Class SessionManagementFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.session.SessionManagementFilter
- All Implemented Interfaces:
jakarta.servlet.Filter,org.springframework.beans.factory.Aware,org.springframework.beans.factory.BeanNameAware,org.springframework.beans.factory.DisposableBean,org.springframework.beans.factory.InitializingBean,org.springframework.context.EnvironmentAware,org.springframework.core.env.EnvironmentCapable,org.springframework.web.context.ServletContextAware
public class SessionManagementFilter
extends org.springframework.web.filter.GenericFilterBean
Detects that a user has been authenticated since the start of the request and, if they
have, calls the configured
SessionAuthenticationStrategy to perform any
session-related activity such as activating session-fixation protection mechanisms or
checking for multiple concurrent logins.- Since:
- 2.0
-
Field Summary
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger -
Constructor Summary
ConstructorsConstructorDescriptionSessionManagementFilter(SecurityContextRepository securityContextRepository) SessionManagementFilter(SecurityContextRepository securityContextRepository, SessionAuthenticationStrategy sessionStrategy) -
Method Summary
Modifier and TypeMethodDescriptionvoiddoFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) voidsetAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler) The handler which will be invoked if the AuthenticatedSessionStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).voidsetInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy) Sets the strategy which will be invoked instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID.voidsetTrustResolver(AuthenticationTrustResolver trustResolver) Sets theAuthenticationTrustResolverto be used.Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
-
Constructor Details
-
SessionManagementFilter
-
SessionManagementFilter
public SessionManagementFilter(SecurityContextRepository securityContextRepository, SessionAuthenticationStrategy sessionStrategy)
-
-
Method Details
-
doFilter
public void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException - Throws:
IOExceptionjakarta.servlet.ServletException
-
setInvalidSessionStrategy
Sets the strategy which will be invoked instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID. If the property is not set, no action will be taken.- Parameters:
invalidSessionStrategy- the strategy to invoke. Typically aSimpleRedirectInvalidSessionStrategy.
-
setAuthenticationFailureHandler
The handler which will be invoked if the AuthenticatedSessionStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open). -
setTrustResolver
Sets theAuthenticationTrustResolverto be used. The default isAuthenticationTrustResolverImpl.- Parameters:
trustResolver- theAuthenticationTrustResolverto use. Cannot be null.
-