Class AbstractSecurityWebApplicationInitializer

  • All Implemented Interfaces:
    org.springframework.web.WebApplicationInitializer

    public abstract class AbstractSecurityWebApplicationInitializer
    extends java.lang.Object
    implements org.springframework.web.WebApplicationInitializer
    Registers the DelegatingFilterProxy to use the springSecurityFilterChain before any other registered Filter. When used with AbstractSecurityWebApplicationInitializer(Class...), it will also register a ContextLoaderListener. When used with AbstractSecurityWebApplicationInitializer(), this class is typically used in addition to a subclass of AbstractContextLoaderInitializer.

    By default the DelegatingFilterProxy is registered without support, but can be enabled by overriding isAsyncSecuritySupported() and getSecurityDispatcherTypes().

    Additional configuration before and after the springSecurityFilterChain can be added by overriding beforeSpringSecurityFilterChain(ServletContext) and afterSpringSecurityFilterChain(ServletContext).

    Caveats

    Subclasses of AbstractDispatcherServletInitializer will register their filters before any other Filter. This means that you will typically want to ensure subclasses of AbstractDispatcherServletInitializer are invoked first. This can be done by ensuring that the Order or Ordered of AbstractDispatcherServletInitializer is earlier than that of subclasses of AbstractSecurityWebApplicationInitializer.
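
    An added example, not part of the original Javadoc or the Spring Security code base: one subclass that uses the extension points documented on this page. SecurityInitializer, SecurityConfig, the Order value and the choice of CharacterEncodingFilter are assumptions made for illustration.

```java
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.DispatcherType;
import javax.servlet.ServletContext;
import javax.servlet.SessionTrackingMode;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.filter.CharacterEncodingFilter;

// Hypothetical subclass. The Order value is an assumption: it must sort after the
// application's AbstractDispatcherServletInitializer subclass (see Caveats).
@Order(200)
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {

    // Constructed placeholder configuration; a real application declares its rules here.
    @EnableWebSecurity
    static class SecurityConfig { }

    public SecurityInitializer() {
        // Class... constructor: also registers a ContextLoaderListener for SecurityConfig.
        super(SecurityConfig.class);
    }

    @Override
    protected boolean enableHttpSessionEventPublisher() {
        // Needed when session management sets a maximum number of sessions.
        return true;
    }

    @Override
    protected Set<SessionTrackingMode> getSessionTrackingModes() {
        // Pin cookie-only tracking so session ids never appear in URLs.
        return EnumSet.of(SessionTrackingMode.COOKIE);
    }

    @Override
    protected EnumSet<DispatcherType> getSecurityDispatcherTypes() {
        // Run the security chain on forwards too, not only direct, error and async dispatches.
        return EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR,
                DispatcherType.ASYNC, DispatcherType.FORWARD);
    }

    @Override
    protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
        // Registered ahead of springSecurityFilterChain so parameters are decoded consistently.
        insertFilters(servletContext, new CharacterEncodingFilter("UTF-8", true));
    }
}
```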

    • Field Detail

      • DEFAULT_FILTER_NAME

        public static final java.lang.String DEFAULT_FILTER_NAME
        See Also:
        Constant Field Values
    • Constructor Detail

      • AbstractSecurityWebApplicationInitializer

        protected AbstractSecurityWebApplicationInitializer()
        Creates a new instance that assumes the Spring Security configuration is loaded by some other means than this class. For example, a user might create a ContextLoaderListener using a subclass of AbstractContextLoaderInitializer.
        See Also:
        ContextLoaderListener
      • AbstractSecurityWebApplicationInitializer

        protected AbstractSecurityWebApplicationInitializer(java.lang.Class<?>... configurationClasses)
        Creates a new instance that will instantiate the ContextLoaderListener with the specified classes.
        Parameters:
        configurationClasses -
    • Method Detail

      • onStartup

        public final void onStartup(javax.servlet.ServletContext servletContext)
        Specified by:
        onStartup in interface org.springframework.web.WebApplicationInitializer
      • enableHttpSessionEventPublisher

        protected boolean enableHttpSessionEventPublisher()
        Override this if HttpSessionEventPublisher should be added as a listener. This should be true, if session management has specified a maximum number of sessions.
        Returns:
        true to add HttpSessionEventPublisher, else false
      • insertFilters

        protected final void insertFilters(javax.servlet.ServletContext servletContext,
                                           javax.servlet.Filter... filters)
        Inserts the provided Filters before existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().
        Parameters:
        servletContext - the ServletContext to use
        filters - the Filters to register
      • appendFilters

        protected final void appendFilters(javax.servlet.ServletContext servletContext,
                                           javax.servlet.Filter... filters)
        Inserts the provided Filters after existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().
        Parameters:
        servletContext - the ServletContext to use
        filters - the Filters to register
      • getSessionTrackingModes

        protected java.util.Set<javax.servlet.SessionTrackingMode> getSessionTrackingModes()
        Determines how a session should be tracked. By default, SessionTrackingMode.COOKIE is used.

        Note that SessionTrackingMode.URL is intentionally omitted to help protect against session fixation attacks. SessionTrackingMode.SSL is omitted because SSL configuration is required for this to work.

        Subclasses can override this method to make customizations.

        Returns:
      • getDispatcherWebApplicationContextSuffix

        protected java.lang.String getDispatcherWebApplicationContextSuffix()
        Return the <servlet-name> to use the DispatcherServlet's WebApplicationContext to find the DelegatingFilterProxy or null to use the parent ApplicationContext.

        For example, if you are using AbstractDispatcherServletInitializer or AbstractAnnotationConfigDispatcherServletInitializer and using the provided Servlet name, you can return "dispatcher" from this method to use the DispatcherServlet's WebApplicationContext.

        Returns:
        the <servlet-name> of the DispatcherServlet to use its WebApplicationContext or null (default) to use the parent ApplicationContext.
      • beforeSpringSecurityFilterChain

        protected void beforeSpringSecurityFilterChain(javax.servlet.ServletContext servletContext)
        Invoked before the springSecurityFilterChain is added.
        Parameters:
        servletContext - the ServletContext
      • afterSpringSecurityFilterChain

        protected void afterSpringSecurityFilterChain(javax.servlet.ServletContext servletContext)
        Invoked after the springSecurityFilterChain is added.
        Parameters:
        servletContext - the ServletContext
      • getSecurityDispatcherTypes

        protected java.util.EnumSet<javax.servlet.DispatcherType> getSecurityDispatcherTypes()
        Get the DispatcherType for the springSecurityFilterChain.
        Returns:
      • isAsyncSecuritySupported

        protected boolean isAsyncSecuritySupported()
        Determine if the springSecurityFilterChain should be marked as supporting asynch. Default is true.
        Returns:
        true if springSecurityFilterChain should be marked as supporting asynch