Class HttpSessionReuseDetectionFilter

- java.lang.Object
  - org.pentaho.platform.web.http.security.HttpSessionReuseDetectionFilter

All Implemented Interfaces:
  javax.servlet.Filter, org.springframework.beans.factory.InitializingBean

public class HttpSessionReuseDetectionFilter extends Object implements javax.servlet.Filter, org.springframework.beans.factory.InitializingBean
Detects when an HTTP session that already contains a logged-in user (as indicated by request.getRemoteUser()) is used to attempt authentication again without an intervening logout. Upon detecting this condition, the session is invalidated, the security context is cleared, and the user is redirected to sessionReuseDetectedUrl. This prevents a second login from reusing an HTTP session that may already hold sensitive, user-specific data belonging to the first principal.

To use: insert after httpSessionContextIntegrationFilter but before authenticationProcessingFilter. The position matters: the filter must run after the security context has been restored from the session (so that request.getRemoteUser() reflects the session's current user) and before the login request is processed.

Note: Some code copied from AbstractProcessingFilter.

Author:
  mlowery
Constructor Summary

  HttpSessionReuseDetectionFilter()
Method Summary

  Modifier and Type   Method and Description
  void                afterPropertiesSet()
  void                destroy()
  void                doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
  String              getFilterProcessesUrl()
  String              getSessionReuseDetectedUrl()
  void                init(javax.servlet.FilterConfig filterConfig)
  protected boolean   requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
                      Indicates whether this filter should attempt to process a login request for the current invocation.
  void                setFilterProcessesUrl(String filterProcessesUrl)
  void                setSessionReuseDetectedUrl(String sessionReuseDetectedUrl)
Method Detail

init

public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException

- Specified by:
  init in interface javax.servlet.Filter
- Throws:
  javax.servlet.ServletException

doFilter

public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException

- Specified by:
  doFilter in interface javax.servlet.Filter
- Throws:
  IOException
  javax.servlet.ServletException

destroy

public void destroy()

- Specified by:
  destroy in interface javax.servlet.Filter

afterPropertiesSet

public void afterPropertiesSet() throws Exception

- Specified by:
  afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
- Throws:
  Exception
requiresAuthentication

protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)

Indicates whether this filter should attempt to process a login request for the current invocation.

It strips any path parameters from the "path" section of the request URL (such as the jsessionid parameter in http://host/myapp/index.html;jsessionid=blah) before matching against the filterProcessesUrl property, so a login request carrying a URL-encoded session id is still recognised. Subclasses may override for special requirements, such as Tapestry integration.

- Parameters:
  request - as received from the filter chain
  response - as received from the filter chain
- Returns:
  true if the filter should attempt authentication, false otherwise
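The following is an added illustrative implementation, not Pentaho's own source, showing how the behaviour described in the class summary and in requiresAuthentication fit together: a login request arriving on a session that already has a remote user causes the session to be invalidated, the security context to be cleared and the client to be redirected to a fixed server-side URL, and the login URL is matched only after path parameters such as ;jsessionid=... are stripped. It assumes the javax.servlet API and Spring Security's SecurityContextHolder; the class name SessionReuseGuardFilter and the default property values are placeholders.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Illustrative filter (example code, not Pentaho's HttpSessionReuseDetectionFilter)
 * that rejects a login attempt arriving on a session that already has a principal.
 * Chain position: after the filter that restores the security context from the
 * session, before the filter that processes the login form.
 */
public class SessionReuseGuardFilter implements Filter, InitializingBean {

    // Placeholder defaults; the real filter exposes equivalents as bean properties.
    private String filterProcessesUrl = "/j_spring_security_check";
    private String sessionReuseDetectedUrl = "/session-reuse-detected";

    public void setFilterProcessesUrl(String url) { this.filterProcessesUrl = url; }
    public void setSessionReuseDetectedUrl(String url) { this.sessionReuseDetectedUrl = url; }

    /** Fail fast on a misconfigured bean instead of silently never redirecting. */
    @Override
    public void afterPropertiesSet() {
        if (filterProcessesUrl == null || !filterProcessesUrl.startsWith("/")) {
            throw new IllegalArgumentException("filterProcessesUrl must be a context-relative path");
        }
        if (sessionReuseDetectedUrl == null || !sessionReuseDetectedUrl.startsWith("/")) {
            throw new IllegalArgumentException("sessionReuseDetectedUrl must be a context-relative path");
        }
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only a login request from a session that already has a user is suspicious.
        if (requiresAuthentication(request, response) && request.getRemoteUser() != null) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();              // discard the first principal's session data
            }
            SecurityContextHolder.clearContext();  // drop the Authentication bound to this thread
            // The target is fixed server-side configuration, never read from the request.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + sessionReuseDetectedUrl));
            return;                                // the login request does not continue down the chain
        }
        chain.doFilter(request, response);
    }

    /**
     * Suffix-matches the request URI against filterProcessesUrl after removing path
     * parameters, e.g. "/app/login;jsessionid=abc" is compared as "/app/login".
     */
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String uri = stripPathParameters(request.getRequestURI());
        String contextPath = request.getContextPath();
        return uri.endsWith("".equals(contextPath) ? filterProcessesUrl : contextPath + filterProcessesUrl);
    }

    /** Removes everything from the first ';' onward, which is where servlet path parameters live. */
    static String stripPathParameters(String uri) {
        int semicolon = uri.indexOf(';');
        return semicolon == -1 ? uri : uri.substring(0, semicolon);
    }
}
```

Two points worth checking when wiring a filter like this: request.getRemoteUser() only returns a value if an earlier filter (or the container) has attached the principal to the request, which is why the chain position given in the class summary matters; and the redirect target comes from the bean property alone, so a request cannot steer where a detected reuse is sent.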
getFilterProcessesUrl

public String getFilterProcessesUrl()

setFilterProcessesUrl

public void setFilterProcessesUrl(String filterProcessesUrl)

getSessionReuseDetectedUrl

public String getSessionReuseDetectedUrl()

setSessionReuseDetectedUrl

public void setSessionReuseDetectedUrl(String sessionReuseDetectedUrl)