Class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>

- java.lang.Object
  - org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
    - org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<SessionManagementConfigurer<H>,H>
      - org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer<H>

- All Implemented Interfaces:
  SecurityConfigurer<DefaultSecurityFilterChain,H>

public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<SessionManagementConfigurer<H>,H>
Allows configuring session management.

Security Filters

The following Filters are populated:
- SessionManagementFilter
- ConcurrentSessionFilter, if there are restrictions on how many concurrent sessions a user can have

Shared Objects Created

No shared objects are created.

Shared Objects Used

- SecurityContextRepository
- AuthenticationTrustResolver is optionally used to populate the HttpSessionSecurityContextRepository and SessionManagementFilter

- Since:
- 3.2
- See Also:
SessionManagementFilter, ConcurrentSessionFilter

-
Nested Class Summary

Nested Classes

- class SessionManagementConfigurer.ConcurrencyControlConfigurer
  Allows configuring control of multiple sessions.
- class SessionManagementConfigurer.SessionFixationConfigurer
  Allows configuring session fixation protection.

Constructor Summary

Constructors

- SessionManagementConfigurer()
  Creates a new instance

Method Summary

All Methods  Instance Methods  Concrete Methods

- void configure(H http)
  Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
- SessionManagementConfigurer<H> enableSessionUrlRewriting(boolean enableSessionUrlRewriting)
  If set to true, allows HTTP sessions to be rewritten in the URLs when using HttpServletResponse.encodeRedirectURL(String) or HttpServletResponse.encodeURL(String), otherwise disallows HTTP sessions to be included in the URL.
- void init(H http)
  Initialize the SecurityBuilder.
- SessionManagementConfigurer<H> invalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)
  Setting this attribute will inject the provided invalidSessionStrategy into the SessionManagementFilter.
- SessionManagementConfigurer<H> invalidSessionUrl(java.lang.String invalidSessionUrl)
  Setting this attribute will inject the SessionManagementFilter with a SimpleRedirectInvalidSessionStrategy configured with the attribute value.
- SessionManagementConfigurer.ConcurrencyControlConfigurer maximumSessions(int maximumSessions)
  Controls the maximum number of sessions for a user.
- SessionManagementConfigurer<H> sessionAuthenticationErrorUrl(java.lang.String sessionAuthenticationErrorUrl)
  Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception.
- SessionManagementConfigurer<H> sessionAuthenticationFailureHandler(AuthenticationFailureHandler sessionAuthenticationFailureHandler)
  Defines the AuthenticationFailureHandler which will be used when the SessionAuthenticationStrategy raises an exception.
- SessionManagementConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy)
  Allows explicitly specifying the SessionAuthenticationStrategy.
- SessionManagementConfigurer<H> sessionConcurrency(Customizer<SessionManagementConfigurer.ConcurrencyControlConfigurer> sessionConcurrencyCustomizer)
  Controls the maximum number of sessions for a user.
- SessionManagementConfigurer<H> sessionCreationPolicy(SessionCreationPolicy sessionCreationPolicy)
  Allows specifying the SessionCreationPolicy.
- SessionManagementConfigurer.SessionFixationConfigurer sessionFixation()
  Allows changing the default SessionFixationProtectionStrategy.
- SessionManagementConfigurer<H> sessionFixation(Customizer<SessionManagementConfigurer.SessionFixationConfigurer> sessionFixationCustomizer)
  Allows configuring session fixation protection.

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
disable, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, and, getBuilder, postProcess, setBuilder

Constructor Detail

SessionManagementConfigurer

public SessionManagementConfigurer()

Creates a new instance

- See Also:
HttpSecurity.sessionManagement()

-
Method Detail

invalidSessionUrl

public SessionManagementConfigurer<H> invalidSessionUrl(java.lang.String invalidSessionUrl)

Setting this attribute will inject the SessionManagementFilter with a SimpleRedirectInvalidSessionStrategy configured with the attribute value. When an invalid session ID is submitted (the request carries a session ID that the container does not recognise as a live session, for example one that timed out, was invalidated on logout, or was never issued), the strategy will be invoked, redirecting to the configured URL.

- Parameters:
invalidSessionUrl - the URL to redirect to when an invalid session is detected
- Returns:
the SessionManagementConfigurer for further customization

-

invalidSessionStrategy

public SessionManagementConfigurer<H> invalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)

Setting this attribute will inject the provided invalidSessionStrategy into the SessionManagementFilter. When an invalid session ID is submitted, the strategy will be invoked and is responsible for writing the response. The SimpleRedirectInvalidSessionStrategy that invalidSessionUrl(String) installs redirects to the configured URL; a custom strategy may respond however it sees fit.

- Parameters:
invalidSessionStrategy - the strategy to use when an invalid session ID is submitted.
- Returns:
the SessionManagementConfigurer for further customization
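The following is an added example, not code from Spring Security or this page. It wires an InvalidSessionStrategy that keeps the redirect behaviour of invalidSessionUrl(String) for browsers but answers API clients with a 401 instead of a redirect to an HTML page, and it shows the logout caveat that bites most deployments of this feature. It assumes Spring Security 5.x (javax.servlet namespace, SecurityFilterChain bean, authorizeRequests/antMatchers); on 6.x the imports move to jakarta.servlet and authorizeRequests becomes authorizeHttpRequests. The paths /session-expired and /login and the class ContentNegotiatingInvalidSessionStrategy are hypothetical names chosen for the example.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;

@Configuration
@EnableWebSecurity
public class InvalidSessionConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth
                .antMatchers("/login", "/session-expired").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout
                // Without this the browser keeps presenting the old JSESSIONID after
                // logout; the very next request is then classified as an *invalid*
                // session and sent to /session-expired instead of the login page.
                .deleteCookies("JSESSIONID")
                .logoutSuccessUrl("/login?logout"))
            .sessionManagement(session -> session
                // invalidSessionUrl("/session-expired") would install a plain
                // SimpleRedirectInvalidSessionStrategy; the wrapper adds content negotiation.
                .invalidSessionStrategy(
                    new ContentNegotiatingInvalidSessionStrategy("/session-expired")));
        return http.build();
    }

    /**
     * Hypothetical strategy, not part of Spring Security. Browser clients get the
     * same redirect invalidSessionUrl(String) would give them; clients that ask
     * for JSON get a 401 instead of silently following a redirect to an HTML page.
     */
    static final class ContentNegotiatingInvalidSessionStrategy implements InvalidSessionStrategy {

        private final SimpleRedirectInvalidSessionStrategy redirect;

        ContentNegotiatingInvalidSessionStrategy(String invalidSessionUrl) {
            this.redirect = new SimpleRedirectInvalidSessionStrategy(invalidSessionUrl);
        }

        @Override
        public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            String accept = request.getHeader("Accept");
            if (accept != null && accept.contains("application/json")) {
                // No redirect and no replacement session for API clients. The stale cookie is
                // cleared so the client does not trip this branch on every later request
                // (assumes the application is deployed at the root context path).
                Cookie stale = new Cookie("JSESSIONID", "");
                stale.setMaxAge(0);
                stale.setPath("/");
                stale.setHttpOnly(true);
                response.addCookie(stale);
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.setContentType("application/json");
                response.getWriter().write("{\"error\":\"invalid_session\"}");
                return;
            }
            this.redirect.onInvalidSessionDetected(request, response);
        }
    }
}
```

SimpleRedirectInvalidSessionStrategy creates a fresh session before redirecting by default, which is what replaces the stale cookie in the browser branch; the JSON branch deliberately does not, so the cookie has to be cleared by hand.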
-
sessionAuthenticationErrorUrl

public SessionManagementConfigurer<H> sessionAuthenticationErrorUrl(java.lang.String sessionAuthenticationErrorUrl)

Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (401) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.

- Parameters:
sessionAuthenticationErrorUrl - the URL to redirect to
- Returns:
the SessionManagementConfigurer for further customization

-

sessionAuthenticationFailureHandler

public SessionManagementConfigurer<H> sessionAuthenticationFailureHandler(AuthenticationFailureHandler sessionAuthenticationFailureHandler)

Defines the AuthenticationFailureHandler which will be used when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (401) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.

- Parameters:
sessionAuthenticationFailureHandler - the handler to use
- Returns:
the SessionManagementConfigurer for further customization
-
enableSessionUrlRewriting

public SessionManagementConfigurer<H> enableSessionUrlRewriting(boolean enableSessionUrlRewriting)

If set to true, allows HTTP sessions to be rewritten in the URLs when using HttpServletResponse.encodeRedirectURL(String) or HttpServletResponse.encodeURL(String), otherwise disallows HTTP sessions to be included in the URL. Keeping the session ID out of URLs prevents it from leaking through Referer headers, proxy and server logs, bookmarks and shared links, including to external domains.

This is achieved by guarding HttpServletResponse.encodeURL(java.lang.String) and HttpServletResponse.encodeRedirectURL(java.lang.String) invocations. Any code that also overrides either of these two methods, like ResourceUrlEncodingFilter, needs to come after the security filter chain or risk being skipped.

- Parameters:
enableSessionUrlRewriting - true if the JSESSIONID should be allowed to be rewritten into the URLs, else false (default)
- Returns:
the SessionManagementConfigurer for further customization
- See Also:
HttpSessionSecurityContextRepository.setDisableUrlRewriting(boolean)
-
sessionCreationPolicy

public SessionManagementConfigurer<H> sessionCreationPolicy(SessionCreationPolicy sessionCreationPolicy)

Allows specifying the SessionCreationPolicy.

- Parameters:
sessionCreationPolicy - the SessionCreationPolicy to use. Cannot be null.
- Returns:
the SessionManagementConfigurer for further customizations
- Throws:
java.lang.IllegalArgumentException - if SessionCreationPolicy is null.
- See Also:
SessionCreationPolicy
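The following is an added example, not code from Spring Security or this page, covering both enableSessionUrlRewriting(boolean) and sessionCreationPolicy(SessionCreationPolicy) in one configuration. It splits an application into a stateless API chain and a cookie-backed browser chain, and pairs Spring Security's URL-rewriting guard (which only covers the outgoing encodeURL/encodeRedirectURL calls) with a container-level tracking-mode restriction so that an incoming ;jsessionid=... path parameter is ignored as well. It assumes Spring Security 5.x on Spring Boot (for ServletContextInitializer); the /api/** and /login paths are hypothetical.

```java
import java.util.EnumSet;

import javax.servlet.SessionTrackingMode;

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SessionPolicyConfig {

    /**
     * Belt and braces at the container level. Spring Security's guard only covers
     * encodeURL/encodeRedirectURL on the way out; the servlet container would still
     * honour an incoming ;jsessionid=... path parameter unless tracking is restricted
     * to cookies. (Spring Boot property equivalent: server.servlet.session.tracking-modes=cookie)
     */
    @Bean
    ServletContextInitializer cookieOnlySessionTracking() {
        return servletContext -> servletContext
            .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    /** API chain: credentials travel on every request, so no HttpSession is ever created. */
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .sessionManagement(session -> session
                // STATELESS: never create a session and never read a SecurityContext
                // from one, so a stolen or fixated JSESSIONID buys nothing on this chain.
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    /** Browser chain: cookie-backed session, created only when something must be stored. */
    @Bean
    @Order(2)
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // IF_REQUIRED is the default. ALWAYS would also create a session for
                // anonymous requests; NEVER would use an existing session but never create one.
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // false is the default. enableSessionUrlRewriting(true) lets
                // response.encodeURL("/home") become "/home;jsessionid=...", which then
                // leaks through Referer headers, proxy logs, bookmarks and shared links.
                .enableSessionUrlRewriting(false));
        return http.build();
    }
}
```

CSRF protection is left at its default on both chains; whether the API chain can safely drop it depends on whether a browser ever presents its credentials, which is outside what this page covers.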
-
sessionAuthenticationStrategy

public SessionManagementConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy)

Allows explicitly specifying the SessionAuthenticationStrategy. The default is to use ChangeSessionIdAuthenticationStrategy. If restricting the maximum number of sessions is configured, then a CompositeSessionAuthenticationStrategy is used, delegating to ConcurrentSessionControlAuthenticationStrategy, the default or supplied SessionAuthenticationStrategy, and RegisterSessionAuthenticationStrategy.

NOTE: Supplying a custom SessionAuthenticationStrategy will override the default session fixation strategy.

- Parameters:
sessionAuthenticationStrategy - the SessionAuthenticationStrategy to use
- Returns:
the SessionManagementConfigurer for further customizations
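The following is an added example, not code from Spring Security or this page. It addresses the NOTE above, and the sessionAuthenticationErrorUrl/sessionAuthenticationFailureHandler entries before it, in one configuration: a custom check is composed with ChangeSessionIdAuthenticationStrategy so that supplying it does not silently switch session fixation protection off, and a failure handler is registered for the case where the check throws. It assumes Spring Security 5.x; RequireSecureChannelStrategy and the /login-failed path are hypothetical names for the example.

```java
import java.util.Arrays;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
public class SessionStrategyConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // A bare custom strategy replaces ChangeSessionIdAuthenticationStrategy, i.e. it
        // turns session fixation protection off. Composing keeps it: the custom check runs
        // first, and on success the session ID is still rotated.
        SessionAuthenticationStrategy strategy = new CompositeSessionAuthenticationStrategy(Arrays.asList(
                new RequireSecureChannelStrategy(),
                new ChangeSessionIdAuthenticationStrategy()));

        http
            .authorizeRequests(auth -> auth
                .antMatchers("/login", "/login-failed").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .sessionManagement(session -> session
                .sessionAuthenticationStrategy(strategy)
                // Invoked when the strategy throws; without it the client gets a bare 401.
                // During form login the form's own failure URL takes precedence instead.
                .sessionAuthenticationFailureHandler(
                    new SimpleUrlAuthenticationFailureHandler("/login-failed")));
        return http.build();
    }

    /**
     * Hypothetical strategy, not part of Spring Security: refuse to bind an
     * authentication to a session on a request that arrived over plain HTTP.
     */
    static final class RequireSecureChannelStrategy implements SessionAuthenticationStrategy {

        @Override
        public void onAuthentication(Authentication authentication, HttpServletRequest request,
                HttpServletResponse response) throws SessionAuthenticationException {
            if (!request.isSecure()) {
                throw new SessionAuthenticationException(
                    "Refusing to establish an authenticated session over an insecure channel");
            }
        }
    }
}
```

If concurrency control is also configured, the configurer wraps whatever is passed to sessionAuthenticationStrategy(...) in its own composite together with ConcurrentSessionControlAuthenticationStrategy and RegisterSessionAuthenticationStrategy, as described above; the composite built here is simply the "supplied" member of that outer composite.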
-
sessionFixation

public SessionManagementConfigurer.SessionFixationConfigurer sessionFixation()

Allows changing the default SessionFixationProtectionStrategy.

- Returns:
the SessionManagementConfigurer.SessionFixationConfigurer for further customizations

-

sessionFixation

public SessionManagementConfigurer<H> sessionFixation(Customizer<SessionManagementConfigurer.SessionFixationConfigurer> sessionFixationCustomizer)

Allows configuring session fixation protection.

- Parameters:
sessionFixationCustomizer - the Customizer to provide more options for the SessionManagementConfigurer.SessionFixationConfigurer
- Returns:
the SessionManagementConfigurer for further customizations
-
maximumSessions

public SessionManagementConfigurer.ConcurrencyControlConfigurer maximumSessions(int maximumSessions)

Controls the maximum number of sessions for a user. The default is to allow any number of sessions per user.

- Parameters:
maximumSessions - the maximum number of sessions for a user
- Returns:
the SessionManagementConfigurer.ConcurrencyControlConfigurer for further customizations

-

sessionConcurrency

public SessionManagementConfigurer<H> sessionConcurrency(Customizer<SessionManagementConfigurer.ConcurrencyControlConfigurer> sessionConcurrencyCustomizer)

Controls the maximum number of sessions for a user. The default is to allow any number of sessions per user.

- Parameters:
sessionConcurrencyCustomizer - the Customizer to provide more options for the SessionManagementConfigurer.ConcurrencyControlConfigurer
- Returns:
the SessionManagementConfigurer for further customizations
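The following is an added example, not code from Spring Security or this page. It configures the concurrency control that maximumSessions(int) and sessionConcurrency(Customizer) enable, registers the HttpSessionEventPublisher without which the session registry never learns that sessions ended, and exposes the registry to an administrative endpoint that forces a user out of every device. It assumes Spring Security 5.x with Spring MVC; SessionAdminController, the /admin/** and /session-expired paths and the ADMIN role are hypothetical names for the example.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class ConcurrencyConfig {

    @Bean
    SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /**
     * Forwards the container's session-destroyed events to the registry. Without it,
     * sessions ended by logout or timeout are never removed and keep counting against
     * maximumSessions, so users get locked out or lose their only live session.
     */
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, SessionRegistry registry) throws Exception {
        http
            .authorizeRequests(auth -> auth
                .antMatchers("/login", "/session-expired").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                .sessionConcurrency(concurrency -> concurrency
                    .maximumSessions(1)
                    // false (default): a new login expires the oldest session.
                    // true: the new login is refused while an older session is alive,
                    // which resists credential sharing but lets a forgotten session on
                    // another device lock the legitimate user out.
                    .maxSessionsPreventsLogin(false)
                    // Where ConcurrentSessionFilter sends a request whose session was expired.
                    .expiredUrl("/session-expired")
                    .sessionRegistry(registry)));
        return http.build();
    }
}

/**
 * Hypothetical admin endpoint, not part of Spring Security: force a user out of every
 * device by expiring all sessions the registry holds for them. The victim's next
 * request is caught by ConcurrentSessionFilter and sent to expiredUrl.
 */
@RestController
class SessionAdminController {

    private final SessionRegistry registry;

    SessionAdminController(SessionRegistry registry) {
        this.registry = registry;
    }

    @PostMapping("/admin/users/{username}/sessions/expire")
    int expireAll(@PathVariable String username) {
        int expired = 0;
        for (Object principal : registry.getAllPrincipals()) {
            if (principal instanceof UserDetails
                    && ((UserDetails) principal).getUsername().equals(username)) {
                // false: skip sessions already marked expired
                List<SessionInformation> sessions = registry.getAllSessions(principal, false);
                for (SessionInformation info : sessions) {
                    info.expireNow();
                    expired++;
                }
            }
        }
        return expired;
    }
}
```

The registry is keyed by principal object, so getAllPrincipals() has to be filtered by username as above; SessionRegistryImpl is in-memory and per-JVM, so a clustered deployment needs a shared registry (for example one backed by Spring Session) for either the limit or the forced logout to hold across nodes.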
-
init

public void init(H http)

Description copied from interface: SecurityConfigurer

Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building. Configurers should be applied here.

- Specified by:
init in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
- Overrides:
init in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

-

configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

- Specified by:
configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
- Overrides:
configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>