Package org.springframework.security.web.context

Class SecurityContextPersistenceFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.springframework.security.web.context.SecurityContextPersistenceFilter

All Implemented Interfaces:

jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class SecurityContextPersistenceFilter
extends org.springframework.web.filter.GenericFilterBean

Populates the SecurityContextHolder with information obtained from the configured SecurityContextRepository prior to the request and stores it back in the repository once the request has completed and clearing the context holder. By default it uses an HttpSessionSecurityContextRepository. See this class for information HttpSession related configuration options.

This filter will only execute once per request, to resolve servlet container (specifically Weblogic) incompatibilities.

This filter MUST be executed BEFORE any authentication processing mechanisms. Authentication processing mechanisms (e.g. BASIC, CAS processing filters etc) expect the SecurityContextHolder to contain a valid SecurityContext by the time they execute.

This is essentially a refactoring of the old HttpSessionContextIntegrationFilter to delegate the storage issues to a separate strategy, allowing for more customization in the way the security context is maintained between requests.

The forceEagerSessionCreation property can be used to ensure that a session is always available before the filter chain executes (the default is false, as this is resource intensive and not recommended).

Since:

3.0

Field Summary

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor	Description
SecurityContextPersistenceFilter()
SecurityContextPersistenceFilter(SecurityContextRepository repo)

Method Summary

Modifier and Type	Method	Description
void	doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain)
void	setForceEagerSessionCreation(boolean forceEagerSessionCreation)

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

SecurityContextPersistenceFilter

public SecurityContextPersistenceFilter()

SecurityContextPersistenceFilter

public SecurityContextPersistenceFilter(SecurityContextRepository repo)

Method Details

doFilter

public void doFilter(jakarta.servlet.ServletRequest request,
 jakarta.servlet.ServletResponse response,
 jakarta.servlet.FilterChain chain)
              throws IOException,
jakarta.servlet.ServletException

Throws:

IOException

jakarta.servlet.ServletException

setForceEagerSessionCreation

public void setForceEagerSessionCreation(boolean forceEagerSessionCreation)