Class HttpSessionSecurityContextRepository
- java.lang.Object
-
- org.springframework.security.web.context.HttpSessionSecurityContextRepository
-
- All Implemented Interfaces:
SecurityContextRepository
public class HttpSessionSecurityContextRepository extends java.lang.Object implements SecurityContextRepository
ASecurityContextRepository
implementation which stores the security context in theHttpSession
between requests.The
HttpSession
will be queried to retrieve theSecurityContext
in the loadContext method (using the keySPRING_SECURITY_CONTEXT_KEY
by default). If a validSecurityContext
cannot be obtained from theHttpSession
for whatever reason, a freshSecurityContext
will be created by calling bySecurityContextHolder.createEmptyContext()
and this instance will be returned instead.When saveContext is called, the context will be stored under the same key, provided
- The value has changed
- The configured AuthenticationTrustResolver does not report that the contents represent an anonymous user
With the standard configuration, no
HttpSession
will be created during loadContext if one does not already exist. When saveContext is called at the end of the web request, and no session exists, a newHttpSession
will only be created if the suppliedSecurityContext
is not equal to an emptySecurityContext
instance. This avoids needlessHttpSession
creation, but automates the storage of changes made to the context during the request. Note that ifSecurityContextPersistenceFilter
is configured to eagerly create sessions, then the session-minimisation logic applied here will not make any difference. If you are using eager session creation, then you should ensure that the allowSessionCreation property of this class is set to true (the default).If for whatever reason no
HttpSession
should ever be created (for example, if Basic authentication is being used or similar clients that will never present the samejsessionid
), thenallowSessionCreation
should be set tofalse
. Only do this if you really need to conserve server memory and ensure all classes using theSecurityContextHolder
are designed to have no persistence of theSecurityContext
between web requests.- Since:
- 3.0
-
-
Field Summary
Fields Modifier and Type Field Description protected org.apache.commons.logging.Log
logger
static java.lang.String
SPRING_SECURITY_CONTEXT_KEY
The default key under which the security context will be stored in the session.
-
Constructor Summary
Constructors Constructor Description HttpSessionSecurityContextRepository()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description boolean
containsContext(javax.servlet.http.HttpServletRequest request)
Allows the repository to be queried as to whether it contains a security context for the current request.protected SecurityContext
generateNewContext()
By default, callsSecurityContextHolder.createEmptyContext()
to obtain a new context (there should be no context present in the holder when this method is called).SecurityContext
loadContext(HttpRequestResponseHolder requestResponseHolder)
Gets the security context for the current request (if available) and returns it.DeferredSecurityContext
loadDeferredContext(javax.servlet.http.HttpServletRequest request)
Defers loading theSecurityContext
using theHttpServletRequest
until it is needed by the application.void
saveContext(SecurityContext context, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Stores the security context on completion of a request.void
setAllowSessionCreation(boolean allowSessionCreation)
If set to true (the default), a session will be created (if required) to store the security context if it is determined that its contents are different from the default empty context value.void
setDisableUrlRewriting(boolean disableUrlRewriting)
Allows the use of session identifiers in URLs to be disabled.void
setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy)
Sets theSecurityContextHolderStrategy
to use.void
setSpringSecurityContextKey(java.lang.String springSecurityContextKey)
Allows the session attribute name to be customized for this repository instance.void
setTrustResolver(AuthenticationTrustResolver trustResolver)
Sets theAuthenticationTrustResolver
to be used.-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.springframework.security.web.context.SecurityContextRepository
loadContext
-
-
-
-
Field Detail
-
SPRING_SECURITY_CONTEXT_KEY
public static final java.lang.String SPRING_SECURITY_CONTEXT_KEY
The default key under which the security context will be stored in the session.- See Also:
- Constant Field Values
-
logger
protected final org.apache.commons.logging.Log logger
-
-
Method Detail
-
loadContext
public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder)
Gets the security context for the current request (if available) and returns it.If the session is null, the context object is null or the context object stored in the session is not an instance of
SecurityContext
, a new context object will be generated and returned.- Specified by:
loadContext
in interfaceSecurityContextRepository
- Parameters:
requestResponseHolder
- holder for the current request and response for which the context should be loaded.- Returns:
- The security context which should be used for the current request, never null.
-
loadDeferredContext
public DeferredSecurityContext loadDeferredContext(javax.servlet.http.HttpServletRequest request)
Description copied from interface:SecurityContextRepository
Defers loading theSecurityContext
using theHttpServletRequest
until it is needed by the application.- Specified by:
loadDeferredContext
in interfaceSecurityContextRepository
- Parameters:
request
- theHttpServletRequest
to load theSecurityContext
from- Returns:
- a
DeferredSecurityContext
that returns theSecurityContext
which cannot be null
-
saveContext
public void saveContext(SecurityContext context, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Description copied from interface:SecurityContextRepository
Stores the security context on completion of a request.- Specified by:
saveContext
in interfaceSecurityContextRepository
- Parameters:
context
- the non-null context which was obtained from the holder.
-
containsContext
public boolean containsContext(javax.servlet.http.HttpServletRequest request)
Description copied from interface:SecurityContextRepository
Allows the repository to be queried as to whether it contains a security context for the current request.- Specified by:
containsContext
in interfaceSecurityContextRepository
- Parameters:
request
- the current request- Returns:
- true if a context is found for the request, false otherwise
-
generateNewContext
protected SecurityContext generateNewContext()
By default, callsSecurityContextHolder.createEmptyContext()
to obtain a new context (there should be no context present in the holder when this method is called). Using this approach the context creation strategy is decided by theSecurityContextHolderStrategy
in use. The default implementations will return a new SecurityContextImpl.- Returns:
- a new SecurityContext instance. Never null.
-
setAllowSessionCreation
public void setAllowSessionCreation(boolean allowSessionCreation)
If set to true (the default), a session will be created (if required) to store the security context if it is determined that its contents are different from the default empty context value.Note that setting this flag to false does not prevent this class from storing the security context. If your application (or another filter) creates a session, then the security context will still be stored for an authenticated user.
- Parameters:
allowSessionCreation
-
-
setDisableUrlRewriting
public void setDisableUrlRewriting(boolean disableUrlRewriting)
Allows the use of session identifiers in URLs to be disabled. Off by default.- Parameters:
disableUrlRewriting
- set to true to disable URL encoding methods in the response wrapper and prevent the use of jsessionid parameters.
-
setSpringSecurityContextKey
public void setSpringSecurityContextKey(java.lang.String springSecurityContextKey)
Allows the session attribute name to be customized for this repository instance.- Parameters:
springSecurityContextKey
- the key under which the security context will be stored. Defaults toSPRING_SECURITY_CONTEXT_KEY
.
-
setSecurityContextHolderStrategy
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy)
Sets theSecurityContextHolderStrategy
to use. The default action is to use theSecurityContextHolderStrategy
stored inSecurityContextHolder
.- Since:
- 5.8
-
setTrustResolver
public void setTrustResolver(AuthenticationTrustResolver trustResolver)
Sets theAuthenticationTrustResolver
to be used. The default isAuthenticationTrustResolverImpl
.- Parameters:
trustResolver
- theAuthenticationTrustResolver
to use. Cannot be null.
-
-