Package org.springframework.security.web.session

Class ConcurrentSessionFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.session.ConcurrentSessionFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
public class ConcurrentSessionFilter extends org.springframework.web.filter.GenericFilterBean
Filter required by concurrent session handling package.

This filter performs two functions. First, it calls SessionRegistry.refreshLastRequest(String) for each request so that registered sessions always have a correct "last update" date/time. Second, it retrieves a SessionInformation from the SessionRegistry for each request and checks if the session has been marked as expired. If it has been marked as expired, the configured logout handlers will be called (as happens with LogoutFilter), typically to invalidate the session. To handle the expired session a call to the SessionInformationExpiredStrategy is made. The session invalidation will cause an HttpSessionDestroyedEvent to be published via the HttpSessionEventPublisher registered in web.xml.

  • Constructor Details

  • Method Details

    • afterPropertiesSet

      public void afterPropertiesSet()
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
      Overrides:
      afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean

    • doFilter

      public void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
      Throws:
      IOException
      jakarta.servlet.ServletException

    • determineExpiredUrl

      @Deprecated protected String determineExpiredUrl(jakarta.servlet.http.HttpServletRequest request, org.springframework.security.core.session.SessionInformation info)
      Deprecated.
      Use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
      Determine the URL for expiration
      Parameters:
      request - the HttpServletRequest
      info - the SessionInformation
      Returns:
      the URL for expiration

    • setSecurityContextHolderStrategy

      public void setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)
      Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
      Since:
      5.8

    • setLogoutHandlers

      public void setLogoutHandlers(LogoutHandler[] handlers)

    • setLogoutHandlers

      public void setLogoutHandlers(List<LogoutHandler> handlers)
      Set list of LogoutHandler
      Parameters:
      handlers - list of LogoutHandler
      Since:
      5.2.0

    • setRedirectStrategy

      @Deprecated public void setRedirectStrategy(RedirectStrategy redirectStrategy)
      Deprecated.
      use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
      Sets the RedirectStrategy used with ConcurrentSessionFilter(SessionRegistry, String)
      Parameters:
      redirectStrategy - the RedirectStrategy to use