Package org.springframework.security.web.context

Class AbstractSecurityWebApplicationInitializer

java.lang.Object
org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer
All Implemented Interfaces:
org.springframework.web.WebApplicationInitializer
public abstract class AbstractSecurityWebApplicationInitializer extends Object implements org.springframework.web.WebApplicationInitializer
Registers the DelegatingFilterProxy to use the springSecurityFilterChain before any other registered Filter. When used with AbstractSecurityWebApplicationInitializer(Class...), it will also register a ContextLoaderListener. When used with AbstractSecurityWebApplicationInitializer(), this class is typically used in addition to a subclass of AbstractContextLoaderInitializer.

By default the DelegatingFilterProxy is registered without support, but can be enabled by overriding isAsyncSecuritySupported() and getSecurityDispatcherTypes().

Additional configuration before and after the springSecurityFilterChain can be added by overriding afterSpringSecurityFilterChain(ServletContext).

Caveats

Subclasses of AbstractDispatcherServletInitializer will register their filters before any other Filter. This means that you will typically want to ensure subclasses of AbstractDispatcherServletInitializer are invoked first. This can be done by ensuring the Order or Ordered of AbstractDispatcherServletInitializer are sooner than subclasses of AbstractSecurityWebApplicationInitializer.

  • Field Details

  • Constructor Details

    • AbstractSecurityWebApplicationInitializer

      protected AbstractSecurityWebApplicationInitializer()
      Creates a new instance that assumes the Spring Security configuration is loaded by some other means than this class. For example, a user might create a ContextLoaderListener using a subclass of AbstractContextLoaderInitializer.
      See Also:
      • ContextLoaderListener

    • AbstractSecurityWebApplicationInitializer

      protected AbstractSecurityWebApplicationInitializer(Class<?>... configurationClasses)
      Creates a new instance that will instantiate the ContextLoaderListener with the specified classes.
      Parameters:
      configurationClasses -

  • Method Details

    • onStartup

      public final void onStartup(jakarta.servlet.ServletContext servletContext)
      Specified by:
      onStartup in interface org.springframework.web.WebApplicationInitializer

    • enableHttpSessionEventPublisher

      protected boolean enableHttpSessionEventPublisher()
      Override this if HttpSessionEventPublisher should be added as a listener. This should be true, if session management has specified a maximum number of sessions.
      Returns:
      true to add HttpSessionEventPublisher, else false

    • insertFilters

      protected final void insertFilters(jakarta.servlet.ServletContext servletContext, jakarta.servlet.Filter... filters)
      Inserts the provided Filters before existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().
      Parameters:
      servletContext - the ServletContext to use
      filters - the Filters to register

    • appendFilters

      protected final void appendFilters(jakarta.servlet.ServletContext servletContext, jakarta.servlet.Filter... filters)
      Inserts the provided Filters after existing Filters using default generated names, getSecurityDispatcherTypes(), and isAsyncSecuritySupported().
      Parameters:
      servletContext - the ServletContext to use
      filters - the Filters to register

    • getSessionTrackingModes

      protected Set<jakarta.servlet.SessionTrackingMode> getSessionTrackingModes()
      Determines how a session should be tracked. By default, SessionTrackingMode.COOKIE is used.

      Note that SessionTrackingMode.URL is intentionally omitted to help protected against session fixation attacks. SessionTrackingMode.SSL is omitted because SSL configuration is required for this to work.

      Subclasses can override this method to make customizations.

      Returns:

    • getDispatcherWebApplicationContextSuffix

      protected @Nullable String getDispatcherWebApplicationContextSuffix()
      Return the <servlet-name> to use the DispatcherServlet's WebApplicationContext to find the DelegatingFilterProxy or null to use the parent ApplicationContext.

      For example, if you are using AbstractDispatcherServletInitializer or AbstractAnnotationConfigDispatcherServletInitializer and using the provided Servlet name, you can return "dispatcher" from this method to use the DispatcherServlet's WebApplicationContext.

      Returns:
      the <servlet-name> of the DispatcherServlet to use its WebApplicationContext or null (default) to use the parent ApplicationContext.

    • beforeSpringSecurityFilterChain

      protected void beforeSpringSecurityFilterChain(jakarta.servlet.ServletContext servletContext)
      Invoked before the springSecurityFilterChain is added.
      Parameters:
      servletContext - the ServletContext

    • afterSpringSecurityFilterChain

      protected void afterSpringSecurityFilterChain(jakarta.servlet.ServletContext servletContext)
      Invoked after the springSecurityFilterChain is added.
      Parameters:
      servletContext - the ServletContext

    • getSecurityDispatcherTypes

      protected EnumSet<jakarta.servlet.DispatcherType> getSecurityDispatcherTypes()
      Get the DispatcherType for the springSecurityFilterChain.
      Returns:

    • isAsyncSecuritySupported

      protected boolean isAsyncSecuritySupported()
      Determine if the springSecurityFilterChain should be marked as supporting async. Default is true.
      Returns:
      true if springSecurityFilterChain should be marked as supporting async