Configuration of session management strategies

This commit makes it possible to configure the AuthenticationFailureHandler
used by the SessionManagementFilter.

Fixes gh-3794
Marten Deinum 2016-04-20 10:01:03 +02:00 committed by Rob Winch
parent b88418b94a
commit 67c9f12964
1 changed files with 45 additions and 0 deletions


@ -33,6 +33,7 @@ import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.context.DelegatingApplicationListener; import org.springframework.security.context.DelegatingApplicationListener;
import org.springframework.security.core.session.SessionRegistry; import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl; import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler; import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy; import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
@ -108,6 +109,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
private boolean enableSessionUrlRewriting; private boolean enableSessionUrlRewriting;
private String invalidSessionUrl; private String invalidSessionUrl;
private String sessionAuthenticationErrorUrl; private String sessionAuthenticationErrorUrl;
private AuthenticationFailureHandler sessionAuthenticationFailureHandler;
/** /**
* Creates a new instance * Creates a new instance
@ -161,6 +163,22 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
return this; return this;
} }
/**
* Defines the {@code AuthenticationFailureHandler} which will be used when the
* SessionAuthenticationStrategy raises an exception. If not set, an unauthorized
* (402) error code will be returned to the client. Note that this attribute doesn't
* apply if the error occurs during a form-based login, where the URL for
* authentication failure will take precedence.
*
* @param sessionAuthenticationFailureHandler the handler to use
* @return the {@link SessionManagementConfigurer} for further customization
*/
public SessionManagementConfigurer<H> sessionAuthenticationFailureHandler(
AuthenticationFailureHandler sessionAuthenticationFailureHandler) {
this.sessionAuthenticationFailureHandler = sessionAuthenticationFailureHandler;
return this;
}
/** /**
* If set to true, allows HTTP sessions to be rewritten in the URLs when using * If set to true, allows HTTP sessions to be rewritten in the URLs when using
* {@link HttpServletResponse#encodeRedirectURL(String)} or * {@link HttpServletResponse#encodeRedirectURL(String)} or
@ -439,6 +457,10 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
if (strategy != null) { if (strategy != null) {
sessionManagementFilter.setInvalidSessionStrategy(strategy); sessionManagementFilter.setInvalidSessionStrategy(strategy);
} }
AuthenticationFailureHandler failureHandler = getSessionAuthenticationFailureHandler();
if (failureHandler != null) {
sessionManagementFilter.setAuthenticationFailureHandler(failureHandler);
}
AuthenticationTrustResolver trustResolver = http AuthenticationTrustResolver trustResolver = http
.getSharedObject(AuthenticationTrustResolver.class); .getSharedObject(AuthenticationTrustResolver.class);
if (trustResolver != null) { if (trustResolver != null) {
@ -473,6 +495,13 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
this.invalidSessionStrategy = new SimpleRedirectInvalidSessionStrategy( this.invalidSessionStrategy = new SimpleRedirectInvalidSessionStrategy(
this.invalidSessionUrl); this.invalidSessionUrl);
} }
if (this.invalidSessionUrl == null) {
return null;
}
if (this.invalidSessionStrategy == null) {
this.invalidSessionStrategy = new SimpleRedirectInvalidSessionStrategy(
this.invalidSessionUrl);
}
return this.invalidSessionStrategy; return this.invalidSessionStrategy;
} }
@ -492,6 +521,22 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
return this.expiredSessionStrategy; return this.expiredSessionStrategy;
} }
AuthenticationFailureHandler getSessionAuthenticationFailureHandler() {
if (this.sessionAuthenticationFailureHandler != null) {
return this.sessionAuthenticationFailureHandler;
}
if (this.sessionAuthenticationErrorUrl == null) {
return null;
}
if (this.sessionAuthenticationFailureHandler == null) {
this.sessionAuthenticationFailureHandler = new SimpleUrlAuthenticationFailureHandler(
this.sessionAuthenticationErrorUrl);
}
return this.sessionAuthenticationFailureHandler;
}
/** /**
* Gets the {@link SessionCreationPolicy}. Can not be null. * Gets the {@link SessionCreationPolicy}. Can not be null.
* @return the {@link SessionCreationPolicy} * @return the {@link SessionCreationPolicy}