Class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>

  • All Implemented Interfaces:
    SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,​H>

    public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
    extends AbstractHttpConfigurer<SessionManagementConfigurer<H>,​H>
    Allows configuring session management.

    Security Filters

    The following Filters are populated
    • SessionManagementFilter
    • ConcurrentSessionFilter if there are restrictions on how many concurrent sessions a user can have

    Shared Objects Created

    The following shared objects are created:

    Shared Objects Used

    • SecurityContextRepository
    • AuthenticationTrustResolver is optionally used to populate the HttpSessionSecurityContextRepository and SessionManagementFilter
    Since:
    3.2
    See Also:
    SessionManagementFilter, ConcurrentSessionFilter
    • Method Detail

      • invalidSessionUrl

        public SessionManagementConfigurer<H> invalidSessionUrl​(java.lang.String invalidSessionUrl)
        Setting this attribute will inject the SessionManagementFilter with a SimpleRedirectInvalidSessionStrategy configured with the attribute value. When a request carries a session ID that the container no longer recognizes (for example because the session expired or was invalidated), the strategy is invoked and redirects to the configured URL. The redirect target must be reachable without a valid session, otherwise the client loops between the two; the built-in strategy also starts a fresh session by default so that the browser stops presenting the stale cookie.
        Parameters:
        invalidSessionUrl - the URL to redirect to when an invalid session is detected
        Returns:
        the SessionManagementConfigurer for further customization
      • requireExplicitAuthenticationStrategy

        public SessionManagementConfigurer<H> requireExplicitAuthenticationStrategy​(boolean requireExplicitAuthenticationStrategy)
        Setting this to true means that the SessionAuthenticationStrategy must be invoked explicitly by each authentication mechanism (for example by an AbstractAuthenticationProcessingFilter after a successful authentication) rather than relying on the SessionManagementFilter to detect that a user has just authenticated and invoke the strategy on the mechanism's behalf.
        Parameters:
        requireExplicitAuthenticationStrategy - require explicit invocation of SessionAuthenticationStrategy
        Returns:
        the SessionManagementConfigurer for further customization
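What "explicit invocation" looks like from the point of view of an authentication mechanism, as an added example that is not part of Spring Security or of this page. It assumes Spring Security 6 on jakarta.servlet; the filter, the X-Login-User and X-Login-Password headers and the class name HeaderLoginFilter are hypothetical. The order is the one AbstractAuthenticationProcessingFilter uses: authenticate, run the SessionAuthenticationStrategy (session fixation protection and, if configured, concurrency control), and only then store the SecurityContext.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical header-based login filter (example code, not part of Spring Security).
 * With requireExplicitAuthenticationStrategy(true) nothing else will call the
 * SessionAuthenticationStrategy, so the filter must do it itself: after the
 * AuthenticationManager has accepted the credentials and before the SecurityContext
 * is written to the session.
 */
public class HeaderLoginFilter extends OncePerRequestFilter {

    private final AuthenticationManager authenticationManager;
    private final SessionAuthenticationStrategy sessionStrategy;
    private final SecurityContextRepository contextRepository;

    public HeaderLoginFilter(AuthenticationManager authenticationManager,
            SessionAuthenticationStrategy sessionStrategy,
            SecurityContextRepository contextRepository) {
        this.authenticationManager = authenticationManager;
        this.sessionStrategy = sessionStrategy;
        this.contextRepository = contextRepository;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        // Hypothetical header names; a real deployment would use a proper login endpoint.
        String user = request.getHeader("X-Login-User");
        String password = request.getHeader("X-Login-Password");
        if (user == null || password == null) {
            chain.doFilter(request, response);
            return;
        }
        try {
            Authentication result = this.authenticationManager
                    .authenticate(UsernamePasswordAuthenticationToken.unauthenticated(user, password));

            // Explicit invocation. ChangeSessionIdAuthenticationStrategy rotates the session id here;
            // ConcurrentSessionControlAuthenticationStrategy throws SessionAuthenticationException
            // (an AuthenticationException) if the user already holds too many sessions.
            this.sessionStrategy.onAuthentication(result, request, response);

            // Only now is it safe to publish the authenticated context into the (new) session.
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(result);
            SecurityContextHolder.setContext(context);
            this.contextRepository.saveContext(context, request, response);
        }
        catch (AuthenticationException ex) {
            // Covers both bad credentials and a rejection by the session strategy.
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The simplest wiring is to construct the SessionAuthenticationStrategy yourself and pass the same instance both to sessionAuthenticationStrategy(...) on the configurer and to this filter's constructor; the configurer publishes its own instance as a shared object only during http.build(), so reading it with getSharedObject from the bean method before build() returns null.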
      • invalidSessionStrategy

        public SessionManagementConfigurer<H> invalidSessionStrategy​(org.springframework.security.web.session.InvalidSessionStrategy invalidSessionStrategy)
        Setting this attribute will inject the provided invalidSessionStrategy into the SessionManagementFilter. When a request carries a session ID that the container no longer recognizes, the strategy is invoked and decides how to respond (the built-in SimpleRedirectInvalidSessionStrategy redirects to a configured URL).
        Parameters:
        invalidSessionStrategy - the strategy to use when an invalid session ID is submitted.
        Returns:
        the SessionManagementConfigurer for further customization
      • sessionAuthenticationErrorUrl

        public SessionManagementConfigurer<H> sessionAuthenticationErrorUrl​(java.lang.String sessionAuthenticationErrorUrl)
        Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception (for example because the user already holds the maximum number of concurrent sessions and new logins are prevented). If not set, a 401 Unauthorized response will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
        Parameters:
        sessionAuthenticationErrorUrl - the URL to redirect to
        Returns:
        the SessionManagementConfigurer for further customization
      • sessionAuthenticationFailureHandler

        public SessionManagementConfigurer<H> sessionAuthenticationFailureHandler​(org.springframework.security.web.authentication.AuthenticationFailureHandler sessionAuthenticationFailureHandler)
        Defines the AuthenticationFailureHandler which will be used when the SessionAuthenticationStrategy raises an exception. If not set, a 401 Unauthorized response will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the form login's failure handler will take precedence.
        Parameters:
        sessionAuthenticationFailureHandler - the handler to use
        Returns:
        the SessionManagementConfigurer for further customization
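A configuration in which the session failure handler actually fires, as an added example that is not part of Spring Security or of this page. It assumes Spring Security 6 on jakarta.servlet. HTTP Basic is used instead of form login precisely because, as noted above, form login's own failure handler takes precedence; concurrency control is enabled with maximumSessions(int) and maxSessionsPreventsLogin(boolean), which exist on this configurer but are not shown in the excerpt above. requireExplicitAuthenticationStrategy is set to false explicitly so that the SessionManagementFilter, which is what invokes this handler, is present regardless of the version default.

```java
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class ConcurrencyFailureConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .sessionManagement(session -> session
                // Let SessionManagementFilter detect the newly authenticated Basic request,
                // run the SessionAuthenticationStrategy and call the handler below on rejection.
                .requireExplicitAuthenticationStrategy(false)
                .sessionAuthenticationFailureHandler(jsonSessionFailureHandler())
                // A second concurrent session for the same principal is refused rather than
                // expiring the first one; that refusal is the SessionAuthenticationException
                // the handler receives.
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true));
        return http.build();
    }

    /**
     * Tells the SessionRegistry when sessions are destroyed. Without it, timed-out or
     * invalidated sessions keep counting against the limit and users lock themselves out.
     */
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    /** Same 401 status as the default, but with a body an API client can act on. */
    static AuthenticationFailureHandler jsonSessionFailureHandler() {
        return (request, response, exception) -> {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            // Deliberately not echoing exception.getMessage(): keep the body static.
            response.getWriter().write("{\"error\":\"session_rejected\"}");
        };
    }
}
```

With this in place, a Basic request from a second client while the first client's session is still alive gets the JSON 401 rather than a new session; once the first session is destroyed (and the publisher has told the registry), the next login succeeds again.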
      • enableSessionUrlRewriting

        public SessionManagementConfigurer<H> enableSessionUrlRewriting​(boolean enableSessionUrlRewriting)
        If set to true, allows the HTTP session ID to be rewritten into URLs produced by HttpServletResponse.encodeRedirectURL(String) or HttpServletResponse.encodeURL(String); otherwise (the default) the session ID is never written into a URL. Keeping the session ID out of URLs prevents it from leaking to external domains, for example through the Referer header, browser history, bookmarks, or proxy and server logs.

        This is achieved by guarding HttpServletResponse.encodeURL(java.lang.String) and HttpServletResponse.encodeRedirectURL(java.lang.String) invocations. Any code that also overrides either of these two methods, like ResourceUrlEncodingFilter, needs to come after the security filter chain or risk being skipped.

        Parameters:
        enableSessionUrlRewriting - true if should allow the JSESSIONID to be rewritten into the URLs, else false (default)
        Returns:
        the SessionManagementConfigurer for further customization
        See Also:
        HttpSessionSecurityContextRepository.setDisableUrlRewriting(boolean)
      • sessionAuthenticationStrategy

        public SessionManagementConfigurer<H> sessionAuthenticationStrategy​(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy)
        Allows explicitly specifying the SessionAuthenticationStrategy. The default is to use ChangeSessionIdAuthenticationStrategy. If restricting the maximum number of sessions is configured, then a CompositeSessionAuthenticationStrategy is used that delegates, in order, to ConcurrentSessionControlAuthenticationStrategy, the default or supplied SessionAuthenticationStrategy, and RegisterSessionAuthenticationStrategy.

        NOTE: Supplying a custom SessionAuthenticationStrategy replaces the default ChangeSessionIdAuthenticationStrategy, so session fixation protection is lost unless the supplied strategy provides it itself, for example by composing it with ChangeSessionIdAuthenticationStrategy in a CompositeSessionAuthenticationStrategy.

        Parameters:
        sessionAuthenticationStrategy - the SessionAuthenticationStrategy to use
        Returns:
        the SessionManagementConfigurer for further customization
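How to add a custom SessionAuthenticationStrategy without losing session fixation protection, as an added example that is not part of Spring Security or of this page. It assumes Spring Security 6 on jakarta.servlet; the AuthenticationAuditStrategy class and its session attribute names are hypothetical. The composite runs ChangeSessionIdAuthenticationStrategy first, so the audit attributes are written into the rotated session; if concurrency control is also configured, the configurer wraps this whole composite between ConcurrentSessionControlAuthenticationStrategy and RegisterSessionAuthenticationStrategy as described above.

```java
import java.time.Instant;
import java.util.List;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
public class CustomSessionStrategyConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // Wrong (silently drops fixation protection):
                //   .sessionAuthenticationStrategy(new AuthenticationAuditStrategy())
                .sessionAuthenticationStrategy(auditWithFixationProtection()));
        return http.build();
    }

    /** Composite that keeps the default fixation protection and adds the audit step after it. */
    static SessionAuthenticationStrategy auditWithFixationProtection() {
        ChangeSessionIdAuthenticationStrategy fixation = new ChangeSessionIdAuthenticationStrategy();
        return new CompositeSessionAuthenticationStrategy(
                List.of(fixation, new AuthenticationAuditStrategy()));
    }

    /**
     * Hypothetical strategy (example code, not part of Spring Security): records when and
     * from which address the principal authenticated, for later anomaly checks. It never
     * creates a session itself; if none exists after login there is nothing to stamp.
     */
    static final class AuthenticationAuditStrategy implements SessionAuthenticationStrategy {

        static final String AUTHENTICATED_AT = "AUTHENTICATED_AT";
        static final String AUTHENTICATED_FROM = "AUTHENTICATED_FROM";

        @Override
        public void onAuthentication(Authentication authentication, HttpServletRequest request,
                HttpServletResponse response) {
            HttpSession session = request.getSession(false);
            if (session == null) {
                return;
            }
            session.setAttribute(AUTHENTICATED_AT, Instant.now());
            session.setAttribute(AUTHENTICATED_FROM, request.getRemoteAddr());
        }
    }
}
```

Because CompositeSessionAuthenticationStrategy stops at the first delegate that throws, order the delegates so that anything that can reject the login (concurrency checks, custom policy) runs before steps with side effects such as writing attributes or registering the session.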