java.lang.Object | |
↳ | org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy |
Known Direct Subclasses |
The default implementation of SessionAuthenticationStrategy
.
Creates a new session for the newly authenticated user if they already have a session (as a defence against
session-fixation protection attacks), and copies their session attributes across to the new session.
The copying of the attributes can be disabled by setting migrateSessionAttributes
to false
(note that even in this case, internal Spring Security attributes will still be migrated to the new session).
This approach will only be effective if your servlet container always assigns a new session Id when a session is
invalidated and a new session created by calling getSession()
.
If concurrent session control is in use, then a SessionRegistry
must be injected.
HttpSessionBindingListener
The migration of existing attributes to the newly-created session may cause problems if any of the objects
implement the HttpSessionBindingListener
interface in a way which makes assumptions about the life-cycle of
the object. An example is the use of Spring session-scoped beans, where the initial removal of the bean from the
session will cause the DisposableBean
interface to be invoked, in the assumption that the bean is no longer
required.
We'd recommend that you take account of this when designing your application and do not store attributes which
may not function correctly when they are removed and then placed back in the session. Alternatively, you should
customize the SessionAuthenticationStrategy
to deal with the issue in an application-specific way.
Fields | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
logger |
Public Constructors | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Public Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Called when a user is newly authenticated.
| |||||||||||
Defines whether attributes should be migrated to a new session or not.
| |||||||||||
This method is deprecated.
Override the
extractAttributes method instead
|
Protected Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Called to extract the existing attributes from the session, prior to invalidating it.
| |||||||||||
Called when the session has been changed and the old attributes have been migrated to the new session.
|
[Expand]
Inherited Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
From class
java.lang.Object
| |||||||||||
From interface
org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
|
Called when a user is newly authenticated.
If a session already exists, and matches the session Id from the client, a new session will be created, and the
session attributes copied to it (if migrateSessionAttributes
is set).
The sessionRegistry will be updated with the new session information. If the client's requested session Id is
invalid, nothing will be done, since there is no need to change the session Id if it doesn't match the current
session.
If there is no session, no action is taken unless the alwaysCreateSession
property is set, in which
case a session will be created if one doesn't already exist.
Defines whether attributes should be migrated to a new session or not. Has no effect if you
override the extractAttributes
method.
Attributes used by Spring Security (to store cached requests, for example) will still be retained by default,
even if you set this value to false
.
migrateSessionAttributes | whether the attributes from the session should be transferred to the new, authenticated session. |
---|
This method is deprecated.
Override the extractAttributes
method instead
Called to extract the existing attributes from the session, prior to invalidating it. If
migrateAttributes
is set to false
, only Spring Security attributes will be retained.
All application attributes will be discarded.
You can override this method to control exactly what is transferred to the new session.
session | the session from which the attributes should be extracted |
---|
Called when the session has been changed and the old attributes have been migrated to the new session. Only called if a session existed to start with. Allows subclasses to plug in additional behaviour.
originalSessionId | the original session identifier |
---|---|
newSession | the newly created session |
auth | the token for the newly authenticated principal |