Class ChangeSessionIdAuthenticationStrategy
- java.lang.Object
-
- org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy
-
- All Implemented Interfaces:
org.springframework.beans.factory.Aware
,org.springframework.context.ApplicationEventPublisherAware
,SessionAuthenticationStrategy
public final class ChangeSessionIdAuthenticationStrategy extends java.lang.Object
UsesHttpServletRequest.changeSessionId()
to protect against session fixation attacks. This is the default implementation.- Since:
- 3.2
-
-
Field Summary
Fields Modifier and Type Field Description protected org.apache.commons.logging.Log
logger
-
Constructor Summary
Constructors Constructor Description ChangeSessionIdAuthenticationStrategy()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description void
onAuthentication(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Called when a user is newly authenticated.protected void
onSessionChange(java.lang.String originalSessionId, javax.servlet.http.HttpSession newSession, Authentication auth)
Called when the session has been changed and the old attributes have been migrated to the new session.void
setAlwaysCreateSession(boolean alwaysCreateSession)
void
setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
Sets theApplicationEventPublisher
to use for submittingSessionFixationProtectionEvent
.
-
-
-
Method Detail
-
onAuthentication
public void onAuthentication(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Called when a user is newly authenticated.If a session already exists, and matches the session Id from the client, a new session will be created, and the session attributes copied to it (if
migrateSessionAttributes
is set). If the client's requested session Id is invalid, nothing will be done, since there is no need to change the session Id if it doesn't match the current session.If there is no session, no action is taken unless the
alwaysCreateSession
property is set, in which case a session will be created if one doesn't already exist.- Specified by:
onAuthentication
in interfaceSessionAuthenticationStrategy
-
onSessionChange
protected void onSessionChange(java.lang.String originalSessionId, javax.servlet.http.HttpSession newSession, Authentication auth)
Called when the session has been changed and the old attributes have been migrated to the new session. Only called if a session existed to start with. Allows subclasses to plug in additional behaviour. *The default implementation of this method publishes a
SessionFixationProtectionEvent
to notify the application that the session ID has changed. If you override this method and still wish these events to be published, you should callsuper.onSessionChange()
within your overriding method.- Parameters:
originalSessionId
- the original session identifiernewSession
- the newly created sessionauth
- the token for the newly authenticated principal
-
setApplicationEventPublisher
public void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
Sets theApplicationEventPublisher
to use for submittingSessionFixationProtectionEvent
. The default is to not submit theSessionFixationProtectionEvent
.- Specified by:
setApplicationEventPublisher
in interfaceorg.springframework.context.ApplicationEventPublisherAware
- Parameters:
applicationEventPublisher
- theApplicationEventPublisher
. Cannot be null.
-
setAlwaysCreateSession
public void setAlwaysCreateSession(boolean alwaysCreateSession)
-
-