Package org.springframework.security.web.session

Class SessionManagementFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.springframework.security.web.session.SessionManagementFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class SessionManagementFilter
extends org.springframework.web.filter.GenericFilterBean

Detects that a user has been authenticated since the start of the request and, if they have, calls the configured SessionAuthenticationStrategy to perform any session-related activity such as activating session-fixation protection mechanisms or checking for multiple concurrent logins.

Since:

2.0

Field Summary

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor	Description
SessionManagementFilter(SecurityContextRepository securityContextRepository)
SessionManagementFilter(SecurityContextRepository securityContextRepository, SessionAuthenticationStrategy sessionStrategy)

Method Summary

Modifier and Type	Method	Description
void	doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
void	setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)	The handler which will be invoked if the AuthenticatedSessionStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).
void	setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)	Sets the strategy which will be invoked instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID.
void	setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)	Sets the SecurityContextHolderStrategy to use.
void	setTrustResolver(AuthenticationTrustResolver trustResolver)	Sets the AuthenticationTrustResolver to be used.

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SessionManagementFilter

public SessionManagementFilter(SecurityContextRepository securityContextRepository)

SessionManagementFilter

public SessionManagementFilter(SecurityContextRepository securityContextRepository,
                               SessionAuthenticationStrategy sessionStrategy)

Method Detail

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException

Throws:

java.io.IOException

javax.servlet.ServletException

setInvalidSessionStrategy

public void setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)

Sets the strategy which will be invoked instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID. If the property is not set, no action will be taken.

Parameters:

invalidSessionStrategy - the strategy to invoke. Typically a SimpleRedirectInvalidSessionStrategy.

setAuthenticationFailureHandler

public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)

The handler which will be invoked if the AuthenticatedSessionStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).

setTrustResolver

public void setTrustResolver(AuthenticationTrustResolver trustResolver)

Sets the AuthenticationTrustResolver to be used. The default is AuthenticationTrustResolverImpl.

Parameters:

trustResolver - the AuthenticationTrustResolver to use. Cannot be null.

setSecurityContextHolderStrategy

public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)

Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.

Since:

5.8