Class SaveContextOnUpdateOrErrorResponseWrapper

java.lang.Object
jakarta.servlet.ServletResponseWrapper
jakarta.servlet.http.HttpServletResponseWrapper
org.springframework.security.web.util.OnCommittedResponseWrapper
org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper
All Implemented Interfaces:
jakarta.servlet.http.HttpServletResponse, jakarta.servlet.ServletResponse

public abstract class SaveContextOnUpdateOrErrorResponseWrapper extends OnCommittedResponseWrapper
Base class for response wrappers that encapsulate the logic for storing a security context. The SecurityContext is stored when sendError(), sendRedirect(), getOutputStream().close(), getOutputStream().flush(), getWriter().close(), or getWriter().flush() is called on the same thread on which this SaveContextOnUpdateOrErrorResponseWrapper was created. See issues SEC-398 and SEC-2005.

Sub-classes should implement the saveContext(SecurityContext context) method.

Support is also provided for disabling URL rewriting.

Since:
3.0
  • Field Summary

    Fields inherited from interface jakarta.servlet.http.HttpServletResponse

    SC_ACCEPTED, SC_BAD_GATEWAY, SC_BAD_REQUEST, SC_CONFLICT, SC_CONTINUE, SC_CREATED, SC_EXPECTATION_FAILED, SC_FORBIDDEN, SC_FOUND, SC_GATEWAY_TIMEOUT, SC_GONE, SC_HTTP_VERSION_NOT_SUPPORTED, SC_INTERNAL_SERVER_ERROR, SC_LENGTH_REQUIRED, SC_METHOD_NOT_ALLOWED, SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_MULTIPLE_CHOICES, SC_NO_CONTENT, SC_NON_AUTHORITATIVE_INFORMATION, SC_NOT_ACCEPTABLE, SC_NOT_FOUND, SC_NOT_IMPLEMENTED, SC_NOT_MODIFIED, SC_OK, SC_PARTIAL_CONTENT, SC_PAYMENT_REQUIRED, SC_PRECONDITION_FAILED, SC_PROXY_AUTHENTICATION_REQUIRED, SC_REQUEST_ENTITY_TOO_LARGE, SC_REQUEST_TIMEOUT, SC_REQUEST_URI_TOO_LONG, SC_REQUESTED_RANGE_NOT_SATISFIABLE, SC_RESET_CONTENT, SC_SEE_OTHER, SC_SERVICE_UNAVAILABLE, SC_SWITCHING_PROTOCOLS, SC_TEMPORARY_REDIRECT, SC_UNAUTHORIZED, SC_UNSUPPORTED_MEDIA_TYPE, SC_USE_PROXY
  • Constructor Summary

    Constructors
    Constructor
    Description
    SaveContextOnUpdateOrErrorResponseWrapper(jakarta.servlet.http.HttpServletResponse response, boolean disableUrlRewriting)
     
  • Method Summary

    Modifier and Type
    Method
    Description
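    void
    disableSaveOnResponseCommitted()
    Invoke this method to disable automatic saving of the SecurityContext when the HttpServletResponse is committed.
    final String
    encodeRedirectUrl(String url)
    
    final String
    encodeRedirectURL(String url)
    
    final String
    encodeUrl(String url)
    
    final String
    encodeURL(String url)
    
    final boolean
    isContextSaved()
    Tells if the response wrapper has called saveContext() because of this wrapper.
    protected void
    onResponseCommitted()
    Calls saveContext() with the current contents of the SecurityContextHolder as long as disableSaveOnResponseCommitted() was not invoked.
    protected abstract void
    saveContext(SecurityContext context)
    Implements the logic for storing the security context.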

    Methods inherited from class jakarta.servlet.http.HttpServletResponseWrapper

    addCookie, addDateHeader, addIntHeader, containsHeader, getHeader, getHeaderNames, getHeaders, getStatus, getTrailerFields, setDateHeader, setHeader, setIntHeader, setStatus, setStatus, setTrailerFields

    Methods inherited from class jakarta.servlet.ServletResponseWrapper

    getBufferSize, getCharacterEncoding, getContentType, getLocale, getResponse, isCommitted, isWrapperFor, isWrapperFor, reset, resetBuffer, setBufferSize, setCharacterEncoding, setContentType, setLocale, setResponse

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface jakarta.servlet.ServletResponse

    getBufferSize, getCharacterEncoding, getContentType, getLocale, isCommitted, reset, resetBuffer, setBufferSize, setCharacterEncoding, setContentType, setLocale
  • Constructor Details

    • SaveContextOnUpdateOrErrorResponseWrapper

      public SaveContextOnUpdateOrErrorResponseWrapper(jakarta.servlet.http.HttpServletResponse response, boolean disableUrlRewriting)
      Parameters:
      response - the response to be wrapped
      disableUrlRewriting - turns the URL encoding methods into null operations, preventing the use of URL rewriting to add the session identifier as a URL parameter.
  • Method Details

    • disableSaveOnResponseCommitted

      public void disableSaveOnResponseCommitted()
      Invoke this method to disable automatic saving of the SecurityContext when the HttpServletResponse is committed. This can be useful when async web requests are made, which may no longer have the SecurityContext available.
    • saveContext

      protected abstract void saveContext(SecurityContext context)
      Implements the logic for storing the security context.
      Parameters:
      context - the SecurityContext instance to store
    • onResponseCommitted

      protected void onResponseCommitted()
      Calls saveContext() with the current contents of the SecurityContextHolder as long as disableSaveOnResponseCommitted() was not invoked.
      Specified by:
      onResponseCommitted in class OnCommittedResponseWrapper
    • encodeRedirectUrl

      public final String encodeRedirectUrl(String url)
      Specified by:
      encodeRedirectUrl in interface jakarta.servlet.http.HttpServletResponse
      Overrides:
      encodeRedirectUrl in class jakarta.servlet.http.HttpServletResponseWrapper
    • encodeRedirectURL

      public final String encodeRedirectURL(String url)
      Specified by:
      encodeRedirectURL in interface jakarta.servlet.http.HttpServletResponse
      Overrides:
      encodeRedirectURL in class jakarta.servlet.http.HttpServletResponseWrapper
    • encodeUrl

      public final String encodeUrl(String url)
      Specified by:
      encodeUrl in interface jakarta.servlet.http.HttpServletResponse
      Overrides:
      encodeUrl in class jakarta.servlet.http.HttpServletResponseWrapper
    • encodeURL

      public final String encodeURL(String url)
      Specified by:
      encodeURL in interface jakarta.servlet.http.HttpServletResponse
      Overrides:
      encodeURL in class jakarta.servlet.http.HttpServletResponseWrapper
    • isContextSaved

      public final boolean isContextSaved()
      Tells if the response wrapper has called saveContext() because of this wrapper.
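
The following is an added example, not part of the original Javadoc and not Spring Security's own code. It shows one way a subclass can implement saveContext(SecurityContext) with URL rewriting disabled, and how a filter can use isContextSaved() to avoid saving twice. The names SessionContextSavingFilter, SessionSavingWrapper and CONTEXT_ATTR are hypothetical.

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter that persists the SecurityContext in the HTTP session.
public class SessionContextSavingFilter extends OncePerRequestFilter {
    // Assumed attribute name, chosen for this example only.
    static final String CONTEXT_ATTR = "EXAMPLE_SECURITY_CONTEXT";

    static final class SessionSavingWrapper extends SaveContextOnUpdateOrErrorResponseWrapper {
        private final HttpServletRequest request;

        SessionSavingWrapper(HttpServletRequest request, HttpServletResponse response) {
            // true: encodeURL()/encodeRedirectURL() become no-ops, so the
            // session identifier is never added to a URL as a parameter.
            super(response, true);
            this.request = request;
        }

        @Override
        protected void saveContext(SecurityContext context) {
            if (context.getAuthentication() == null) {
                return; // nothing to persist; do not create a session for it
            }
            // A new session can only be created before the response is
            // committed, which is why the wrapper saves on sendError(), flush() etc.
            request.getSession(true).setAttribute(CONTEXT_ATTR, context);
        }
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        SessionSavingWrapper wrapper = new SessionSavingWrapper(request, response);
        try {
            chain.doFilter(request, wrapper);
        } finally {
            // Take the context before clearing the thread-local holder.
            SecurityContext context = SecurityContextHolder.getContext();
            SecurityContextHolder.clearContext();
            // The wrapper may already have saved when the response was committed.
            if (!wrapper.isContextSaved()) {
                wrapper.saveContext(context);
            }
        }
    }
}
```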