public class HttpSessionContextIntegrationFilter extends Object implements org.springframework.beans.factory.InitializingBean, javax.servlet.Filter
SecurityContextHolder with information obtained from
the HttpSession.
The HttpSession will be queried to retrieve the
SecurityContext that should be stored against the
SecurityContextHolder for the duration of the web request. At
the end of the web request, any updates made to the
SecurityContextHolder will be persisted back to the
HttpSession by this filter.
If a valid SecurityContext cannot be obtained from the
HttpSession for whatever reason, a fresh
SecurityContext will be created and used instead. The created
object will be of the instance defined by the setContext(Class)
method (which defaults to SecurityContextImpl.
No HttpSession will be created by this filter if one does not
already exist. If at the end of the web request the HttpSession
does not exist, a HttpSession will only be created if
the current contents of the SecurityContextHolder are not
Object.equals(java.lang.Object) to a new
instance of setContext(Class). This avoids needless
HttpSession creation, but automates the storage of changes
made to the SecurityContextHolder. There is one exception to
this rule, that is if the forceEagerSessionCreation property is
true, in which case sessions will always be created
irrespective of normal session-minimisation logic (the default is
false, as this is resource intensive and not recommended).
This filter will only execute once per request, to resolve servlet container
(specifically Weblogic) incompatibilities.
If for whatever reason no HttpSession should ever be
created (eg this filter is only being used with Basic authentication or
similar clients that will never present the same jsessionid
etc), the setAllowSessionCreation(boolean) should be set to
false. Only do this if you really need to conserve server
memory and ensure all classes using the SecurityContextHolder
are designed to have no persistence of the SecurityContext
between web requests. Please note that if forceEagerSessionCreation
is true, the allowSessionCreation must also be
true (setting it to false will cause a startup
time error).
This filter MUST be executed BEFORE any authentication processing mechanisms.
Authentication processing mechanisms (eg BASIC, CAS processing filters etc)
expect the SecurityContextHolder to contain a valid
SecurityContext by the time they execute.
| Modifier and Type | Field and Description |
|---|---|
static String |
ACEGI_SECURITY_CONTEXT_KEY |
protected static org.apache.commons.logging.Log |
logger |
| Constructor and Description |
|---|
HttpSessionContextIntegrationFilter() |
| Modifier and Type | Method and Description |
|---|---|
void |
afterPropertiesSet() |
void |
destroy()
Does nothing.
|
void |
doFilter(javax.servlet.ServletRequest req,
javax.servlet.ServletResponse res,
javax.servlet.FilterChain chain) |
SecurityContext |
generateNewContext() |
Class |
getContext() |
void |
init(javax.servlet.FilterConfig filterConfig)
Does nothing.
|
boolean |
isAllowSessionCreation() |
boolean |
isCloneFromHttpSession() |
boolean |
isForceEagerSessionCreation() |
void |
setAllowSessionCreation(boolean allowSessionCreation) |
void |
setCloneFromHttpSession(boolean cloneFromHttpSession) |
void |
setContext(Class secureContext) |
void |
setForceEagerSessionCreation(boolean forceEagerSessionCreation) |
protected static final org.apache.commons.logging.Log logger
public static final String ACEGI_SECURITY_CONTEXT_KEY
public HttpSessionContextIntegrationFilter()
throws javax.servlet.ServletException
javax.servlet.ServletExceptionpublic boolean isCloneFromHttpSession()
public void setCloneFromHttpSession(boolean cloneFromHttpSession)
public void afterPropertiesSet()
throws Exception
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBeanExceptionpublic void doFilter(javax.servlet.ServletRequest req,
javax.servlet.ServletResponse res,
javax.servlet.FilterChain chain)
throws IOException,
javax.servlet.ServletException
doFilter in interface javax.servlet.FilterIOExceptionjavax.servlet.ServletExceptionpublic SecurityContext generateNewContext() throws javax.servlet.ServletException
javax.servlet.ServletExceptionpublic void init(javax.servlet.FilterConfig filterConfig)
throws javax.servlet.ServletException
init in interface javax.servlet.FilterfilterConfig - ignoredjavax.servlet.ServletException - ignoredpublic void destroy()
destroy in interface javax.servlet.Filterpublic boolean isAllowSessionCreation()
public void setAllowSessionCreation(boolean allowSessionCreation)
public Class getContext()
public void setContext(Class secureContext)
public boolean isForceEagerSessionCreation()
public void setForceEagerSessionCreation(boolean forceEagerSessionCreation)
Copyright © 2016. All rights reserved.