public class HttpSessionReuseDetectionFilter extends Object implements javax.servlet.Filter, org.springframework.beans.factory.InitializingBean

Detects when a user (as identified by request.getRemoteUser()) is attempting to authenticate again without logging out. Upon detecting this condition, the session is invalidated, the security context is cleared, and the user is redirected to sessionReuseDetectedUrl. This prevents reuse of an HTTP session which contains potentially sensitive, user-specific data.

To use: insert after httpSessionContextIntegrationFilter but before authenticationProcessingFilter.

Note: Some code copied from AbstractProcessingFilter.
| Constructor and Description |
|---|
| HttpSessionReuseDetectionFilter() |

| Modifier and Type | Method and Description |
|---|---|
| void | afterPropertiesSet() |
| void | destroy() |
| void | doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) |
| String | getFilterProcessesUrl() |
| String | getSessionReuseDetectedUrl() |
| void | init(javax.servlet.FilterConfig filterConfig) |
| protected boolean | requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Indicates whether this filter should attempt to process a login request for the current invocation. |
| void | setFilterProcessesUrl(String filterProcessesUrl) |
| void | setSessionReuseDetectedUrl(String sessionReuseDetectedUrl) |
public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException

Specified by: init in interface javax.servlet.Filter
Throws: javax.servlet.ServletException

public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException

Specified by: doFilter in interface javax.servlet.Filter
Throws: IOException, javax.servlet.ServletException

public void destroy()

Specified by: destroy in interface javax.servlet.Filter

public void afterPropertiesSet() throws Exception

Specified by: afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Throws: Exception

protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)

Indicates whether this filter should attempt to process a login request for the current invocation. It strips any parameters from the "path" section of the request URL (such as the jsessionid parameter in http://host/myapp/index.html;jsessionid=blah) before matching against the filterProcessesUrl property.

Subclasses may override for special requirements, such as Tapestry integration.

Parameters: request - as received from the filter chain; response - as received from the filter chain
Returns: true if the filter should attempt authentication, false otherwise

public String getFilterProcessesUrl()

public void setFilterProcessesUrl(String filterProcessesUrl)

public String getSessionReuseDetectedUrl()

public void setSessionReuseDetectedUrl(String sessionReuseDetectedUrl)
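The behaviour specified by the class description and by the requiresAuthentication contract, written here as an added example and not as Pentaho's own code: the filter short-circuits a login submission when a principal is already bound to the request, invalidates the session, clears the security context and redirects, and it strips path parameters such as ;jsessionid=... before comparing the request URI against filterProcessesUrl. The class name SessionReuseGuardFilter, the default URL values, and the use of Spring Security's SecurityContextHolder.clearContext() and Spring's Assert helper are assumptions; the filter is assumed to be registered in the chain position the documentation above prescribes (after the session-context integration filter, before the authentication processing filter).

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;

/**
 * Added example (not the Pentaho implementation): refuses to let an
 * already-authenticated principal log in again on the same HTTP session.
 */
public class SessionReuseGuardFilter implements Filter, InitializingBean {

    // Assumed defaults; real deployments inject these through the setters.
    private String filterProcessesUrl = "/j_spring_security_check";
    private String sessionReuseDetectedUrl = "/Login?sessionReuse=true";

    @Override
    public void afterPropertiesSet() throws Exception {
        // Fail at startup rather than on the first login request.
        Assert.hasLength(filterProcessesUrl, "filterProcessesUrl must be specified");
        Assert.hasLength(sessionReuseDetectedUrl, "sessionReuseDetectedUrl must be specified");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only login submissions are of interest; everything else passes through.
        if (requiresAuthentication(request) && request.getRemoteUser() != null) {
            // A principal is already bound to this request, so the user is
            // re-authenticating without having logged out. Drop the old session so
            // none of its user-specific state survives into the new login.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            SecurityContextHolder.clearContext();
            response.sendRedirect(request.getContextPath() + sessionReuseDetectedUrl);
            return; // the login request is not passed further down the chain
        }
        chain.doFilter(request, response);
    }

    /**
     * True when the request targets the login URL. Path parameters such as
     * ";jsessionid=..." are removed before matching, mirroring the documented
     * contract of requiresAuthentication.
     */
    protected boolean requiresAuthentication(HttpServletRequest request) {
        String path = stripPathParameters(request.getRequestURI());
        return path.equals(request.getContextPath() + filterProcessesUrl);
    }

    /** "/myapp/index.html;jsessionid=blah" becomes "/myapp/index.html". */
    static String stripPathParameters(String uri) {
        int semicolon = uri.indexOf(';');
        return semicolon < 0 ? uri : uri.substring(0, semicolon);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Configuration comes from Spring property injection, not web.xml.
    }

    @Override
    public void destroy() {
    }

    public void setFilterProcessesUrl(String filterProcessesUrl) {
        this.filterProcessesUrl = filterProcessesUrl;
    }

    public void setSessionReuseDetectedUrl(String sessionReuseDetectedUrl) {
        this.sessionReuseDetectedUrl = sessionReuseDetectedUrl;
    }
}
```

Because the redirect is sent before chain.doFilter, the downstream authentication processing filter never binds the new credentials to the stale session; the ordering stated in the class description is what makes the session-context integration filter restore the old principal first, which is the signal this check relies on.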
Copyright © 2020 Hitachi Vantara. All rights reserved.