Class SessionManagementFilter
- java.lang.Object
-
- org.springframework.web.filter.GenericFilterBean
-
- org.springframework.security.web.session.SessionManagementFilter
-
- All Implemented Interfaces:
javax.servlet.Filter,org.springframework.beans.factory.Aware,org.springframework.beans.factory.BeanNameAware,org.springframework.beans.factory.DisposableBean,org.springframework.beans.factory.InitializingBean,org.springframework.context.EnvironmentAware,org.springframework.core.env.EnvironmentCapable,org.springframework.web.context.ServletContextAware
public class SessionManagementFilter extends org.springframework.web.filter.GenericFilterBeanDetects that a user has been authenticated since the start of the request and, if they have, calls the configuredSessionAuthenticationStrategyto perform any session-related activity such as activating session-fixation protection mechanisms or checking for multiple concurrent logins.- Since:
- 2.0
-
-
Constructor Summary
Constructors Constructor Description SessionManagementFilter(SecurityContextRepository securityContextRepository)SessionManagementFilter(SecurityContextRepository securityContextRepository, SessionAuthenticationStrategy sessionStrategy)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description voiddoFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)voidsetAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)The handler which will be invoked if the AuthenticatedSessionStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).voidsetInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)Sets the strategy which will be invoked instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID.voidsetTrustResolver(AuthenticationTrustResolver trustResolver)Sets theAuthenticationTrustResolverto be used.
-
-
-
Constructor Detail
-
SessionManagementFilter
public SessionManagementFilter(SecurityContextRepository securityContextRepository)
-
SessionManagementFilter
public SessionManagementFilter(SecurityContextRepository securityContextRepository, SessionAuthenticationStrategy sessionStrategy)
-
-
Method Detail
-
doFilter
public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException- Throws:
java.io.IOExceptionjavax.servlet.ServletException
-
setInvalidSessionStrategy
public void setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)
Sets the strategy which will be invoked instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID. If the property is not set, no action will be taken.- Parameters:
invalidSessionStrategy- the strategy to invoke. Typically aSimpleRedirectInvalidSessionStrategy.
-
setAuthenticationFailureHandler
public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
The handler which will be invoked if the AuthenticatedSessionStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).
-
setTrustResolver
public void setTrustResolver(AuthenticationTrustResolver trustResolver)
Sets theAuthenticationTrustResolverto be used. The default isAuthenticationTrustResolverImpl.- Parameters:
trustResolver- theAuthenticationTrustResolverto use. Cannot be null.
-
-