org.pentaho.platform.web.http.security
Class HttpSessionReuseDetectionFilter
java.lang.Object
org.pentaho.platform.web.http.security.HttpSessionReuseDetectionFilter
- All Implemented Interfaces:
  javax.servlet.Filter, org.springframework.beans.factory.InitializingBean

public class HttpSessionReuseDetectionFilter
extends Object
implements javax.servlet.Filter, org.springframework.beans.factory.InitializingBean
Detects when an HTTP session that already contains a logged-in user (as indicated by a non-null request.getRemoteUser()) is used to authenticate again without an intervening logout. When this condition is detected, the filter invalidates the session, clears the security context, and redirects the user to sessionReuseDetectedUrl. This prevents a second authentication from reusing an HTTP session that still holds potentially sensitive, user-specific data belonging to the first user.

To use: insert the filter after httpSessionContextIntegrationFilter, so that the security context (and hence getRemoteUser()) has been populated before this filter runs, but before authenticationProcessingFilter, so that the old session is discarded before the new authentication attempt is processed. Placed too early in the chain, getRemoteUser() is still null and the check never fires; placed too late, the new login has already been bound to the old session.

Note: Some code copied from AbstractProcessingFilter (which is also where the filterProcessesUrl property originates).
- Author:
- mlowery
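The behaviour described above, as an added illustrative example written for this page; it is not Pentaho's source for HttpSessionReuseDetectionFilter, and the InitializingBean side is omitted. It assumes the Servlet API, Spring Security's SecurityContextHolder, and (for the main() demonstration only) the spring-test 4+ mock servlet objects. The login URL /j_spring_security_check, the redirect target /Login?sessionReuse=true, the context path /pentaho, the user name and the session attribute are all constructed values, and the URL matching is a simplified version of what AbstractProcessingFilter.requiresAuthentication() does:

```java
// Added example: an illustrative reconstruction of the filter's behaviour, not Pentaho's source.
// Assumed dependencies: javax.servlet-api, spring-security-core (SecurityContextHolder)
// and, for the main() demonstration only, spring-test 4+ mock servlet objects.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.core.context.SecurityContextHolder;

public class SessionReuseDetectionExample implements Filter {

  // Assumed values; in the real filter both are injected through the setters on this page.
  private String filterProcessesUrl = "/j_spring_security_check";
  private String sessionReuseDetectedUrl = "/Login?sessionReuse=true";

  public void init(FilterConfig filterConfig) throws ServletException { }

  public void destroy() { }

  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    // A login attempt on a request that already carries a remote user means the
    // session is being reused for a second authentication without a logout.
    if (isLoginAttempt(request) && request.getRemoteUser() != null) {
      HttpSession session = request.getSession(false);
      if (session != null) {
        session.invalidate(); // drop the first user's session state
      }
      SecurityContextHolder.clearContext(); // drop the first user's Authentication
      response.sendRedirect(response.encodeRedirectURL(
          request.getContextPath() + sessionReuseDetectedUrl));
      return; // the second login attempt is NOT passed down the chain
    }
    chain.doFilter(request, response);
  }

  // Simplified form of the URL matching AbstractProcessingFilter does in
  // requiresAuthentication(): compare the request URI, minus the context path
  // and any ";jsessionid=..." suffix, with filterProcessesUrl.
  private boolean isLoginAttempt(HttpServletRequest request) {
    String uri = request.getRequestURI();
    int semicolon = uri.indexOf(';');
    if (semicolon >= 0) {
      uri = uri.substring(0, semicolon);
    }
    String contextPath = request.getContextPath();
    if (!uri.startsWith(contextPath)) {
      return false;
    }
    return uri.substring(contextPath.length()).equals(filterProcessesUrl);
  }

  // Demonstration with constructed requests (spring-test mocks).
  public static void main(String[] args) throws Exception {
    SessionReuseDetectionExample filter = new SessionReuseDetectionExample();

    // Case 1: an anonymous login attempt is passed through to the chain untouched.
    MockHttpServletRequest anon =
        new MockHttpServletRequest("POST", "/pentaho/j_spring_security_check");
    anon.setContextPath("/pentaho");
    MockFilterChain anonChain = new MockFilterChain();
    filter.doFilter(anon, new MockHttpServletResponse(), anonChain);
    System.out.println("anonymous login reached the chain: " + (anonChain.getRequest() != null));

    // Case 2: a session that already belongs to "alice" (constructed remote user plus a
    // stale user-specific attribute) posts to the login URL again, with a ;jsessionid suffix.
    MockHttpServletRequest reuse = new MockHttpServletRequest(
        "POST", "/pentaho/j_spring_security_check;jsessionid=0123456789ABCDEF");
    reuse.setContextPath("/pentaho");
    reuse.setRemoteUser("alice");
    reuse.getSession(true).setAttribute("last-report", "alice's private report");
    MockHttpServletResponse reuseResponse = new MockHttpServletResponse();
    MockFilterChain reuseChain = new MockFilterChain();
    filter.doFilter(reuse, reuseResponse, reuseChain);
    System.out.println("second login reached the chain: " + (reuseChain.getRequest() != null));
    System.out.println("old session still present: " + (reuse.getSession(false) != null));
    System.out.println("redirected to: " + reuseResponse.getRedirectedUrl());
  }
}
```

The first case shows the normal path: with no remote user the filter is transparent and the login reaches the downstream chain. The second case shows the detection path: the session that still carries the first user's attribute is invalidated, the chain is not invoked, and the client is sent to sessionReuseDetectedUrl. Note that the check depends entirely on getRemoteUser() being non-null, which is why the filter must sit after the filter that restores the security context for the request.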
HttpSessionReuseDetectionFilter
public HttpSessionReuseDetectionFilter()
init
public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
- Specified by: init in interface javax.servlet.Filter
- Throws: javax.servlet.ServletException
doFilter
public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
Runs the session-reuse check described in the class description. When no reuse is detected, the request is passed on to the rest of the filter chain.
- Specified by: doFilter in interface javax.servlet.Filter
- Throws: IOException, javax.servlet.ServletException
destroy
public void destroy()
- Specified by: destroy in interface javax.servlet.Filter
afterPropertiesSet
public void afterPropertiesSet() throws Exception
- Specified by: afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
- Throws: Exception
getFilterProcessesUrl
public String getFilterProcessesUrl()
Returns the URL on which authentication attempts are processed; this corresponds to the authentication processing filter's filterProcessesUrl, and a request to it from a session that already has a remote user is what triggers the check.

setFilterProcessesUrl
public void setFilterProcessesUrl(String filterProcessesUrl)
Sets the URL on which authentication attempts are processed.

getSessionReuseDetectedUrl
public String getSessionReuseDetectedUrl()
Returns the URL to which the user is redirected after session reuse is detected.

setSessionReuseDetectedUrl
public void setSessionReuseDetectedUrl(String sessionReuseDetectedUrl)
Sets the URL to which the user is redirected after session reuse is detected; by the time the user arrives there the old session has already been invalidated.