Package org.springframework.security.web.authentication.session
Strategy interface and implementations for handling session-related behaviour for a newly authenticated user.
Comes with support for:
- Protection against session-fixation attacks
- Controlling the number of sessions an authenticated user can have open
-
Interface Summary Interface Description SessionAuthenticationStrategy Allows pluggable support for HttpSession-related behaviour when an authentication occurs. -
Class Summary Class Description ChangeSessionIdAuthenticationStrategy UsesHttpServletRequest.changeSessionId()
to protect against session fixation attacks.CompositeSessionAuthenticationStrategy ASessionAuthenticationStrategy
that accepts multipleSessionAuthenticationStrategy
implementations to delegate to.ConcurrentSessionControlAuthenticationStrategy Strategy which handles concurrent session-control.NullAuthenticatedSessionStrategy RegisterSessionAuthenticationStrategy Strategy used to register a user with theSessionRegistry
after successfulAuthentication
.SessionFixationProtectionEvent Indicates a session ID was changed for the purposes of session fixation protection.SessionFixationProtectionStrategy UsesHttpServletRequest.invalidate()
to protect against session fixation attacks. -
Exception Summary Exception Description SessionAuthenticationException Thrown by an SessionAuthenticationStrategy to indicate that an authentication object is not valid for the current session, typically because the same user has exceeded the number of sessions they are allowed to have concurrently.