Class ChangeSessionIdAuthenticationStrategy

  • All Implemented Interfaces:
    org.springframework.beans.factory.Aware, org.springframework.context.ApplicationEventPublisherAware, SessionAuthenticationStrategy

    public final class ChangeSessionIdAuthenticationStrategy
    extends java.lang.Object
    Uses HttpServletRequest.changeSessionId() to protect against session fixation attacks. This is the default implementation.
    Since:
    3.2
    • Field Summary

      Fields 
      Modifier and Type Field Description
      protected org.apache.commons.logging.Log logger  
    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      void onAuthentication​(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Called when a user is newly authenticated.
      protected void onSessionChange​(java.lang.String originalSessionId, javax.servlet.http.HttpSession newSession, Authentication auth)
      Called when the session has been changed and the old attributes have been migrated to the new session.
      void setAlwaysCreateSession​(boolean alwaysCreateSession)  
      void setApplicationEventPublisher​(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
      Sets the ApplicationEventPublisher to use for submitting SessionFixationProtectionEvent.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • logger

        protected final org.apache.commons.logging.Log logger
    • Constructor Detail

      • ChangeSessionIdAuthenticationStrategy

        public ChangeSessionIdAuthenticationStrategy()
    • Method Detail

      • onAuthentication

        public void onAuthentication​(Authentication authentication,
                                     javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response)
        Called when a user is newly authenticated.

        If a session already exists, and matches the session Id from the client, a new session will be created, and the session attributes copied to it (if migrateSessionAttributes is set). If the client's requested session Id is invalid, nothing will be done, since there is no need to change the session Id if it doesn't match the current session.

        If there is no session, no action is taken unless the alwaysCreateSession property is set, in which case a session will be created if one doesn't already exist.

        Specified by:
        onAuthentication in interface SessionAuthenticationStrategy
      • onSessionChange

        protected void onSessionChange​(java.lang.String originalSessionId,
                                       javax.servlet.http.HttpSession newSession,
                                       Authentication auth)
        Called when the session has been changed and the old attributes have been migrated to the new session. Only called if a session existed to start with. Allows subclasses to plug in additional behaviour. *

        The default implementation of this method publishes a SessionFixationProtectionEvent to notify the application that the session ID has changed. If you override this method and still wish these events to be published, you should call super.onSessionChange() within your overriding method.

        Parameters:
        originalSessionId - the original session identifier
        newSession - the newly created session
        auth - the token for the newly authenticated principal
      • setApplicationEventPublisher

        public void setApplicationEventPublisher​(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
        Sets the ApplicationEventPublisher to use for submitting SessionFixationProtectionEvent. The default is to not submit the SessionFixationProtectionEvent.
        Specified by:
        setApplicationEventPublisher in interface org.springframework.context.ApplicationEventPublisherAware
        Parameters:
        applicationEventPublisher - the ApplicationEventPublisher. Cannot be null.
      • setAlwaysCreateSession

        public void setAlwaysCreateSession​(boolean alwaysCreateSession)