Class SessionManagementFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.session.SessionManagementFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class SessionManagementFilter extends org.springframework.web.filter.GenericFilterBean
Detects that a user has been authenticated since the start of the request and, if they have, calls the configured SessionAuthenticationStrategy to perform any session-related activity such as activating session-fixation protection mechanisms or checking for multiple concurrent logins.
Since:
2.0
  • Field Summary

    Fields inherited from class org.springframework.web.filter.GenericFilterBean

    logger
  • Constructor Summary

    Constructors
    Constructor
    Description
     
     
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain)
     
    void
    setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
    The handler which will be invoked if the AuthenticatedSessionStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).
    void
    setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)
    Sets the strategy which will be invoked instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID.
    void
    setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)
    Sets the SecurityContextHolderStrategy to use.
    void
    setTrustResolver(org.springframework.security.authentication.AuthenticationTrustResolver trustResolver)
    Sets the AuthenticationTrustResolver to be used.

    Methods inherited from class org.springframework.web.filter.GenericFilterBean

    addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

  • Method Details

    • doFilter

      public void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
      Throws:
      IOException
      jakarta.servlet.ServletException
    • setInvalidSessionStrategy

      public void setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy)
      Sets the strategy which will be invoked instead of allowing the filter chain to proceed, if the user agent requests an invalid session ID. If the property is not set, no action will be taken.
      Parameters:
      invalidSessionStrategy - the strategy to invoke. Typically a SimpleRedirectInvalidSessionStrategy.
    • setAuthenticationFailureHandler

      public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
      The handler which will be invoked if the AuthenticatedSessionStrategy raises a SessionAuthenticationException, indicating that the user is not allowed to be authenticated for this session (typically because they already have too many sessions open).
    • setTrustResolver

      public void setTrustResolver(org.springframework.security.authentication.AuthenticationTrustResolver trustResolver)
      Sets the AuthenticationTrustResolver to be used. The default is AuthenticationTrustResolverImpl.
      Parameters:
      trustResolver - the AuthenticationTrustResolver to use. Cannot be null.
    • setSecurityContextHolderStrategy

      public void setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)
      Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
      Since:
      5.8
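
Added example (not part of the Spring Security Javadoc): wiring the filter by hand with a composite SessionAuthenticationStrategy that covers both the concurrent-login check and session-fixation protection mentioned in the class description, and setting the invalid-session and failure handlers documented above. The class name SessionManagementFilterWiring, the /login?... URLs and the limit of one session are assumptions chosen for illustration.

```java
import java.util.List;

import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;

// Hypothetical helper class; not part of Spring Security.
public final class SessionManagementFilterWiring {

    public static SessionManagementFilter build(SessionRegistry registry) {
        // 1. Enforce the per-user session limit before anything else happens.
        ConcurrentSessionControlAuthenticationStrategy limit =
                new ConcurrentSessionControlAuthenticationStrategy(registry);
        limit.setMaximumSessions(1);               // assumed policy: one session per user
        limit.setExceptionIfMaximumExceeded(true); // reject the new login instead of expiring the oldest session

        // 2. Rotate the session ID (session-fixation protection).
        // 3. Record the new session ID in the registry so step 1 can count it next time.
        SessionAuthenticationStrategy strategy = new CompositeSessionAuthenticationStrategy(List.of(
                limit,
                new ChangeSessionIdAuthenticationStrategy(),
                new RegisterSessionAuthenticationStrategy(registry)));

        // The repository lets the filter tell whether the current request was
        // already authenticated when it started.
        SecurityContextRepository repository = new HttpSessionSecurityContextRepository();
        SessionManagementFilter filter = new SessionManagementFilter(repository, strategy);

        // Requested session ID is no longer valid: redirect instead of continuing the chain.
        filter.setInvalidSessionStrategy(
                new SimpleRedirectInvalidSessionStrategy("/login?timeout")); // assumed URL

        // Strategy threw SessionAuthenticationException (e.g. session limit reached).
        filter.setAuthenticationFailureHandler(
                new SimpleUrlAuthenticationFailureHandler("/login?maxSessions")); // assumed URL
        return filter;
    }
}
```

The session limit is only as accurate as the SessionRegistry: in a servlet container, register HttpSessionEventPublisher so that destroyed sessions are removed from the registry and do not count against the user.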