public class HttpSessionSecurityContextRepository extends java.lang.Object implements SecurityContextRepository
SecurityContextRepository
implementation which stores the security context in
the HttpSession
between requests.
The HttpSession
will be queried to retrieve the SecurityContext
in the
loadContext method (using the key SPRING_SECURITY_CONTEXT_KEY
by
default). If a valid SecurityContext
cannot be obtained from the
HttpSession
for whatever reason, a fresh SecurityContext
will be
created by calling by SecurityContextHolder.createEmptyContext()
and this
instance will be returned instead.
When saveContext is called, the context will be stored under the same key, provided
With the standard configuration, no HttpSession
will be created during
loadContext if one does not already exist. When saveContext is called
at the end of the web request, and no session exists, a new HttpSession
will
only be created if the supplied SecurityContext
is not equal to an empty
SecurityContext
instance. This avoids needless HttpSession
creation, but automates the storage of changes made to the context during the request.
Note that if SecurityContextPersistenceFilter
is configured to eagerly create
sessions, then the session-minimisation logic applied here will not make any
difference. If you are using eager session creation, then you should ensure that the
allowSessionCreation property of this class is set to true (the
default).
If for whatever reason no HttpSession
should ever be created (for
example, if Basic authentication is being used or similar clients that will never
present the same jsessionid
), then allowSessionCreation
should be set to false
. Only do this if you really
need to conserve server memory and ensure all classes using the
SecurityContextHolder
are designed to have no persistence of the
SecurityContext
between web requests.
Modifier and Type | Field and Description |
---|---|
protected org.apache.commons.logging.Log |
logger |
static java.lang.String |
SPRING_SECURITY_CONTEXT_KEY
The default key under which the security context will be stored in the session.
|
Constructor and Description |
---|
HttpSessionSecurityContextRepository() |
Modifier and Type | Method and Description |
---|---|
boolean |
containsContext(javax.servlet.http.HttpServletRequest request)
Allows the repository to be queried as to whether it contains a security context
for the current request.
|
protected SecurityContext |
generateNewContext()
By default, calls
SecurityContextHolder.createEmptyContext() to obtain a
new context (there should be no context present in the holder when this method is
called). |
SecurityContext |
loadContext(HttpRequestResponseHolder requestResponseHolder)
Gets the security context for the current request (if available) and returns it.
|
void |
saveContext(SecurityContext context,
javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Stores the security context on completion of a request.
|
void |
setAllowSessionCreation(boolean allowSessionCreation)
If set to true (the default), a session will be created (if required) to store the
security context if it is determined that its contents are different from the
default empty context value.
|
void |
setDisableUrlRewriting(boolean disableUrlRewriting)
Allows the use of session identifiers in URLs to be disabled.
|
void |
setSpringSecurityContextKey(java.lang.String springSecurityContextKey)
Allows the session attribute name to be customized for this repository instance.
|
void |
setTrustResolver(AuthenticationTrustResolver trustResolver)
Sets the
AuthenticationTrustResolver to be used. |
public static final java.lang.String SPRING_SECURITY_CONTEXT_KEY
protected final org.apache.commons.logging.Log logger
public HttpSessionSecurityContextRepository()
public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder)
If the session is null, the context object is null or the context object stored in
the session is not an instance of SecurityContext
, a new context object
will be generated and returned.
loadContext
in interface SecurityContextRepository
requestResponseHolder
- holder for the current request and response for which
the context should be loaded.public void saveContext(SecurityContext context, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
SecurityContextRepository
saveContext
in interface SecurityContextRepository
context
- the non-null context which was obtained from the holder.public boolean containsContext(javax.servlet.http.HttpServletRequest request)
SecurityContextRepository
containsContext
in interface SecurityContextRepository
request
- the current requestprotected SecurityContext generateNewContext()
SecurityContextHolder.createEmptyContext()
to obtain a
new context (there should be no context present in the holder when this method is
called). Using this approach the context creation strategy is decided by the
SecurityContextHolderStrategy
in use. The default implementations will
return a new SecurityContextImpl.public void setAllowSessionCreation(boolean allowSessionCreation)
Note that setting this flag to false does not prevent this class from storing the security context. If your application (or another filter) creates a session, then the security context will still be stored for an authenticated user.
allowSessionCreation
- public void setDisableUrlRewriting(boolean disableUrlRewriting)
disableUrlRewriting
- set to true to disable URL encoding methods in
the response wrapper and prevent the use of jsessionid parameters.public void setSpringSecurityContextKey(java.lang.String springSecurityContextKey)
springSecurityContextKey
- the key under which the security context will be
stored. Defaults to SPRING_SECURITY_CONTEXT_KEY
.public void setTrustResolver(AuthenticationTrustResolver trustResolver)
AuthenticationTrustResolver
to be used. The default is
AuthenticationTrustResolverImpl
.trustResolver
- the AuthenticationTrustResolver
to use. Cannot be
null.