public class SessionFixationProtectionFilter extends SpringSecurityFilter
This is essentially a generalization of the functionality that was implemented for SEC-399. Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used with Spring Security's concurrent session control.
Fields inherited from class SpringSecurityFilter: logger
Constructor and Description |
---|
SessionFixationProtectionFilter() |
Modifier and Type | Method and Description |
---|---|
protected void | doFilterHttp(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain) |
int | getOrder() |
void | setMigrateSessionAttributes(boolean migrateSessionAttributes) |
void | setSessionRegistry(SessionRegistry sessionRegistry) |
protected void | startNewSessionIfRequired(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response): Called when a user wasn't authenticated at the start of the request but has been during it |
Methods inherited from class SpringSecurityFilter: destroy, doFilter, init, toString
protected void doFilterHttp(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException
doFilterHttp in class SpringSecurityFilter
Throws: java.io.IOException, javax.servlet.ServletException
public void setMigrateSessionAttributes(boolean migrateSessionAttributes)
public void setSessionRegistry(SessionRegistry sessionRegistry)
public int getOrder()
protected void startNewSessionIfRequired(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
A new session will be created, the session attributes copied to it (if migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.