Package org.springframework.security.web.context

Class RequestAttributeSecurityContextRepository

java.lang.Object

org.springframework.security.web.context.RequestAttributeSecurityContextRepository

All Implemented Interfaces:

SecurityContextRepository

public final class RequestAttributeSecurityContextRepository
extends Object
implements SecurityContextRepository

Stores the SecurityContext on a ServletRequest.setAttribute(String, Object) so that it can be restored when different dispatch types occur. It will not be available on subsequent requests. Unlike HttpSessionSecurityContextRepository this filter has no need to persist the SecurityContext on the response being committed because the SecurityContext will not be available for subsequent requests for RequestAttributeSecurityContextRepository.

Since:

5.7

Field Summary

Fields

Modifier and Type	Field	Description
static final String	DEFAULT_REQUEST_ATTR_NAME	The default request attribute name to use.

Constructor Summary

Constructors

Constructor	Description
RequestAttributeSecurityContextRepository()	Creates a new instance using DEFAULT_REQUEST_ATTR_NAME.
RequestAttributeSecurityContextRepository(String requestAttributeName)	Creates a new instance with the specified request attribute name.

Method Summary

Modifier and Type	Method	Description
boolean	containsContext(jakarta.servlet.http.HttpServletRequest request)	Allows the repository to be queried as to whether it contains a security context for the current request.
SecurityContext	loadContext(HttpRequestResponseHolder requestResponseHolder)	Obtains the security context for the supplied request.
DeferredSecurityContext	loadDeferredContext(jakarta.servlet.http.HttpServletRequest request)	Defers loading the SecurityContext using the HttpServletRequest until it is needed by the application.
void	saveContext(SecurityContext context, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)	Stores the security context on completion of a request.
void	setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)	Sets the SecurityContextHolderStrategy to use.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

DEFAULT_REQUEST_ATTR_NAME

public static final String DEFAULT_REQUEST_ATTR_NAME

The default request attribute name to use.

Constructor Details

RequestAttributeSecurityContextRepository

public RequestAttributeSecurityContextRepository()

Creates a new instance using DEFAULT_REQUEST_ATTR_NAME.

RequestAttributeSecurityContextRepository

public RequestAttributeSecurityContextRepository(String requestAttributeName)

Creates a new instance with the specified request attribute name.

Parameters:

requestAttributeName - the request attribute name to set to the SecurityContext.

Method Details

containsContext

public boolean containsContext(jakarta.servlet.http.HttpServletRequest request)

Description copied from interface: SecurityContextRepository

Allows the repository to be queried as to whether it contains a security context for the current request.

Specified by:

containsContext in interface SecurityContextRepository

Parameters:

request - the current request

Returns:

true if a context is found for the request, false otherwise

loadContext

public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder)

Description copied from interface: SecurityContextRepository

Obtains the security context for the supplied request. For an unauthenticated user, an empty context implementation should be returned. This method should not return null.

The use of the HttpRequestResponseHolder parameter allows implementations to return wrapped versions of the request or response (or both), allowing them to access implementation-specific state for the request. The values obtained from the holder will be passed on to the filter chain and also to the saveContext method when it is finally called to allow implicit saves of the SecurityContext. Implementations may wish to return a subclass of SaveContextOnUpdateOrErrorResponseWrapper as the response object, which guarantees that the context is persisted when an error or redirect occurs. Implementations may allow passing in the original request response to allow explicit saves.

Specified by:

loadContext in interface SecurityContextRepository

Parameters:

requestResponseHolder - holder for the current request and response for which the context should be loaded.

Returns:

The security context which should be used for the current request, never null.

loadDeferredContext

public DeferredSecurityContext loadDeferredContext(jakarta.servlet.http.HttpServletRequest request)

Description copied from interface: SecurityContextRepository

Defers loading the SecurityContext using the HttpServletRequest until it is needed by the application.

Specified by:

loadDeferredContext in interface SecurityContextRepository

Parameters:

request - the HttpServletRequest to load the SecurityContext from

Returns:

a DeferredSecurityContext that returns the SecurityContext which cannot be null

saveContext

public void saveContext(SecurityContext context,
 jakarta.servlet.http.HttpServletRequest request,
 jakarta.servlet.http.HttpServletResponse response)

Description copied from interface: SecurityContextRepository

Stores the security context on completion of a request.

Specified by:

saveContext in interface SecurityContextRepository

Parameters:

context - the non-null context which was obtained from the holder.

setSecurityContextHolderStrategy

public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)

Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.

Since:

5.8