Package org.springframework.security.web.session

Class ConcurrentSessionFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.springframework.security.web.session.ConcurrentSessionFilter

All Implemented Interfaces:

jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class ConcurrentSessionFilter
extends org.springframework.web.filter.GenericFilterBean

Filter required by concurrent session handling package.

This filter performs two functions. First, it calls SessionRegistry.refreshLastRequest(String) for each request so that registered sessions always have a correct "last update" date/time. Second, it retrieves a SessionInformation from the SessionRegistry for each request and checks if the session has been marked as expired. If it has been marked as expired, the configured logout handlers will be called (as happens with LogoutFilter), typically to invalidate the session. To handle the expired session a call to the SessionInformationExpiredStrategy is made. The session invalidation will cause an HttpSessionDestroyedEvent to be published via the HttpSessionEventPublisher registered in web.xml.

Field Summary

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor	Description
ConcurrentSessionFilter(SessionRegistry sessionRegistry)
ConcurrentSessionFilter(SessionRegistry sessionRegistry, String expiredUrl)	Deprecated. use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.
ConcurrentSessionFilter(SessionRegistry sessionRegistry, SessionInformationExpiredStrategy sessionInformationExpiredStrategy)

Method Summary

Modifier and Type	Method	Description
void	afterPropertiesSet()
protected String	determineExpiredUrl(jakarta.servlet.http.HttpServletRequest request, SessionInformation info)	Deprecated. Use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
void	doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain)
void	setLogoutHandlers(List<LogoutHandler> handlers)	Set list of LogoutHandler
void	setLogoutHandlers(LogoutHandler[] handlers)
void	setRedirectStrategy(RedirectStrategy redirectStrategy)	Deprecated. use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
void	setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)	Sets the SecurityContextHolderStrategy to use.

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

ConcurrentSessionFilter

public ConcurrentSessionFilter(SessionRegistry sessionRegistry)

ConcurrentSessionFilter

@Deprecated
public ConcurrentSessionFilter(SessionRegistry sessionRegistry,
 String expiredUrl)

Deprecated.

use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.

Creates a new instance

Parameters:

sessionRegistry - the SessionRegistry to use

expiredUrl - the URL to redirect to

ConcurrentSessionFilter

public ConcurrentSessionFilter(SessionRegistry sessionRegistry,
 SessionInformationExpiredStrategy sessionInformationExpiredStrategy)

Method Details

afterPropertiesSet

public void afterPropertiesSet()

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Overrides:

afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean

doFilter

public void doFilter(jakarta.servlet.ServletRequest request,
 jakarta.servlet.ServletResponse response,
 jakarta.servlet.FilterChain chain)
              throws IOException,
jakarta.servlet.ServletException

Throws:

IOException

jakarta.servlet.ServletException

determineExpiredUrl

@Deprecated
protected String determineExpiredUrl(jakarta.servlet.http.HttpServletRequest request,
 SessionInformation info)

Deprecated.

Use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.

Determine the URL for expiration

Parameters:

request - the HttpServletRequest

info - the SessionInformation

Returns:

the URL for expiration

setSecurityContextHolderStrategy

public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)

Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.

Since:

5.8

setLogoutHandlers

public void setLogoutHandlers(LogoutHandler[] handlers)

setLogoutHandlers

public void setLogoutHandlers(List<LogoutHandler> handlers)

Set list of LogoutHandler

Parameters:

handlers - list of LogoutHandler

Since:

5.2.0

setRedirectStrategy

@Deprecated
public void setRedirectStrategy(RedirectStrategy redirectStrategy)

Deprecated.

use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.

Sets the RedirectStrategy used with ConcurrentSessionFilter(SessionRegistry, String)

Parameters:

redirectStrategy - the RedirectStrategy to use