org.acegisecurity.context
Class HttpSessionContextIntegrationFilter
java.lang.Object
org.acegisecurity.context.HttpSessionContextIntegrationFilter
- All Implemented Interfaces:
- javax.servlet.Filter, org.springframework.beans.factory.InitializingBean
public class HttpSessionContextIntegrationFilter
- extends Object
- implements org.springframework.beans.factory.InitializingBean, javax.servlet.Filter
Populates the SecurityContextHolder with information obtained from the HttpSession.
The HttpSession will be queried to retrieve the SecurityContext that should be stored against the SecurityContextHolder for the duration of the web request. At the end of the web request, any updates made to the SecurityContextHolder will be persisted back to the HttpSession by this filter.
If a valid SecurityContext cannot be obtained from the HttpSession for whatever reason, a fresh SecurityContext will be created and used instead. The created object will be an instance of the class defined by the setContext(Class) method (which defaults to SecurityContextImpl).
No HttpSession will be created by this filter if one does not already exist. If the HttpSession does not exist at the end of the web request, an HttpSession will only be created if the current contents of the SecurityContextHolder are not equal (per Object.equals(java.lang.Object)) to a new instance of the class set via setContext(Class). This avoids needless HttpSession creation, but automates the storage of changes made to the SecurityContextHolder. There is one exception to this rule: if the forceEagerSessionCreation property is true, sessions will always be created irrespective of normal session-minimisation logic (the default is false, as this is resource intensive and not recommended).
This filter will only execute once per request, to resolve servlet container (specifically WebLogic) incompatibilities.
If for whatever reason no HttpSession should ever be created (e.g. this filter is only being used with Basic authentication or similar clients that will never present the same jsessionid), setAllowSessionCreation(boolean) should be set to false. Only do this if you really need to conserve server memory, and ensure all classes using the SecurityContextHolder are designed to have no persistence of the SecurityContext between web requests. Please note that if forceEagerSessionCreation is true, allowSessionCreation must also be true (setting it to false will cause a startup time error).
This filter MUST be executed BEFORE any authentication processing mechanisms. Authentication processing mechanisms (e.g. BASIC, CAS processing filters etc.) expect the SecurityContextHolder to contain a valid SecurityContext by the time they execute.
- Version:
- $Id: HttpSessionContextIntegrationFilter.java 2004 2007-09-01 14:43:09Z raykrueger $
- Author:
- Ben Alex, Patrick Burleson, Luke Taylor, Martin Algesten
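The session rules described above can be exercised outside a container. The following is an added example, not code from the Acegi project: it assumes the Acegi and Spring mock-web jars are on the classpath, and the class name SessionMinimisationDemo, the use of Spring's MockHttpServletRequest/MockHttpServletResponse and UsernamePasswordAuthenticationToken, and the principal "alice" are choices made for this illustration.

```java
import javax.servlet.FilterChain;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.acegisecurity.context.HttpSessionContextIntegrationFilter;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

public class SessionMinimisationDemo {
    // Stand-in for the filters and servlet that run after this filter.
    static FilterChain chain(final boolean authenticate) {
        return new FilterChain() {
            public void doFilter(ServletRequest req, ServletResponse res) {
                if (authenticate) { // constructed principal/credentials, illustration only
                    SecurityContextHolder.getContext().setAuthentication(
                            new UsernamePasswordAuthenticationToken("alice", "example-only"));
                }
            }
        };
    }

    // Sends one fresh request (no existing session) through the filter and
    // reports whether an HttpSession exists once the filter has finished.
    static boolean sessionCreated(HttpSessionContextIntegrationFilter filter, boolean authenticate)
            throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        filter.doFilter(request, new MockHttpServletResponse(), chain(authenticate));
        return request.getSession(false) != null;
    }

    public static void main(String[] args) throws Exception {
        HttpSessionContextIntegrationFilter filter = new HttpSessionContextIntegrationFilter();
        filter.afterPropertiesSet();
        System.out.println("untouched context        -> session: " + sessionCreated(filter, false));
        System.out.println("authenticated            -> session: " + sessionCreated(filter, true));

        filter.setAllowSessionCreation(false); // stateless mode, e.g. Basic authentication only
        System.out.println("stateless, authenticated -> session: " + sessionCreated(filter, true));

        // Invalid combination per the class description. Assumption: the startup
        // check runs in afterPropertiesSet(), the InitializingBean callback.
        filter.setForceEagerSessionCreation(true);
        try {
            filter.afterPropertiesSet();
            System.out.println("configuration accepted");
        } catch (Exception e) {
            System.out.println("rejected at startup: " + e.getMessage());
        }
    }
}
```

Per the class description, only the second request should end with a session, and the final configuration should be refused. A deployment that sets allowSessionCreation to false should confirm that nothing downstream relies on the SecurityContext surviving between requests.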
Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
logger
protected static final org.apache.commons.logging.Log logger
ACEGI_SECURITY_CONTEXT_KEY
public static final String ACEGI_SECURITY_CONTEXT_KEY
- See Also:
- Constant Field Values
HttpSessionContextIntegrationFilter
public HttpSessionContextIntegrationFilter()
throws javax.servlet.ServletException
- Throws:
javax.servlet.ServletException
isCloneFromHttpSession
public boolean isCloneFromHttpSession()
setCloneFromHttpSession
public void setCloneFromHttpSession(boolean cloneFromHttpSession)
afterPropertiesSet
public void afterPropertiesSet()
throws Exception
- Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
- Throws:
Exception
doFilter
public void doFilter(javax.servlet.ServletRequest req,
javax.servlet.ServletResponse res,
javax.servlet.FilterChain chain)
throws IOException,
javax.servlet.ServletException
- Specified by:
doFilter in interface javax.servlet.Filter
- Throws:
IOException
javax.servlet.ServletException
generateNewContext
public SecurityContext generateNewContext()
throws javax.servlet.ServletException
- Throws:
javax.servlet.ServletException
init
public void init(javax.servlet.FilterConfig filterConfig)
throws javax.servlet.ServletException
- Does nothing. We use IoC container lifecycle services instead.
- Specified by:
init in interface javax.servlet.Filter
- Parameters:
filterConfig - ignored
- Throws:
javax.servlet.ServletException - ignored
destroy
public void destroy()
- Does nothing. We use IoC container lifecycle services instead.
- Specified by:
destroy in interface javax.servlet.Filter
isAllowSessionCreation
public boolean isAllowSessionCreation()
setAllowSessionCreation
public void setAllowSessionCreation(boolean allowSessionCreation)
getContext
public Class getContext()
setContext
public void setContext(Class secureContext)
isForceEagerSessionCreation
public boolean isForceEagerSessionCreation()
setForceEagerSessionCreation
public void setForceEagerSessionCreation(boolean forceEagerSessionCreation)
Copyright © 2004-2011 Interface21, Inc. All Rights Reserved.