Class AbstractSecurityWebApplicationInitializer
- All Implemented Interfaces:
org.springframework.web.WebApplicationInitializer
DelegatingFilterProxy
to use the springSecurityFilterChain before
any other registered Filter
. When used with
AbstractSecurityWebApplicationInitializer(Class...)
, it will also register a
ContextLoaderListener
. When used with
AbstractSecurityWebApplicationInitializer()
, this class is typically used in
addition to a subclass of AbstractContextLoaderInitializer
.
By default the DelegatingFilterProxy
is registered without support, but can be
enabled by overriding isAsyncSecuritySupported()
and
getSecurityDispatcherTypes()
.
Additional configuration before and after the springSecurityFilterChain can be added by
overriding afterSpringSecurityFilterChain(ServletContext)
.
Caveats
Subclasses of AbstractDispatcherServletInitializer will register their filters before
any other Filter
. This means that you will typically want to ensure subclasses
of AbstractDispatcherServletInitializer are invoked first. This can be done by ensuring
the Order
or Ordered
of AbstractDispatcherServletInitializer are sooner
than subclasses of AbstractSecurityWebApplicationInitializer
.
-
Field Summary
-
Constructor Summary
ModifierConstructorDescriptionprotected
Creates a new instance that assumes the Spring Security configuration is loaded by some other means than this class.protected
AbstractSecurityWebApplicationInitializer
(Class<?>... configurationClasses) Creates a new instance that will instantiate theContextLoaderListener
with the specified classes. -
Method Summary
Modifier and TypeMethodDescriptionprotected void
afterSpringSecurityFilterChain
(jakarta.servlet.ServletContext servletContext) Invoked after the springSecurityFilterChain is added.protected final void
appendFilters
(jakarta.servlet.ServletContext servletContext, jakarta.servlet.Filter... filters) Inserts the providedFilter
s after existingFilter
s using default generated names,getSecurityDispatcherTypes()
, andisAsyncSecuritySupported()
.protected void
beforeSpringSecurityFilterChain
(jakarta.servlet.ServletContext servletContext) Invoked before the springSecurityFilterChain is added.protected boolean
Override this ifHttpSessionEventPublisher
should be added as a listener.protected String
Return the <servlet-name> to use the DispatcherServlet'sWebApplicationContext
to find theDelegatingFilterProxy
or null to use the parentApplicationContext
.protected EnumSet<jakarta.servlet.DispatcherType>
Get theDispatcherType
for the springSecurityFilterChain.protected Set<jakarta.servlet.SessionTrackingMode>
Determines how a session should be tracked.protected final void
insertFilters
(jakarta.servlet.ServletContext servletContext, jakarta.servlet.Filter... filters) Inserts the providedFilter
s before existingFilter
s using default generated names,getSecurityDispatcherTypes()
, andisAsyncSecuritySupported()
.protected boolean
Determine if the springSecurityFilterChain should be marked as supporting async.final void
onStartup
(jakarta.servlet.ServletContext servletContext)
-
Field Details
-
DEFAULT_FILTER_NAME
- See Also:
-
-
Constructor Details
-
AbstractSecurityWebApplicationInitializer
protected AbstractSecurityWebApplicationInitializer()Creates a new instance that assumes the Spring Security configuration is loaded by some other means than this class. For example, a user might create aContextLoaderListener
using a subclass ofAbstractContextLoaderInitializer
.- See Also:
-
ContextLoaderListener
-
AbstractSecurityWebApplicationInitializer
Creates a new instance that will instantiate theContextLoaderListener
with the specified classes.- Parameters:
configurationClasses
-
-
-
Method Details
-
onStartup
public final void onStartup(jakarta.servlet.ServletContext servletContext) - Specified by:
onStartup
in interfaceorg.springframework.web.WebApplicationInitializer
-
enableHttpSessionEventPublisher
protected boolean enableHttpSessionEventPublisher()Override this ifHttpSessionEventPublisher
should be added as a listener. This should be true, if session management has specified a maximum number of sessions.- Returns:
- true to add
HttpSessionEventPublisher
, else false
-
insertFilters
protected final void insertFilters(jakarta.servlet.ServletContext servletContext, jakarta.servlet.Filter... filters) Inserts the providedFilter
s before existingFilter
s using default generated names,getSecurityDispatcherTypes()
, andisAsyncSecuritySupported()
.- Parameters:
servletContext
- theServletContext
to usefilters
- theFilter
s to register
-
appendFilters
protected final void appendFilters(jakarta.servlet.ServletContext servletContext, jakarta.servlet.Filter... filters) Inserts the providedFilter
s after existingFilter
s using default generated names,getSecurityDispatcherTypes()
, andisAsyncSecuritySupported()
.- Parameters:
servletContext
- theServletContext
to usefilters
- theFilter
s to register
-
getSessionTrackingModes
Determines how a session should be tracked. By default,SessionTrackingMode.COOKIE
is used.Note that
SessionTrackingMode.URL
is intentionally omitted to help protected against session fixation attacks.SessionTrackingMode.SSL
is omitted because SSL configuration is required for this to work.Subclasses can override this method to make customizations.
- Returns:
-
getDispatcherWebApplicationContextSuffix
Return the <servlet-name> to use the DispatcherServlet'sWebApplicationContext
to find theDelegatingFilterProxy
or null to use the parentApplicationContext
.For example, if you are using AbstractDispatcherServletInitializer or AbstractAnnotationConfigDispatcherServletInitializer and using the provided Servlet name, you can return "dispatcher" from this method to use the DispatcherServlet's
WebApplicationContext
.- Returns:
- the <servlet-name> of the DispatcherServlet to use its
WebApplicationContext
or null (default) to use the parentApplicationContext
.
-
beforeSpringSecurityFilterChain
protected void beforeSpringSecurityFilterChain(jakarta.servlet.ServletContext servletContext) Invoked before the springSecurityFilterChain is added.- Parameters:
servletContext
- theServletContext
-
afterSpringSecurityFilterChain
protected void afterSpringSecurityFilterChain(jakarta.servlet.ServletContext servletContext) Invoked after the springSecurityFilterChain is added.- Parameters:
servletContext
- theServletContext
-
getSecurityDispatcherTypes
Get theDispatcherType
for the springSecurityFilterChain.- Returns:
-
isAsyncSecuritySupported
protected boolean isAsyncSecuritySupported()Determine if the springSecurityFilterChain should be marked as supporting async. Default is true.- Returns:
- true if springSecurityFilterChain should be marked as supporting async
-