org.acegisecurity.context
Class HttpSessionContextIntegrationFilter

java.lang.Object
  extended by org.acegisecurity.context.HttpSessionContextIntegrationFilter
All Implemented Interfaces:
javax.servlet.Filter, org.springframework.beans.factory.InitializingBean

public class HttpSessionContextIntegrationFilter
extends Object
implements org.springframework.beans.factory.InitializingBean, javax.servlet.Filter

Populates the SecurityContextHolder with information obtained from the HttpSession.

The HttpSession will be queried to retrieve the SecurityContext that should be stored against the SecurityContextHolder for the duration of the web request. At the end of the web request, any updates made to the SecurityContextHolder will be persisted back to the HttpSession by this filter.

If a valid SecurityContext cannot be obtained from the HttpSession for whatever reason, a fresh SecurityContext will be created and used instead. The created object will be an instance of the class defined by the setContext(Class) method (which defaults to SecurityContextImpl).

No HttpSession will be created by this filter if one does not already exist. If at the end of the web request the HttpSession does not exist, an HttpSession will only be created if the current contents of the SecurityContextHolder are not equal, per Object.equals(java.lang.Object), to a new instance of the class set via setContext(Class). This avoids needless HttpSession creation, but automates the storage of changes made to the SecurityContextHolder. There is one exception to this rule: if the forceEagerSessionCreation property is true, sessions will always be created irrespective of normal session-minimisation logic (the default is false, as this is resource intensive and not recommended).

This filter will only execute once per request, to resolve servlet container (specifically WebLogic) incompatibilities.

If for whatever reason no HttpSession should ever be created (eg this filter is only being used with Basic authentication or similar clients that will never present the same jsessionid etc), allowSessionCreation should be set to false via setAllowSessionCreation(boolean). Only do this if you really need to conserve server memory, and ensure all classes using the SecurityContextHolder are designed to have no persistence of the SecurityContext between web requests. Please note that if forceEagerSessionCreation is true, allowSessionCreation must also be true (setting it to false will cause a startup-time error).
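The session-creation rules from the preceding paragraphs, written out as a small stand-alone model. This is an added example, not Acegi's source code: the class SessionCreationModel, the Ctx stand-in for a SecurityContext, the helper names and the exception type are all assumptions made for illustration.

```java
import java.util.Objects;

// Added model of the session rules described above; not Acegi's source code.
public class SessionCreationModel {
    // Hypothetical stand-in for a SecurityContext holding one value.
    static final class Ctx {
        final String authentication;
        Ctx(String authentication) { this.authentication = authentication; }
        @Override public boolean equals(Object o) {
            return o instanceof Ctx && Objects.equals(authentication, ((Ctx) o).authentication);
        }
        @Override public int hashCode() { return Objects.hashCode(authentication); }
    }

    // Startup check; the exception type is an assumption (the page only says "startup time error").
    static void validate(boolean forceEager, boolean allowCreation) {
        if (forceEager && !allowCreation) {
            throw new IllegalArgumentException("forceEagerSessionCreation requires allowSessionCreation");
        }
    }

    // Start of request: only eager mode creates a session that does not exist yet.
    static boolean createAtStart(boolean sessionExists, boolean forceEager) {
        return !sessionExists && forceEager;
    }

    // End of request: create a session only if the context differs from a fresh one.
    static boolean createAtEnd(boolean sessionExists, boolean allowCreation, Ctx current) {
        if (sessionExists || !allowCreation) return false;
        return !current.equals(new Ctx(null));
    }

    public static void main(String[] args) {
        Ctx untouched = new Ctx(null);     // constructed sample
        Ctx populated = new Ctx("alice");  // constructed sample
        validate(false, true);
        System.out.println("untouched context, defaults: " + createAtEnd(false, true, untouched));
        System.out.println("populated context, defaults: " + createAtEnd(false, true, populated));
        System.out.println("populated, creation disabled: " + createAtEnd(false, false, populated));
        System.out.println("eager creation at start:      " + createAtStart(false, true));
        try {
            validate(true, false);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected at startup: " + e.getMessage());
        }
    }
}
```

With allowSessionCreation set to false, a populated context is dropped at the end of the request, which is why every consumer of the SecurityContextHolder must tolerate re-authentication on each request in that mode.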

This filter MUST be executed BEFORE any authentication processing mechanisms. Authentication processing mechanisms (eg BASIC, CAS processing filters etc) expect the SecurityContextHolder to contain a valid SecurityContext by the time they execute.

Version:
$Id: HttpSessionContextIntegrationFilter.java 2004 2007-09-01 14:43:09Z raykrueger $
Author:
Ben Alex, Patrick Burleson, Luke Taylor, Martin Algesten

Field Summary
static String ACEGI_SECURITY_CONTEXT_KEY
protected static org.apache.commons.logging.Log logger

Constructor Summary
HttpSessionContextIntegrationFilter()

Method Summary
 void afterPropertiesSet()
 void destroy()
          Does nothing.
 void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain)
 SecurityContext generateNewContext()
 Class getContext()
 void init(javax.servlet.FilterConfig filterConfig)
          Does nothing.
 boolean isAllowSessionCreation()
 boolean isCloneFromHttpSession()
 boolean isForceEagerSessionCreation()
 void setAllowSessionCreation(boolean allowSessionCreation)
 void setCloneFromHttpSession(boolean cloneFromHttpSession)
 void setContext(Class secureContext)
 void setForceEagerSessionCreation(boolean forceEagerSessionCreation)

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

protected static final org.apache.commons.logging.Log logger

ACEGI_SECURITY_CONTEXT_KEY

public static final String ACEGI_SECURITY_CONTEXT_KEY
See Also:
Constant Field Values

Constructor Detail

HttpSessionContextIntegrationFilter

public HttpSessionContextIntegrationFilter()
                                    throws javax.servlet.ServletException
Throws:
javax.servlet.ServletException

Method Detail

isCloneFromHttpSession

public boolean isCloneFromHttpSession()

setCloneFromHttpSession

public void setCloneFromHttpSession(boolean cloneFromHttpSession)

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception
Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Throws:
Exception

doFilter

public void doFilter(javax.servlet.ServletRequest req,
                     javax.servlet.ServletResponse res,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
Specified by:
doFilter in interface javax.servlet.Filter
Throws:
IOException
javax.servlet.ServletException

generateNewContext

public SecurityContext generateNewContext()
                                   throws javax.servlet.ServletException
Throws:
javax.servlet.ServletException

init

public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException
Does nothing. We use IoC container lifecycle services instead.

Specified by:
init in interface javax.servlet.Filter
Parameters:
filterConfig - ignored
Throws:
javax.servlet.ServletException - ignored

destroy

public void destroy()
Does nothing. We use IoC container lifecycle services instead.

Specified by:
destroy in interface javax.servlet.Filter

isAllowSessionCreation

public boolean isAllowSessionCreation()

setAllowSessionCreation

public void setAllowSessionCreation(boolean allowSessionCreation)

getContext

public Class getContext()

setContext

public void setContext(Class secureContext)

isForceEagerSessionCreation

public boolean isForceEagerSessionCreation()

setForceEagerSessionCreation

public void setForceEagerSessionCreation(boolean forceEagerSessionCreation)


Copyright © 2004-2011 Interface21, Inc. All Rights Reserved.