org.springframework.security.ui

Class SessionFixationProtectionFilter

java.lang.Object

org.springframework.security.ui.SpringSecurityFilter

org.springframework.security.ui.SessionFixationProtectionFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.core.Ordered

public class SessionFixationProtectionFilter
extends SpringSecurityFilter

Detects that a user has been authenticated since the start of the request and starts a new session.

This is essentially a generalization of the functionality that was implemented for SEC-399. Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used with Spring Security's concurrent session control.

Since:

2.0

Author:

Martin Algesten, Luke Taylor

Field Summary

Fields inherited from class org.springframework.security.ui.SpringSecurityFilter

logger

Fields inherited from interface org.springframework.core.Ordered

HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE

Constructor Summary

Constructors

Constructor and Description
SessionFixationProtectionFilter()

Method Summary

Methods

Modifier and Type	Method and Description
protected void	doFilterHttp(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
int	getOrder()
void	setMigrateSessionAttributes(boolean migrateSessionAttributes)
void	setSessionRegistry(SessionRegistry sessionRegistry)
protected void	startNewSessionIfRequired(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Called when the a user wasn't authenticated at the start of the request but has been during it

Methods inherited from class org.springframework.security.ui.SpringSecurityFilter

destroy, doFilter, init, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

SessionFixationProtectionFilter

public SessionFixationProtectionFilter()

Method Detail

doFilterHttp

protected void doFilterHttp(javax.servlet.http.HttpServletRequest request,
                javax.servlet.http.HttpServletResponse response,
                javax.servlet.FilterChain chain)
                     throws java.io.IOException,
                            javax.servlet.ServletException

Specified by:

doFilterHttp in class SpringSecurityFilter

Throws:

java.io.IOException

javax.servlet.ServletException

setMigrateSessionAttributes

public void setMigrateSessionAttributes(boolean migrateSessionAttributes)

setSessionRegistry

public void setSessionRegistry(SessionRegistry sessionRegistry)

getOrder

public int getOrder()

startNewSessionIfRequired

protected void startNewSessionIfRequired(javax.servlet.http.HttpServletRequest request,
                             javax.servlet.http.HttpServletResponse response)

Called when the a user wasn't authenticated at the start of the request but has been during it

A new session will be created, the session attributes copied to it (if migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.