org.pentaho.platform.web.http.security
Class HttpSessionReuseDetectionFilter
java.lang.Object
org.pentaho.platform.web.http.security.HttpSessionReuseDetectionFilter
public class HttpSessionReuseDetectionFilter extends Object
Detects when an HTTP session which contains a logged-in user (as indicated by request.getRemoteUser()) is attempting to authenticate again without logging out. Upon detecting this condition, the session is invalidated, the security context is cleared, and the user is redirected to sessionReuseDetectedUrl. This prevents reuse of an HTTP session which contains potentially sensitive, user-specific data.
To use: Insert after httpSessionContextIntegrationFilter but before authenticationProcessingFilter.
Note: Some code copied from AbstractProcessingFilter.
- Author:
- mlowery
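The behaviour described above, sketched as a standalone servlet filter. This is an added example, not Pentaho's source: the class name, the default URL values, the URL-matching rule and the Spring Security 2.x import are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
// Assumption: Spring Security 2.x package name; adjust the import to the version in use.
import org.springframework.security.context.SecurityContextHolder;

// Added sketch, not the Pentaho implementation. Class name is hypothetical.
public class SessionReuseSketchFilter implements Filter {
    private String filterProcessesUrl = "/j_spring_security_check"; // login-processing path (assumed)
    private String sessionReuseDetectedUrl = "/session-reuse";      // constructed placeholder

    public void init(FilterConfig filterConfig) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only login submissions matter here; every other request passes through.
        if (isLoginAttempt(request) && request.getRemoteUser() != null) {
            // Discard the previous user's session state before anything can read it.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            SecurityContextHolder.clearContext();
            // Redirect and stop: the authentication filter never sees this request.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + sessionReuseDetectedUrl));
            return;
        }
        chain.doFilter(request, response);
    }

    // Compares the request URI with filterProcessesUrl, ignoring ";jsessionid=..." path parameters.
    boolean isLoginAttempt(HttpServletRequest request) {
        String uri = request.getRequestURI();
        int pathParam = uri.indexOf(';');
        if (pathParam > 0) {
            uri = uri.substring(0, pathParam);
        }
        return uri.endsWith(request.getContextPath() + filterProcessesUrl);
    }

    public void setFilterProcessesUrl(String url) { this.filterProcessesUrl = url; }
    public void setSessionReuseDetectedUrl(String url) { this.sessionReuseDetectedUrl = url; }
}
```

The early return is the important part: because the chain is not invoked, the new credentials are never processed against the old session, which is why the filter has to sit before authenticationProcessingFilter.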
HttpSessionReuseDetectionFilter
public HttpSessionReuseDetectionFilter()
init
public void init(FilterConfig filterConfig)
throws ServletException
- Throws:
ServletException
doFilter
public void doFilter(ServletRequest request,
ServletResponse response,
FilterChain chain)
throws IOException,
ServletException
- Throws:
IOException
ServletException
destroy
public void destroy()
afterPropertiesSet
public void afterPropertiesSet()
throws Exception
- Throws:
Exception
getFilterProcessesUrl
public String getFilterProcessesUrl()
setFilterProcessesUrl
public void setFilterProcessesUrl(String filterProcessesUrl)
getSessionReuseDetectedUrl
public String getSessionReuseDetectedUrl()
setSessionReuseDetectedUrl
public void setSessionReuseDetectedUrl(String sessionReuseDetectedUrl)