Package org.springframework.security.web.session

Class ConcurrentSessionFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
    public class ConcurrentSessionFilter
extends org.springframework.web.filter.GenericFilterBean
    Filter required by concurrent session handling package.

    This filter performs two functions. First, it calls SessionRegistry.refreshLastRequest(String) for each request so that registered sessions always have a correct "last update" date/time. Second, it retrieves a SessionInformation from the SessionRegistry for each request and checks if the session has been marked as expired. If it has been marked as expired, the configured logout handlers will be called (as happens with LogoutFilter), typically to invalidate the session. To handle the expired session a call to the SessionInformationExpiredStrategy is made. The session invalidation will cause an HttpSessionDestroyedEvent to be published via the HttpSessionEventPublisher registered in web.xml.

    • Constructor Detail

      • ConcurrentSessionFilter

        public ConcurrentSessionFilter​(org.springframework.security.core.session.SessionRegistry sessionRegistry)

      • ConcurrentSessionFilter

        public ConcurrentSessionFilter​(org.springframework.security.core.session.SessionRegistry sessionRegistry,
                               SessionInformationExpiredStrategy sessionInformationExpiredStrategy)

    • Method Detail

      • afterPropertiesSet

        public void afterPropertiesSet()
        Specified by:
        afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
        Overrides:
        afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean

      • doFilter

        public void doFilter​(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
        Throws:
        java.io.IOException
        javax.servlet.ServletException

      • determineExpiredUrl

        @Deprecated
protected java.lang.String determineExpiredUrl​(javax.servlet.http.HttpServletRequest request,
                                               org.springframework.security.core.session.SessionInformation info)
        Deprecated.
        Use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
        Determine the URL for expiration
        Parameters:
        request - the HttpServletRequest
        info - the SessionInformation
        Returns:
        the URL for expiration

      • setSecurityContextHolderStrategy

        public void setSecurityContextHolderStrategy​(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)
        Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
        Since:
        5.8

      • setLogoutHandlers

        public void setLogoutHandlers​(LogoutHandler[] handlers)