Class HttpSessionReuseDetectionFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.InitializingBean

    public class HttpSessionReuseDetectionFilter
    extends Object
    implements javax.servlet.Filter, org.springframework.beans.factory.InitializingBean
    Detects a login request (one matching filterProcessesUrl) that arrives on an HTTP session which already holds a logged-in user (as indicated by a non-null request.getRemoteUser()) without an intervening logout. Upon detecting this condition, the session is invalidated, the security context is cleared, and the user is redirected to sessionReuseDetectedUrl. This prevents the second login from inheriting an HTTP session which contains potentially sensitive, user-specific data belonging to the first user.

    To use: Insert after httpSessionContextIntegrationFilter but before authenticationProcessingFilter, so that the existing security context has already been restored from the session (making request.getRemoteUser() meaningful) while the new login request has not yet been processed.

    Note: Some code copied from AbstractProcessingFilter.

    Author:
    mlowery
    • Constructor Detail

      • HttpSessionReuseDetectionFilter

        public HttpSessionReuseDetectionFilter()
    • Method Detail

      • init

        public void init​(javax.servlet.FilterConfig filterConfig)
                  throws javax.servlet.ServletException
        Specified by:
        init in interface javax.servlet.Filter
        Throws:
        javax.servlet.ServletException
      • doFilter

        public void doFilter​(javax.servlet.ServletRequest request,
                             javax.servlet.ServletResponse response,
                             javax.servlet.FilterChain chain)
                      throws IOException,
                             javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        IOException
        javax.servlet.ServletException
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter
      • afterPropertiesSet

        public void afterPropertiesSet()
                                throws Exception
        Specified by:
        afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
        Throws:
        Exception
      • requiresAuthentication

        protected boolean requiresAuthentication​(javax.servlet.http.HttpServletRequest request,
                                                 javax.servlet.http.HttpServletResponse response)

        Indicates whether this filter should attempt to process a login request for the current invocation.

        It strips any parameters from the "path" section of the request URL (such as the jsessionid parameter in http://host/myapp/index.html;jsessionid=blah) before matching against the filterProcessesUrl property.

        Subclasses may override for special requirements, such as Tapestry integration.

        Parameters:
        request - as received from the filter chain
        response - as received from the filter chain
        Returns:
        true if the filter should attempt authentication, false otherwise
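
        The following is an added illustration of the behaviour described in the class description and in requiresAuthentication above; it is example code written for this page, not the project's own implementation. The class name SessionReuseDetectionExampleFilter, the default values of the two URL properties, and the Spring Security 3.x+ package for SecurityContextHolder are assumptions (the original, Acegi-era code would use org.acegisecurity.context.SecurityContextHolder). The path-parameter stripping follows the AbstractProcessingFilter logic the Javadoc refers to.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumption: Spring Security 3.x+ package. Under Acegi the equivalent class is
// org.acegisecurity.context.SecurityContextHolder.
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Example (not the project's code) of the session-reuse check: a request to the
 * login-processing URL from a session that already carries a logged-in user is
 * treated as session reuse. Must sit after the filter that restores the security
 * context from the session and before the filter that processes the login.
 */
public class SessionReuseDetectionExampleFilter implements Filter {

    // Assumed defaults; in the real filter both are injected via the setters.
    private String filterProcessesUrl = "/j_spring_security_check";
    private String sessionReuseDetectedUrl = "/Login?sessionReuse=true";

    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to do: properties are set by the Spring container.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);   // not HTTP: nothing to check
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only a login attempt by an already authenticated principal is suspicious.
        if (request.getRemoteUser() != null && requiresAuthentication(request, response)) {
            HttpSession session = request.getSession(false);   // never create one here
            if (session != null) {
                session.invalidate();            // discard the first user's attributes
            }
            SecurityContextHolder.clearContext(); // discard the first user's Authentication
            response.sendRedirect(request.getContextPath() + sessionReuseDetectedUrl);
            return;                               // do not let the login proceed on this session
        }
        chain.doFilter(request, response);
    }

    /** True if the request targets filterProcessesUrl, ignoring ";jsessionid=..." path parameters. */
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String uri = request.getRequestURI();
        int pathParamIndex = uri.indexOf(';');
        if (pathParamIndex > 0) {
            uri = uri.substring(0, pathParamIndex);   // e.g. /myapp/login;jsessionid=abc -> /myapp/login
        }
        if ("".equals(request.getContextPath())) {
            return uri.endsWith(filterProcessesUrl);
        }
        return uri.endsWith(request.getContextPath() + filterProcessesUrl);
    }

    public void destroy() {
        // Nothing to release.
    }

    public void setFilterProcessesUrl(String filterProcessesUrl) {
        this.filterProcessesUrl = filterProcessesUrl;
    }

    public void setSessionReuseDetectedUrl(String sessionReuseDetectedUrl) {
        this.sessionReuseDetectedUrl = sessionReuseDetectedUrl;
    }
}
```

        Two details matter for the security property: the filter returns immediately after the redirect rather than continuing the chain, so the pending login never executes against the old session, and it uses getSession(false) so that the check itself never creates a session. Stripping the ";jsessionid" path parameter before matching is what keeps the check from being bypassed by a URL-rewritten login request.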
      • getFilterProcessesUrl

        public String getFilterProcessesUrl()
      • setFilterProcessesUrl

        public void setFilterProcessesUrl​(String filterProcessesUrl)
        Parameters:
        filterProcessesUrl - the login-processing URL; a request to this URL while request.getRemoteUser() is non-null is treated as session reuse
      • getSessionReuseDetectedUrl

        public String getSessionReuseDetectedUrl()
      • setSessionReuseDetectedUrl

        public void setSessionReuseDetectedUrl​(String sessionReuseDetectedUrl)
        Parameters:
        sessionReuseDetectedUrl - the URL to which the user is redirected after the session has been invalidated and the security context cleared