Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-06 10:42:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-299: Change ConcurrentSessionFilter to delegate to an array of LogoutHandlers rather than invalidating an expired session directly.

Browse Source
This commit is contained in:
Luke Taylor 2007-12-06 17:39:04 +00:00
parent cb980f12d5
commit 382dc50f3c
1 changed files with 27 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
core/src/main/java/org/springframework/security/concurrent/ConcurrentSessionFilter.java
View File

@ -15,9 +15,13 @@
package org.springframework.security.concurrent; package org.springframework.security.concurrent;
import org.springframework.beans.factory.InitializingBean; import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.ui.FilterChainOrderUtils; import org.springframework.security.ui.FilterChainOrderUtils;
import org.springframework.security.ui.SpringSecurityFilter; import org.springframework.security.ui.SpringSecurityFilter;
import org.springframework.security.ui.logout.LogoutHandler;
import org.springframework.security.ui.logout.SecurityContextLogoutHandler;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
@ -30,13 +34,15 @@ import java.io.IOException;
/** /**
* Filter required by concurrent session handling package. * Filter required by concurrent session handling package.
* <p>This filter performs two functions. First, it calls * <p>
* {@link org.springframework.security.concurrent.SessionRegistry#refreshLastRequest(String)} for each request. * This filter performs two functions. First, it calls
* That way, registered sessions always have a correct "last update" date/time. Second, it retrieves * {@link org.springframework.security.concurrent.SessionRegistry#refreshLastRequest(String)} for each request
* so that registered sessions always have a correct "last update" date/time. Second, it retrieves a
* {@link org.springframework.security.concurrent.SessionInformation} from the <code>SessionRegistry</code> * {@link org.springframework.security.concurrent.SessionInformation} from the <code>SessionRegistry</code>
* for each request and checks if the session has been marked as expired. * for each request and checks if the session has been marked as expired.
* If it has been marked as expired, the session is invalidated. The invalidation of the session will also cause the * If it has been marked as expired, the configured logout handlers will be called (as happens with
* request to redirect to the URL specified, and a * {@link org.springframework.security.ui.logout.LogoutFilter}), typically to invalidate the session.
* A redirect to the expiredURL specified will be performed, and the session invalidation will cause an
* {@link org.springframework.security.ui.session.HttpSessionDestroyedEvent} to be published via the * {@link org.springframework.security.ui.session.HttpSessionDestroyedEvent} to be published via the
* {@link org.springframework.security.ui.session.HttpSessionEventPublisher} registered in <code>web.xml</code>.</p> * {@link org.springframework.security.ui.session.HttpSessionEventPublisher} registered in <code>web.xml</code>.</p>
* *
@ -48,6 +54,7 @@ public class ConcurrentSessionFilter extends SpringSecurityFilter implements Ini
private SessionRegistry sessionRegistry; private SessionRegistry sessionRegistry;
private String expiredUrl; private String expiredUrl;
private LogoutHandler[] handlers = new LogoutHandler[] {new SecurityContextLogoutHandler()};
//~ Methods ======================================================================================================== //~ Methods ========================================================================================================
@ -66,7 +73,7 @@ public class ConcurrentSessionFilter extends SpringSecurityFilter implements Ini
if (info != null) { if (info != null) {
if (info.isExpired()) { if (info.isExpired()) {
// Expired - abort processing // Expired - abort processing
session.invalidate(); doLogout(request, response);
if (expiredUrl != null) { if (expiredUrl != null) {
String targetUrl = request.getContextPath() + expiredUrl; String targetUrl = request.getContextPath() + expiredUrl;
@ -88,6 +95,14 @@ public class ConcurrentSessionFilter extends SpringSecurityFilter implements Ini
chain.doFilter(request, response); chain.doFilter(request, response);
} }
private void doLogout(HttpServletRequest request, HttpServletResponse response) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
for (int i = 0; i < handlers.length; i++) {
handlers[i].logout(request, response, auth);
}
}
public void setExpiredUrl(String expiredUrl) { public void setExpiredUrl(String expiredUrl) {
this.expiredUrl = expiredUrl; this.expiredUrl = expiredUrl;
} }
@ -96,6 +111,11 @@ public class ConcurrentSessionFilter extends SpringSecurityFilter implements Ini
this.sessionRegistry = sessionRegistry; this.sessionRegistry = sessionRegistry;
} }
public void setLogoutHandlers(LogoutHandler[] handlers) {
Assert.notNull(handlers);
this.handlers = handlers;
}
public int getOrder() { public int getOrder() {
return FilterChainOrderUtils.CONCURRENT_SESSION_FILTER_ORDER; return FilterChainOrderUtils.CONCURRENT_SESSION_FILTER_ORDER;
} }