Package org.springframework.session.web.http

Class SessionRepositoryFilter<S extends Session>

java.lang.Object
org.springframework.session.web.http.SessionRepositoryFilter<S>
Type Parameters:
S - the Session type.
All Implemented Interfaces:
javax.servlet.Filter
@Order(-2147483598) public class SessionRepositoryFilter<S extends Session> extends Object
Switches the HttpSession implementation to be backed by a Session. The SessionRepositoryFilter wraps the HttpServletRequest and overrides the methods to get an HttpSession to be backed by a Session returned by the SessionRepository. The SessionRepositoryFilter uses a HttpSessionIdResolver (default CookieHttpSessionIdResolver) to bridge logic between an HttpSession and the Session abstraction. Specifically:

The SessionRepositoryFilter must be placed before any Filter that access the HttpSession or that might commit the response to ensure the session is overridden and persisted properly.

Since:
1.0

  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    ALREADY_FILTERED_SUFFIX
    Suffix that gets appended to the filter name for the "already filtered" request attribute.
    static final int
    DEFAULT_ORDER
    The default filter order.
    static final String
    INVALID_SESSION_ID_ATTR
    Invalid session id (not backed by the session repository) request attribute name.
    static final String
    SESSION_REPOSITORY_ATTR
    The session repository request attribute name.

  • Constructor Summary

    Constructors
    Constructor
    Description
    SessionRepositoryFilter(SessionRepository<S> sessionRepository)
    Creates a new instance.

  • Method Summary

    Modifier and Type
    Method
    Description
    void
    destroy()
     
    final void
    doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain filterChain)
    This doFilter implementation stores a request attribute for "already filtered", proceeding without filtering again if the attribute is already there.
    protected void
    doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain)
    Same contract as for doFilter, but guaranteed to be just invoked once per request within a single request thread.
    protected void
    doFilterNestedErrorDispatch(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain)
    Typically an ERROR dispatch happens after the REQUEST dispatch completes, and the filter chain starts anew.
    protected String
    getAlreadyFilteredAttributeName()
    Return the name of the request attribute that identifies that a request is already filtered.
    void
    init(javax.servlet.FilterConfig config)
     
    void
    setHttpSessionIdResolver(HttpSessionIdResolver httpSessionIdResolver)
    Sets the HttpSessionIdResolver to be used.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Field Details

    • SESSION_REPOSITORY_ATTR

      public static final String SESSION_REPOSITORY_ATTR
      The session repository request attribute name.

    • INVALID_SESSION_ID_ATTR

      public static final String INVALID_SESSION_ID_ATTR
      Invalid session id (not backed by the session repository) request attribute name.

    • DEFAULT_ORDER

      public static final int DEFAULT_ORDER
      The default filter order.
      See Also:

    • ALREADY_FILTERED_SUFFIX

      public static final String ALREADY_FILTERED_SUFFIX
      Suffix that gets appended to the filter name for the "already filtered" request attribute.
      See Also:

  • Constructor Details

    • SessionRepositoryFilter

      public SessionRepositoryFilter(SessionRepository<S> sessionRepository)
      Creates a new instance.
      Parameters:
      sessionRepository - the SessionRepository to use. Cannot be null.

  • Method Details

    • setHttpSessionIdResolver

      public void setHttpSessionIdResolver(HttpSessionIdResolver httpSessionIdResolver)
      Sets the HttpSessionIdResolver to be used. The default is a CookieHttpSessionIdResolver.
      Parameters:
      httpSessionIdResolver - the HttpSessionIdResolver to use. Cannot be null.

    • doFilterInternal

      protected void doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws javax.servlet.ServletException, IOException
      Same contract as for doFilter, but guaranteed to be just invoked once per request within a single request thread.

      Provides HttpServletRequest and HttpServletResponse arguments instead of the default ServletRequest and ServletResponse ones.

      Parameters:
      request - the request
      response - the response
      filterChain - the FilterChain
      Throws:
      javax.servlet.ServletException - thrown when a non-I/O exception has occurred
      IOException - thrown when an I/O exception of some sort has occurred
      See Also:
      • Filter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)

    • doFilterNestedErrorDispatch

      protected void doFilterNestedErrorDispatch(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws javax.servlet.ServletException, IOException
      Typically an ERROR dispatch happens after the REQUEST dispatch completes, and the filter chain starts anew. On some servers however the ERROR dispatch may be nested within the REQUEST dispatch, e.g. as a result of calling sendError on the response. In that case we are still in the filter chain, on the same thread, but the request and response have been switched to the original, unwrapped ones.

      Sub-classes may use this method to filter such nested ERROR dispatches and re-apply wrapping on the request or response. ThreadLocal context, if any, should still be active as we are still nested within the filter chain.

      Parameters:
      request - the request
      response - the response
      filterChain - the filter chain
      Throws:
      javax.servlet.ServletException - if request is not HTTP request
      IOException - in case of I/O operation exception

    • doFilter

      public final void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain filterChain) throws javax.servlet.ServletException, IOException
      This doFilter implementation stores a request attribute for "already filtered", proceeding without filtering again if the attribute is already there.
      Specified by:
      doFilter in interface javax.servlet.Filter
      Parameters:
      request - the request
      response - the response
      filterChain - the filter chain
      Throws:
      javax.servlet.ServletException - if request is not HTTP request
      IOException - in case of I/O operation exception

    • getAlreadyFilteredAttributeName

      protected String getAlreadyFilteredAttributeName()
      Return the name of the request attribute that identifies that a request is already filtered.

      The default implementation takes the configured name of the concrete filter instance and appends ".FILTERED". If the filter is not fully initialized, it falls back to its class name.

      Returns:
      the name of request attribute indicating already filtered request
      See Also:

    • init

      public void init(javax.servlet.FilterConfig config)
      Specified by:
      init in interface javax.servlet.Filter

    • destroy

      public void destroy()
      Specified by:
      destroy in interface javax.servlet.Filter