class AbstractSecurityWebApplicationInitializer
extends Object
implements WebApplicationInitializer

Registers the DelegatingFilterProxy to use the springSecurityFilterChain before any other registered Filter. When used with AbstractSecurityWebApplicationInitializer(Class...), it will also register a ContextLoaderListener. When used with AbstractSecurityWebApplicationInitializer(), this class is typically used in addition to a subclass of AbstractContextLoaderInitializer.

By default the DelegatingFilterProxy is registered without support, but can be enabled by overriding isAsyncSecuritySupported() and getSecurityDispatcherTypes().

Additional configuration before and after the springSecurityFilterChain can be added by overriding afterSpringSecurityFilterChain(ServletContext).

Caveats

Subclasses of AbstractDispatcherServletInitializer will register their filters before any other Filter. This means that you will typically want to ensure subclasses of AbstractDispatcherServletInitializer are invoked first. This can be done by ensuring the Order or Ordered of AbstractDispatcherServletInitializer are sooner than subclasses of AbstractSecurityWebApplicationInitializer.

Field Summary

Fields

Modifier and Type	Field and Description
static String	DEFAULT_FILTER_NAME

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	AbstractSecurityWebApplicationInitializer() Creates a new instance that assumes the Spring Security configuration is loaded by some other means than this class.
protected	AbstractSecurityWebApplicationInitializer(Class<?>... configurationClasses) Creates a new instance that will instantiate the ContextLoaderListener with the specified classes.

Method Summary

Modifier and Type	Method and Description
protected void	afterSpringSecurityFilterChain(javax.servlet.ServletContext servletContext) Invoked after the springSecurityFilterChain is added.
protected void	appendFilters(javax.servlet.ServletContext servletContext, javax.servlet.Filter... filters) Inserts the provided Filters after existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().
protected void	beforeSpringSecurityFilterChain(javax.servlet.ServletContext servletContext) Invoked before the springSecurityFilterChain is added.
protected boolean	enableHttpSessionEventPublisher() Override this if HttpSessionEventPublisher should be added as a listener.
protected String	getDispatcherWebApplicationContextSuffix() Return the <servlet-name> to use the DispatcherServlet's WebApplicationContext to find the DelegatingFilterProxy or null to use the parent ApplicationContext.
protected EnumSet<javax.servlet.DispatcherType>	getSecurityDispatcherTypes() Get the DispatcherType for the springSecurityFilterChain.
protected Set<javax.servlet.SessionTrackingMode>	getSessionTrackingModes() Determines how a session should be tracked.
protected void	insertFilters(javax.servlet.ServletContext servletContext, javax.servlet.Filter... filters) Inserts the provided Filters before existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().
protected boolean	isAsyncSecuritySupported() Determine if the springSecurityFilterChain should be marked as supporting asynch.
void	onStartup(javax.servlet.ServletContext servletContext)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_FILTER_NAME

public static final String DEFAULT_FILTER_NAME

See Also:

Constant Field Values

Constructor Detail

AbstractSecurityWebApplicationInitializer

protected AbstractSecurityWebApplicationInitializer()

Creates a new instance that assumes the Spring Security configuration is loaded by some other means than this class. For example, a user might create a ContextLoaderListener using a subclass of AbstractContextLoaderInitializer.

See Also:

ContextLoaderListener

AbstractSecurityWebApplicationInitializer

protected AbstractSecurityWebApplicationInitializer(Class<?>... configurationClasses)

Creates a new instance that will instantiate the ContextLoaderListener with the specified classes.

Parameters:

configurationClasses -

Method Detail

onStartup

public final void onStartup(javax.servlet.ServletContext servletContext)
                     throws javax.servlet.ServletException

Specified by:

onStartup in interface WebApplicationInitializer

Throws:

javax.servlet.ServletException

enableHttpSessionEventPublisher

protected boolean enableHttpSessionEventPublisher()

Override this if HttpSessionEventPublisher should be added as a listener. This should be true, if session management has specified a maximum number of sessions.

Returns:

true to add HttpSessionEventPublisher, else false

insertFilters

protected final void insertFilters(javax.servlet.ServletContext servletContext,
                                   javax.servlet.Filter... filters)

Inserts the provided Filters before existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().

Parameters:

servletContext - the ServletContext to use

filters - the Filters to register

appendFilters

protected final void appendFilters(javax.servlet.ServletContext servletContext,
                                   javax.servlet.Filter... filters)

Inserts the provided Filters after existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().

Parameters:

servletContext - the ServletContext to use

filters - the Filters to register

getSessionTrackingModes

protected Set<javax.servlet.SessionTrackingMode> getSessionTrackingModes()

Determines how a session should be tracked. By default, SessionTrackingMode.COOKIE is used.

Note that SessionTrackingMode.URL is intentionally omitted to help protected against session fixation attacks. SessionTrackingMode.SSL is omitted because SSL configuration is required for this to work.

Subclasses can override this method to make customizations.

Returns:

getDispatcherWebApplicationContextSuffix

protected String getDispatcherWebApplicationContextSuffix()

Return the <servlet-name> to use the DispatcherServlet's WebApplicationContext to find the DelegatingFilterProxy or null to use the parent ApplicationContext.

For example, if you are using AbstractDispatcherServletInitializer or AbstractAnnotationConfigDispatcherServletInitializer and using the provided Servlet name, you can return "dispatcher" from this method to use the DispatcherServlet's WebApplicationContext.

Returns:

the <servlet-name> of the DispatcherServlet to use its WebApplicationContext or null (default) to use the parent ApplicationContext.

beforeSpringSecurityFilterChain

protected void beforeSpringSecurityFilterChain(javax.servlet.ServletContext servletContext)

Invoked before the springSecurityFilterChain is added.

Parameters:

servletContext - the ServletContext

afterSpringSecurityFilterChain

protected void afterSpringSecurityFilterChain(javax.servlet.ServletContext servletContext)

Invoked after the springSecurityFilterChain is added.

Parameters:

servletContext - the ServletContext

getSecurityDispatcherTypes

protected EnumSet<javax.servlet.DispatcherType> getSecurityDispatcherTypes()

Get the DispatcherType for the springSecurityFilterChain.

Returns:

isAsyncSecuritySupported

protected boolean isAsyncSecuritySupported()

Determine if the springSecurityFilterChain should be marked as supporting asynch. Default is true.

Returns:

true if springSecurityFilterChain should be marked as supporting asynch