Package org.springframework.security.config.annotation.web.configurers

Class SessionManagementConfigurer.SessionFixationConfigurer

java.lang.Object

org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer.SessionFixationConfigurer

Enclosing class:

SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>

public final class SessionManagementConfigurer.SessionFixationConfigurer
extends java.lang.Object

Allows configuring SessionFixation protection

Constructor Summary

Constructors

Constructor	Description
SessionFixationConfigurer()

Method Summary

Modifier and Type	Method	Description
SessionManagementConfigurer<H>	changeSessionId()	Specifies that the Servlet container-provided session fixation protection should be used.
SessionManagementConfigurer<H>	migrateSession()	Specifies that a new session should be created and the session attributes from the original HttpSession should be retained.
SessionManagementConfigurer<H>	newSession()	Specifies that a new session should be created, but the session attributes from the original HttpSession should not be retained.
SessionManagementConfigurer<H>	none()	Specifies that no session fixation protection should be enabled.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SessionFixationConfigurer

public SessionFixationConfigurer()

Method Detail

newSession

public SessionManagementConfigurer<H> newSession()

Specifies that a new session should be created, but the session attributes from the original HttpSession should not be retained.

Returns:

the SessionManagementConfigurer for further customizations

migrateSession

public SessionManagementConfigurer<H> migrateSession()

Specifies that a new session should be created and the session attributes from the original HttpSession should be retained.

Returns:

the SessionManagementConfigurer for further customizations

changeSessionId

public SessionManagementConfigurer<H> changeSessionId()

Specifies that the Servlet container-provided session fixation protection should be used. When a session authenticates, the Servlet method HttpServletRequest#changeSessionId() is called to change the session ID and retain all session attributes.

Returns:

the SessionManagementConfigurer for further customizations

none

public SessionManagementConfigurer<H> none()

Specifies that no session fixation protection should be enabled. This may be useful when utilizing other mechanisms for protecting against session fixation. For example, if application container session fixation protection is already in use. Otherwise, this option is not recommended.

Returns:

the SessionManagementConfigurer for further customizations