Class SessionManagementFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

    public class SessionManagementFilter
    extends org.springframework.web.filter.GenericFilterBean
    Detects that a user has been authenticated since the start of the request and, if they have, calls the configured SessionAuthenticationStrategy to perform any session-related activity such as activating session-fixation protection mechanisms or checking for multiple concurrent logins.
    Since:
    2.0
    • Field Summary

      • Fields inherited from class org.springframework.web.filter.GenericFilterBean

        logger
    • Method Summary

      Modifier and Type Method Description
      void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
      void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
      The handler which will be invoked if the SessionAuthenticationStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).
      void setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)
      Sets the strategy which will be invoked instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID.
      void setTrustResolver(org.springframework.security.authentication.AuthenticationTrustResolver trustResolver)
      Sets the AuthenticationTrustResolver to be used.
      • Methods inherited from class org.springframework.web.filter.GenericFilterBean

        addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • doFilter

        public void doFilter(javax.servlet.ServletRequest request,
                             javax.servlet.ServletResponse response,
                             javax.servlet.FilterChain chain)
                      throws java.io.IOException,
                             javax.servlet.ServletException
        Throws:
        java.io.IOException
        javax.servlet.ServletException
      • setInvalidSessionStrategy

        public void setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)
        Sets the strategy which will be invoked instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID. If the property is not set, no action will be taken.
        Parameters:
        invalidSessionStrategy - the strategy to invoke. Typically a SimpleRedirectInvalidSessionStrategy.
      • setAuthenticationFailureHandler

        public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
        The handler which will be invoked if the SessionAuthenticationStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).
      • setTrustResolver

        public void setTrustResolver(org.springframework.security.authentication.AuthenticationTrustResolver trustResolver)
        Sets the AuthenticationTrustResolver to be used. The default is AuthenticationTrustResolverImpl.
        Parameters:
        trustResolver - the AuthenticationTrustResolver to use. Cannot be null.
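
An added wiring example, not taken from the Spring Security documentation: it builds the filter with a composite SessionAuthenticationStrategy covering the two activities the class description names (session-fixation protection and concurrent-login checks) and sets the handlers documented above. The class name, bean names and the two URLs are assumptions, and the filter is assumed to be placed in a manually assembled security filter chain.

```java
import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;

// Added example: class name, bean names and URLs are hypothetical.
@Configuration
public class SessionManagementConfig {
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Bean
    public SessionAuthenticationStrategy sessionAuthenticationStrategy(SessionRegistry registry) {
        ConcurrentSessionControlAuthenticationStrategy concurrency =
                new ConcurrentSessionControlAuthenticationStrategy(registry);
        concurrency.setMaximumSessions(1);
        // Reject the new login (SessionAuthenticationException) rather than expiring the oldest session.
        concurrency.setExceptionIfMaximumExceeded(true);
        // Order matters: check the session count, issue a fresh session ID, then register it.
        return new CompositeSessionAuthenticationStrategy(Arrays.asList(
                concurrency,
                new ChangeSessionIdAuthenticationStrategy(),
                new RegisterSessionAuthenticationStrategy(registry)));
    }

    @Bean
    public SessionManagementFilter sessionManagementFilter(SessionAuthenticationStrategy strategy) {
        SessionManagementFilter filter = new SessionManagementFilter(
                new HttpSessionSecurityContextRepository(), strategy);
        // Invoked when the user agent presents a session ID that is no longer valid.
        filter.setInvalidSessionStrategy(new SimpleRedirectInvalidSessionStrategy("/session-expired"));
        // Invoked when the strategy above raises SessionAuthenticationException.
        filter.setAuthenticationFailureHandler(
                new SimpleUrlAuthenticationFailureHandler("/login?error=max-sessions"));
        return filter;
    }
}
```

SessionRegistryImpl only learns that a session has ended if HttpSessionEventPublisher is registered as a servlet listener; without it, users who never log out explicitly remain counted against the session limit.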