Class SessionRepositoryFilter<S extends Session>
java.lang.Object
org.springframework.session.web.http.SessionRepositoryFilter<S>
- Type Parameters:
S
- theSession
type.
- All Implemented Interfaces:
jakarta.servlet.Filter
Switches the
HttpSession
implementation to be backed by a
Session
.
The SessionRepositoryFilter
wraps the
HttpServletRequest
and overrides the methods to get an
HttpSession
to be backed by a
Session
returned by the
SessionRepository
.
The SessionRepositoryFilter
uses a HttpSessionIdResolver
(default
CookieHttpSessionIdResolver
) to bridge logic between an
HttpSession
and the
Session
abstraction. Specifically:
- The session id is looked up using
HttpSessionIdResolver.resolveSessionIds(jakarta.servlet.http.HttpServletRequest)
. The default is to look in a cookie named SESSION. - The session id of newly created
Session
is sent to the client usingHttpSessionIdResolver.setSessionId(jakarta.servlet.http.HttpServletRequest, jakarta.servlet.http.HttpServletResponse, String)
- The client is notified that the session id is no longer valid with
HttpSessionIdResolver.expireSession(jakarta.servlet.http.HttpServletRequest, jakarta.servlet.http.HttpServletResponse)
The SessionRepositoryFilter must be placed before any Filter that access the HttpSession or that might commit the response to ensure the session is overridden and persisted properly.
- Since:
- 1.0
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
Suffix that gets appended to the filter name for the "already filtered" request attribute.static final int
The default filter order.static final String
Invalid session id (not backed by the session repository) request attribute name.static final String
The session repository request attribute name. -
Constructor Summary
ConstructorDescriptionSessionRepositoryFilter
(SessionRepository<S> sessionRepository) Creates a new instance. -
Method Summary
Modifier and TypeMethodDescriptionvoid
destroy()
final void
doFilter
(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain filterChain) ThisdoFilter
implementation stores a request attribute for "already filtered", proceeding without filtering again if the attribute is already there.protected void
doFilterInternal
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) Same contract as fordoFilter
, but guaranteed to be just invoked once per request within a single request thread.protected void
doFilterNestedErrorDispatch
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) Typically an ERROR dispatch happens after the REQUEST dispatch completes, and the filter chain starts anew.protected String
Return the name of the request attribute that identifies that a request is already filtered.void
init
(jakarta.servlet.FilterConfig config) void
setHttpSessionIdResolver
(HttpSessionIdResolver httpSessionIdResolver) Sets theHttpSessionIdResolver
to be used.
-
Field Details
-
SESSION_REPOSITORY_ATTR
The session repository request attribute name. -
INVALID_SESSION_ID_ATTR
Invalid session id (not backed by the session repository) request attribute name. -
DEFAULT_ORDER
public static final int DEFAULT_ORDERThe default filter order.- See Also:
-
ALREADY_FILTERED_SUFFIX
Suffix that gets appended to the filter name for the "already filtered" request attribute.- See Also:
-
-
Constructor Details
-
SessionRepositoryFilter
Creates a new instance.- Parameters:
sessionRepository
- theSessionRepository
to use. Cannot be null.
-
-
Method Details
-
setHttpSessionIdResolver
Sets theHttpSessionIdResolver
to be used. The default is aCookieHttpSessionIdResolver
.- Parameters:
httpSessionIdResolver
- theHttpSessionIdResolver
to use. Cannot be null.
-
doFilterInternal
protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws jakarta.servlet.ServletException, IOException Same contract as fordoFilter
, but guaranteed to be just invoked once per request within a single request thread.Provides HttpServletRequest and HttpServletResponse arguments instead of the default ServletRequest and ServletResponse ones.
- Parameters:
request
- the requestresponse
- the responsefilterChain
- the FilterChain- Throws:
jakarta.servlet.ServletException
- thrown when a non-I/O exception has occurredIOException
- thrown when an I/O exception of some sort has occurred- See Also:
-
Filter.doFilter(jakarta.servlet.ServletRequest, jakarta.servlet.ServletResponse, jakarta.servlet.FilterChain)
-
doFilterNestedErrorDispatch
protected void doFilterNestedErrorDispatch(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws jakarta.servlet.ServletException, IOException Typically an ERROR dispatch happens after the REQUEST dispatch completes, and the filter chain starts anew. On some servers however the ERROR dispatch may be nested within the REQUEST dispatch, e.g. as a result of callingsendError
on the response. In that case we are still in the filter chain, on the same thread, but the request and response have been switched to the original, unwrapped ones.Sub-classes may use this method to filter such nested ERROR dispatches and re-apply wrapping on the request or response.
ThreadLocal
context, if any, should still be active as we are still nested within the filter chain.- Parameters:
request
- the requestresponse
- the responsefilterChain
- the filter chain- Throws:
jakarta.servlet.ServletException
- if request is not HTTP requestIOException
- in case of I/O operation exception
-
doFilter
public final void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain filterChain) throws jakarta.servlet.ServletException, IOException ThisdoFilter
implementation stores a request attribute for "already filtered", proceeding without filtering again if the attribute is already there.- Specified by:
doFilter
in interfacejakarta.servlet.Filter
- Parameters:
request
- the requestresponse
- the responsefilterChain
- the filter chain- Throws:
jakarta.servlet.ServletException
- if request is not HTTP requestIOException
- in case of I/O operation exception
-
getAlreadyFilteredAttributeName
Return the name of the request attribute that identifies that a request is already filtered.The default implementation takes the configured name of the concrete filter instance and appends ".FILTERED". If the filter is not fully initialized, it falls back to its class name.
- Returns:
- the name of request attribute indicating already filtered request
- See Also:
-
init
public void init(jakarta.servlet.FilterConfig config) - Specified by:
init
in interfacejakarta.servlet.Filter
-
destroy
public void destroy()- Specified by:
destroy
in interfacejakarta.servlet.Filter
-