org.springframework.security.ui
Class SessionFixationProtectionFilter
java.lang.Object
org.springframework.security.ui.SpringSecurityFilter
org.springframework.security.ui.SessionFixationProtectionFilter
- All Implemented Interfaces:
- javax.servlet.Filter, org.springframework.core.Ordered
public class SessionFixationProtectionFilter
- extends SpringSecurityFilter
Detects that a user has been authenticated since the start of the request and starts a new session.
This is essentially a generalization of the functionality that was implemented for SEC-399.
Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used
with Spring Security's concurrent session control.
- Since:
- 2.0
- Author:
- Martin Algesten, Luke Taylor
Fields inherited from interface org.springframework.core.Ordered
HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE
Method Summary
protected void doFilterHttp(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
int getOrder()
void setMigrateSessionAttributes(boolean migrateSessionAttributes)
void setSessionRegistry(SessionRegistry sessionRegistry)
protected void startNewSessionIfRequired(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Called when a user wasn't authenticated at the start of the request but has been during it.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
SessionFixationProtectionFilter
public SessionFixationProtectionFilter()
doFilterHttp
protected void doFilterHttp(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain chain)
throws java.io.IOException,
javax.servlet.ServletException
- Specified by:
doFilterHttp
in class SpringSecurityFilter
- Throws:
java.io.IOException
javax.servlet.ServletException
setMigrateSessionAttributes
public void setMigrateSessionAttributes(boolean migrateSessionAttributes)
setSessionRegistry
public void setSessionRegistry(SessionRegistry sessionRegistry)
getOrder
public int getOrder()
startNewSessionIfRequired
protected void startNewSessionIfRequired(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
- Called when a user wasn't authenticated at the start of the request but has been during it.
A new session will be created, the session attributes copied to it (if
migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.
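The sequence described above (authentication detected during the request, new session, optional attribute copy, registry update), modelled without the servlet API. This is an added example, not Spring Security's code: Session, store, registry and startNewSession are hypothetical stand-ins, and the attribute and principal values are constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Servlet-free model of the documented behaviour; Session, store and registry
// are hypothetical stand-ins, not Spring Security or container classes.
public class SessionFixationModel {
    static class Session {
        final String id = UUID.randomUUID().toString();
        final Map<String, Object> attrs = new HashMap<>();
    }

    static final Map<String, Session> store = new HashMap<>();   // container's live sessions
    static final Map<String, String> registry = new HashMap<>(); // session id -> principal

    static Session create() {
        Session s = new Session();
        store.put(s.id, s);
        return s;
    }

    // New session, optional attribute copy, registry moved to the new id.
    static Session startNewSession(Session old, String principal, boolean migrateSessionAttributes) {
        Session fresh = create();
        if (migrateSessionAttributes) {
            fresh.attrs.putAll(old.attrs);
        }
        store.remove(old.id);          // the pre-login id stops resolving to a session
        registry.remove(old.id);
        registry.put(fresh.id, principal);
        return fresh;
    }

    public static void main(String[] args) {
        Session pre = create();                 // id issued before login
        pre.attrs.put("cart", "item-42");       // constructed sample attribute
        boolean authenticatedAtStart = false;   // state when the request entered the filter
        boolean authenticatedNow = true;        // state after the rest of the chain ran
        Session current = pre;
        if (!authenticatedAtStart && authenticatedNow) {
            current = startNewSession(pre, "alice", true);
        }
        System.out.println("pre-login id still valid: " + store.containsKey(pre.id));
        System.out.println("session id changed: " + !current.id.equals(pre.id));
        System.out.println("migrated cart: " + current.attrs.get("cart"));
        System.out.println("registry holds new id: " + registry.containsKey(current.id));
    }
}
```

The property to check in a real deployment is the same one the model prints: the session identifier presented before login must not identify the authenticated session afterwards.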