Class SessionManagementFilter

java.lang.Object
  org.springframework.web.filter.GenericFilterBean
    org.springframework.security.web.session.SessionManagementFilter

All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class SessionManagementFilter
extends org.springframework.web.filter.GenericFilterBean

Detects that a user has been authenticated since the start of the request and, if they have, calls the configured SessionAuthenticationStrategy to perform any session-related activity such as activating session-fixation protection mechanisms or checking for multiple concurrent logins.

Since:
2.0

Field Summary

Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger

Constructor Summary

SessionManagementFilter(SecurityContextRepository securityContextRepository)
SessionManagementFilter(SecurityContextRepository securityContextRepository, SessionAuthenticationStrategy sessionStrategy)

Method Summary

void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain)

void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
    The handler which will be invoked if the AuthenticatedSessionStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).

void setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)
    Sets the strategy which will be invoked instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID.

void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
    Sets the SecurityContextHolderStrategy to use.

void setTrustResolver(AuthenticationTrustResolver trustResolver)
    Sets the AuthenticationTrustResolver to be used.

Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Constructor Details

SessionManagementFilter

SessionManagementFilter
public SessionManagementFilter(SecurityContextRepository securityContextRepository, SessionAuthenticationStrategy sessionStrategy)

Method Details

doFilter
public void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException

Throws:
IOException
jakarta.servlet.ServletException

setInvalidSessionStrategy
Sets the strategy which will be invoked instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID. If the property is not set, no action will be taken.

Parameters:
invalidSessionStrategy - the strategy to invoke. Typically a SimpleRedirectInvalidSessionStrategy.

setAuthenticationFailureHandler
The handler which will be invoked if the AuthenticatedSessionStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).

setTrustResolver
Sets the AuthenticationTrustResolver to be used. The default is AuthenticationTrustResolverImpl.

Parameters:
trustResolver - the AuthenticationTrustResolver to use. Cannot be null.

setSecurityContextHolderStrategy
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.

Since:
5.8