public class HttpSessionReuseDetectionFilter extends Object implements javax.servlet.Filter, org.springframework.beans.factory.InitializingBean
request.getRemoteUser()) is attempting to authenticate again without logging out. Upon detecting this condition, the session is invalidated, the security context is cleared, and the user is redirected to sessionReuseDetectedUrl. This prevents reuse of an HTTP session which contains potentially sensitive, user-specific data.

To use: Insert after httpSessionContextIntegrationFilter but before authenticationProcessingFilter.

Note: Some code copied from AbstractProcessingFilter.
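The check described above, written out as a stand-alone servlet filter. This is an added illustration, not the project's HttpSessionReuseDetectionFilter: the class name, the init-parameter names, the default URLs and the suffix-matching helper are assumptions, and the Spring-specific context clearing is only indicated in a comment so the example depends on the Servlet API alone.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter (example code, not the project's class). Detects a login
 * submission from a caller the container already reports as authenticated,
 * discards that caller's session and redirects instead of letting the
 * credentials be processed on top of the existing session.
 */
public class SessionReuseGuardFilter implements Filter {

    // Login submission URL the filter watches (assumed default; same role as filterProcessesUrl above)
    private String filterProcessesUrl = "/j_security_check";

    // Where the user is sent after the stale session has been discarded (assumed default)
    private String sessionReuseDetectedUrl = "/sessionReuse.jsp";

    public void init(FilterConfig filterConfig) throws ServletException {
        // Init-parameter names are assumptions; the documented class uses bean setters instead
        String processesUrl = filterConfig.getInitParameter("filterProcessesUrl");
        if (processesUrl != null) {
            filterProcessesUrl = processesUrl;
        }
        String detectedUrl = filterConfig.getInitParameter("sessionReuseDetectedUrl");
        if (detectedUrl != null) {
            sessionReuseDetectedUrl = detectedUrl;
        }
        if (!filterProcessesUrl.startsWith("/") || !sessionReuseDetectedUrl.startsWith("/")) {
            throw new ServletException(
                    "filterProcessesUrl and sessionReuseDetectedUrl must be context-relative paths");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A login submission from an already authenticated caller is the condition we care about
        if (isLoginRequest(request) && request.getRemoteUser() != null) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                // Drop everything stored under the previous identity so none of it
                // survives into the new authentication
                session.invalidate();
            }
            // Under Spring Security / Acegi the thread-bound context must be cleared as
            // well, e.g. SecurityContextHolder.clearContext(); omitted here on purpose.
            response.sendRedirect(request.getContextPath() + sessionReuseDetectedUrl);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }

    /**
     * Suffix match in the style of AbstractProcessingFilter (an assumption about
     * that class): strip any ";jsessionid=..." path parameter, then test whether
     * the request URI ends with contextPath + filterProcessesUrl.
     */
    boolean isLoginRequest(HttpServletRequest request) {
        String uri = request.getRequestURI();
        int pathParam = uri.indexOf(';');
        if (pathParam >= 0) {
            uri = uri.substring(0, pathParam);
        }
        String contextPath = request.getContextPath();
        if (contextPath == null || contextPath.length() == 0) {
            return uri.endsWith(filterProcessesUrl);
        }
        return uri.endsWith(contextPath + filterProcessesUrl);
    }
}
```

Chain placement matters for the same reason the page gives: the filter has to run after the session-integration filter, so the existing authentication is visible, and before the authentication-processing filter, so the second login is intercepted rather than layered onto the old session. Note also that request.getRemoteUser() only reflects the framework's security context when the request has been wrapped by the framework's request wrapper; otherwise it reports container-managed authentication.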
| Constructor and Description |
|---|
| HttpSessionReuseDetectionFilter() |
| Modifier and Type | Method and Description |
|---|---|
| void | afterPropertiesSet() |
| void | destroy() |
| void | doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) |
| String | getFilterProcessesUrl() |
| String | getSessionReuseDetectedUrl() |
| void | init(javax.servlet.FilterConfig filterConfig) |
| void | setFilterProcessesUrl(String filterProcessesUrl) |
| void | setSessionReuseDetectedUrl(String sessionReuseDetectedUrl) |
init

public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException

Specified by: init in interface javax.servlet.Filter
Throws: javax.servlet.ServletException

doFilter

public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException

Specified by: doFilter in interface javax.servlet.Filter
Throws: IOException, javax.servlet.ServletException

destroy

public void destroy()

Specified by: destroy in interface javax.servlet.Filter

afterPropertiesSet

public void afterPropertiesSet() throws Exception

Specified by: afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Throws: Exception

getFilterProcessesUrl

public String getFilterProcessesUrl()

setFilterProcessesUrl

public void setFilterProcessesUrl(String filterProcessesUrl)

getSessionReuseDetectedUrl

public String getSessionReuseDetectedUrl()

setSessionReuseDetectedUrl

public void setSessionReuseDetectedUrl(String sessionReuseDetectedUrl)