public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<SessionManagementConfigurer<H>,H>

Allows configuring session management.

The following filters are populated:
- SessionManagementFilter
- ConcurrentSessionFilter, if there are restrictions on how many concurrent sessions a user can have

The following shared objects are used:
- SecurityContextRepository
- AuthenticationTrustResolver, which is optionally used to populate the HttpSessionSecurityContextRepository and SessionManagementFilter

See Also:
SessionManagementFilter, ConcurrentSessionFilter
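The configurer is normally reached through the HttpSecurity DSL. The following is an added example (not code from this page or from the Spring Security project) showing the options this class exposes applied to two filter chains: a browser chain that keeps a server-side session and rotates its id on login, and an API chain that never creates one. It assumes a Spring Security 5.4 to 5.8 application (lambda DSL, SecurityFilterChain bean, javax.servlet; in 6.x the authorizeRequests/antMatchers calls are authorizeHttpRequests/requestMatchers); the paths /login, /session-expired and /api/** are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SessionSecurityConfig {

    // API chain (hypothetical /api/** prefix): credentials travel on every call and no
    // HttpSession is created or read, so there is no session id to fixate or to reuse.
    @Bean
    @Order(1)
    public SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // Acceptable only because this chain never relies on a browser cookie
            .csrf(csrf -> csrf.disable())
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    // Browser chain: session created on demand, id rotated at login, stale ids
    // sent to an explanatory page, and the id never written into URLs.
    @Bean
    public SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                .antMatchers("/login", "/session-expired").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .sessionManagement(session -> session
                // Create an HttpSession only when something actually needs it
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // Session fixation defence: change the id, keep the attributes
                .sessionFixation(fixation -> fixation.changeSessionId())
                // A JSESSIONID cookie that no longer maps to a live session
                .invalidSessionUrl("/session-expired")
                // Default is already false; shown to make the decision explicit
                .enableSessionUrlRewriting(false));
        return http.build();
    }
}
```

The chains are ordered so the stateless one claims /api/** first; the browser chain's invalidSessionUrl only fires for requests that present a session id the container no longer recognises, which is why a fresh first visit is not sent there.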
Modifier and Type | Class and Description |
---|---|
class | SessionManagementConfigurer.ConcurrencyControlConfigurer Allows configuring control of multiple concurrent sessions. |
class | SessionManagementConfigurer.SessionFixationConfigurer Allows configuring session fixation protection. |
Constructor and Description |
---|
SessionManagementConfigurer() Creates a new instance |
Modifier and Type | Method and Description |
---|---|
void | configure(H http) Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder. |
SessionManagementConfigurer<H> | enableSessionUrlRewriting(boolean enableSessionUrlRewriting) If set to true, allows HTTP sessions to be rewritten in the URLs when using HttpServletResponse.encodeRedirectURL(String) or HttpServletResponse.encodeURL(String), otherwise disallows HTTP sessions to be included in the URL. |
void | init(H http) Initialize the SecurityBuilder. |
SessionManagementConfigurer<H> | invalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy) Setting this attribute will inject the provided invalidSessionStrategy into the SessionManagementFilter. |
SessionManagementConfigurer<H> | invalidSessionUrl(java.lang.String invalidSessionUrl) Setting this attribute will inject the SessionManagementFilter with a SimpleRedirectInvalidSessionStrategy configured with the attribute value. |
SessionManagementConfigurer.ConcurrencyControlConfigurer | maximumSessions(int maximumSessions) Controls the maximum number of sessions for a user. |
SessionManagementConfigurer<H> | sessionAuthenticationErrorUrl(java.lang.String sessionAuthenticationErrorUrl) Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. |
SessionManagementConfigurer<H> | sessionAuthenticationFailureHandler(AuthenticationFailureHandler sessionAuthenticationFailureHandler) Defines the AuthenticationFailureHandler which will be used when the SessionAuthenticationStrategy raises an exception. |
SessionManagementConfigurer<H> | sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) Allows explicitly specifying the SessionAuthenticationStrategy. |
SessionManagementConfigurer<H> | sessionConcurrency(Customizer<SessionManagementConfigurer.ConcurrencyControlConfigurer> sessionConcurrencyCustomizer) Controls the maximum number of sessions for a user. |
SessionManagementConfigurer<H> | sessionCreationPolicy(SessionCreationPolicy sessionCreationPolicy) Allows specifying the SessionCreationPolicy. |
SessionManagementConfigurer.SessionFixationConfigurer | sessionFixation() Allows changing the default SessionFixationProtectionStrategy. |
SessionManagementConfigurer<H> | sessionFixation(Customizer<SessionManagementConfigurer.SessionFixationConfigurer> sessionFixationCustomizer) Allows configuring session fixation protection. |
Methods inherited from class AbstractHttpConfigurer:
disable, withObjectPostProcessor

Methods inherited from class SecurityConfigurerAdapter:
addObjectPostProcessor, and, getBuilder, postProcess, setBuilder
public SessionManagementConfigurer()
Creates a new instance
See Also:
HttpSecurity.sessionManagement()
public SessionManagementConfigurer<H> invalidSessionUrl(java.lang.String invalidSessionUrl)
Setting this attribute will inject the SessionManagementFilter with a SimpleRedirectInvalidSessionStrategy configured with the attribute value. When an invalid session ID is submitted, the strategy will be invoked, redirecting to the configured URL. If neither this nor invalidSessionStrategy(InvalidSessionStrategy) is set, a request carrying a stale session id is simply processed as unauthenticated.
Parameters:
invalidSessionUrl - the URL to redirect to when an invalid session is detected
Returns:
the SessionManagementConfigurer for further customization

public SessionManagementConfigurer<H> invalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)
Setting this attribute will inject the provided invalidSessionStrategy into the SessionManagementFilter. When an invalid session ID is submitted (a requested id the container no longer recognises, typically a cookie left over after a timeout), the strategy will be invoked; whether it redirects, returns an error status or clears the cookie is up to the strategy.
Parameters:
invalidSessionStrategy - the strategy to use when an invalid session ID is submitted.
Returns:
the SessionManagementConfigurer for further customization
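A plain redirect is wrong for script clients, which cannot act on an HTML login page. The following is an added example (not code from this page or from Spring Security) of an InvalidSessionStrategy that keeps the SimpleRedirectInvalidSessionStrategy behaviour for browsers but answers XHR/JSON clients with 401 and expires the stale cookie. It assumes Spring Security 5.x on javax.servlet; the class name ContentNegotiatingInvalidSessionStrategy, the path /login?invalid and the X-Requested-With heuristic are choices made for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;

public class ContentNegotiatingInvalidSessionStrategy implements InvalidSessionStrategy {

    // Browser path: the stock strategy creates a fresh session (its default) and
    // redirects, which also breaks the invalid -> redirect -> invalid loop.
    private final SimpleRedirectInvalidSessionStrategy browserStrategy;

    public ContentNegotiatingInvalidSessionStrategy(String invalidSessionUrl) {
        this.browserStrategy = new SimpleRedirectInvalidSessionStrategy(invalidSessionUrl);
    }

    @Override
    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        if (!isScriptClient(request)) {
            browserStrategy.onInvalidSessionDetected(request, response);
            return;
        }
        // Script path: no new session, tell the client to re-authenticate and
        // expire the dead cookie so it stops being resent on every call.
        expireSessionCookie(request, response);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.getWriter().write("{\"error\":\"session_invalid\"}");
    }

    // Heuristic chosen for this example: explicit XHR marker or a JSON-only Accept header
    private static boolean isScriptClient(HttpServletRequest request) {
        String accept = request.getHeader("Accept");
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"))
                || (accept != null && accept.contains("application/json") && !accept.contains("text/html"));
    }

    private static void expireSessionCookie(HttpServletRequest request, HttpServletResponse response) {
        String name = request.getServletContext().getSessionCookieConfig().getName();
        Cookie stale = new Cookie(name != null ? name : "JSESSIONID", "");
        stale.setMaxAge(0);
        stale.setHttpOnly(true);
        stale.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
        response.addCookie(stale);
    }
}

// Wiring for the strategy above (same file for the example; package-private class)
@Configuration
class InvalidSessionConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz.antMatchers("/login").permitAll().anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                .invalidSessionStrategy(new ContentNegotiatingInvalidSessionStrategy("/login?invalid")));
        return http.build();
    }
}
```

The cookie path must match the one the container used when it issued the session cookie, otherwise the browser keeps the stale copy; the example derives it from the context path, which is the container default.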
public SessionManagementConfigurer<H> sessionAuthenticationErrorUrl(java.lang.String sessionAuthenticationErrorUrl)
Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception.
Parameters:
sessionAuthenticationErrorUrl - the URL to redirect to
Returns:
the SessionManagementConfigurer for further customization

public SessionManagementConfigurer<H> sessionAuthenticationFailureHandler(AuthenticationFailureHandler sessionAuthenticationFailureHandler)
Defines the AuthenticationFailureHandler which will be used when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (401) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
Parameters:
sessionAuthenticationFailureHandler - the handler to use
Returns:
the SessionManagementConfigurer for further customization
public SessionManagementConfigurer<H> enableSessionUrlRewriting(boolean enableSessionUrlRewriting)
If set to true, allows HTTP sessions to be rewritten in the URLs when using HttpServletResponse.encodeRedirectURL(String) or HttpServletResponse.encodeURL(String), otherwise disallows HTTP sessions to be included in the URL. This prevents leaking information to external domains: a session id carried in a URL is exposed through Referer headers, browser history and server logs, and a URL with an attacker-chosen id is the classic session fixation vector, so leave this at its default of false.
Parameters:
enableSessionUrlRewriting - true if should allow the JSESSIONID to be rewritten into the URLs, else false (default)
Returns:
the SessionManagementConfigurer for further customization
See Also:
HttpSessionSecurityContextRepository.setDisableUrlRewriting(boolean)

public SessionManagementConfigurer<H> sessionCreationPolicy(SessionCreationPolicy sessionCreationPolicy)
Allows specifying the SessionCreationPolicy.
Parameters:
sessionCreationPolicy - the SessionCreationPolicy to use. Cannot be null.
Returns:
the SessionManagementConfigurer for further customization
Throws:
java.lang.IllegalArgumentException - if SessionCreationPolicy is null.
See Also:
SessionCreationPolicy
public SessionManagementConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy)
Allows explicitly specifying the SessionAuthenticationStrategy.
The default is to use ChangeSessionIdAuthenticationStrategy.
If restricting the maximum number of sessions is configured, then a CompositeSessionAuthenticationStrategy is used, delegating in order to ConcurrentSessionControlAuthenticationStrategy, the default OR supplied SessionAuthenticationStrategy, and RegisterSessionAuthenticationStrategy.
NOTE: Supplying a custom SessionAuthenticationStrategy will override the default session fixation strategy. A custom strategy that does not itself change the session id therefore leaves the application open to session fixation unless it is composed with one that does.
Parameters:
sessionAuthenticationStrategy - the SessionAuthenticationStrategy to use
Returns:
the SessionManagementConfigurer for further customization
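Because a supplied strategy replaces the default ChangeSessionIdAuthenticationStrategy rather than adding to it, a custom strategy should be composed with an explicit fixation-protection strategy. The following is an added example (not code from this page or from Spring Security): a strategy that records login time and client address in the session, wrapped in a CompositeSessionAuthenticationStrategy so the id is still rotated first. It assumes Spring Security 5.4 to 5.8 on javax.servlet; AuditSessionAuthenticationStrategy and the attribute names are choices made for the example.

```java
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
public class CustomSessionAuthenticationConfig {

    // Example-only strategy: stamps the session with when and from where the
    // login happened. On its own, passing it to sessionAuthenticationStrategy(...)
    // would silently drop the default session-id rotation.
    static class AuditSessionAuthenticationStrategy implements SessionAuthenticationStrategy {
        @Override
        public void onAuthentication(Authentication authentication,
                                     HttpServletRequest request, HttpServletResponse response) {
            request.getSession().setAttribute("AUTH_TIME", System.currentTimeMillis());
            request.getSession().setAttribute("AUTH_REMOTE_ADDR", request.getRemoteAddr());
        }
    }

    @Bean
    public SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // Order matters: rotate the id first, then write into the post-login session,
        // so nothing is stored under an id the attacker may already know.
        return new CompositeSessionAuthenticationStrategy(Arrays.asList(
                new ChangeSessionIdAuthenticationStrategy(),
                new AuditSessionAuthenticationStrategy()));
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           SessionAuthenticationStrategy strategy) throws Exception {
        http
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session.sessionAuthenticationStrategy(strategy));
        return http.build();
    }
}
```

If maximumSessions is also configured, the configurer wraps this composite in its own CompositeSessionAuthenticationStrategy together with the concurrency-control and session-registration strategies, as described above, so those do not need to be added here.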
public SessionManagementConfigurer.SessionFixationConfigurer sessionFixation()
Allows changing the default SessionFixationProtectionStrategy.
Returns:
the SessionManagementConfigurer.SessionFixationConfigurer for further customization

public SessionManagementConfigurer<H> sessionFixation(Customizer<SessionManagementConfigurer.SessionFixationConfigurer> sessionFixationCustomizer)
Allows configuring session fixation protection.
Parameters:
sessionFixationCustomizer - the Customizer to provide more options for the SessionManagementConfigurer.SessionFixationConfigurer
Returns:
the SessionManagementConfigurer for further customization

public SessionManagementConfigurer.ConcurrencyControlConfigurer maximumSessions(int maximumSessions)
Controls the maximum number of sessions for a user.
Parameters:
maximumSessions - the maximum number of sessions for a user
Returns:
the SessionManagementConfigurer.ConcurrencyControlConfigurer for further customization

public SessionManagementConfigurer<H> sessionConcurrency(Customizer<SessionManagementConfigurer.ConcurrencyControlConfigurer> sessionConcurrencyCustomizer)
Controls the maximum number of sessions for a user.
Parameters:
sessionConcurrencyCustomizer - the Customizer to provide more options for the SessionManagementConfigurer.ConcurrencyControlConfigurer
Returns:
the SessionManagementConfigurer for further customization
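Concurrency control only works if the SessionRegistry learns when the container destroys sessions, which requires an HttpSessionEventPublisher; without it, every timed-out session still counts against the limit. The following is an added example (not code from this page or from Spring Security) of the sessionConcurrency customizer with an explicit registry and listener, plus a helper that uses the same registry to expire all of a user's sessions. It assumes Spring Security 5.4 to 5.8 on javax.servlet; the paths /login and /login/expired and the helper expireAllSessions are choices made for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
public class ConcurrentSessionConfig {

    // Shared by ConcurrentSessionControlAuthenticationStrategy,
    // RegisterSessionAuthenticationStrategy and ConcurrentSessionFilter.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Publishes HttpSessionDestroyedEvent so the registry drops sessions that
    // time out or are invalidated; mandatory for the limit to mean anything.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, SessionRegistry registry) throws Exception {
        http
            .authorizeRequests(authz -> authz
                .antMatchers("/login", "/login/expired").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                .sessionConcurrency(concurrency -> concurrency
                    .maximumSessions(1)
                    // false (default): a new login expires the oldest session;
                    // true: the new login is rejected with a SessionAuthenticationException,
                    // which form login routes to its failure URL and other entry points
                    // route to sessionAuthenticationFailureHandler
                    .maxSessionsPreventsLogin(false)
                    .sessionRegistry(registry)
                    // Where ConcurrentSessionFilter sends a request whose session was expired
                    .expiredUrl("/login/expired")));
        return http.build();
    }

    // Operational helper (example only): expire every live session of a principal,
    // e.g. after a password reset or a compromise report. ConcurrentSessionFilter
    // invalidates each HttpSession on that user's next request. Returns the count.
    public static int expireAllSessions(SessionRegistry registry, Object principal) {
        int expired = 0;
        for (SessionInformation info : registry.getAllSessions(principal, false)) {
            info.expireNow();
            expired++;
        }
        return expired;
    }
}
```

SessionRegistryImpl keys sessions by the principal object, so getAllSessions(principal, false) must be called with something equal to what was authenticated; the default User class compares by username, but a custom UserDetails needs equals and hashCode for the limit and the helper to work.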
public void init(H http)
Description copied from interface: SecurityConfigurer
Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building. Configurers should be applied here.
Specified by:
init in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides:
init in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

public void configure(H http)
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
Specified by:
configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides:
configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>