Add createSessionAllowed property, which should be set to false to avoid unnecessary session creation.
parent
84a723d035
commit
f5741962ed
|
@ -12,7 +12,6 @@
|
||||||
* See the License for the specific language governing permissions and
|
* See the License for the specific language governing permissions and
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
package net.sf.acegisecurity.intercept.web;
|
package net.sf.acegisecurity.intercept.web;
|
||||||
|
|
||||||
import net.sf.acegisecurity.AccessDeniedException;
|
import net.sf.acegisecurity.AccessDeniedException;
|
||||||
|
@ -105,19 +104,13 @@ import javax.servlet.http.HttpServletResponse;
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public class SecurityEnforcementFilter implements Filter, InitializingBean {
|
public class SecurityEnforcementFilter implements Filter, InitializingBean {
|
||||||
//~ Static fields/initializers =============================================
|
|
||||||
|
|
||||||
private static final Log logger = LogFactory.getLog(SecurityEnforcementFilter.class);
|
private static final Log logger = LogFactory.getLog(SecurityEnforcementFilter.class);
|
||||||
public static final String ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY = "ACEGI_SECURITY_403_EXCEPTION";
|
public static final String ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY = "ACEGI_SECURITY_403_EXCEPTION";
|
||||||
|
|
||||||
//~ Instance fields ========================================================
|
|
||||||
|
|
||||||
private AuthenticationEntryPoint authenticationEntryPoint;
|
private AuthenticationEntryPoint authenticationEntryPoint;
|
||||||
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
|
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
|
||||||
private FilterSecurityInterceptor filterSecurityInterceptor;
|
private FilterSecurityInterceptor filterSecurityInterceptor;
|
||||||
private PortResolver portResolver = new PortResolverImpl();
|
private PortResolver portResolver = new PortResolverImpl();
|
||||||
|
private boolean createSessionAllowed = true;
|
||||||
//~ Methods ================================================================
|
|
||||||
|
|
||||||
public void setAuthenticationEntryPoint(
|
public void setAuthenticationEntryPoint(
|
||||||
AuthenticationEntryPoint authenticationEntryPoint) {
|
AuthenticationEntryPoint authenticationEntryPoint) {
|
||||||
|
@ -133,6 +126,27 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
|
||||||
this.authenticationTrustResolver = authenticationTrustResolver;
|
this.authenticationTrustResolver = authenticationTrustResolver;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* If <code>true</code>, indicates that <code>SecurityEnforcementFilter</code> is permitted
|
||||||
|
* to store the target URL and exception information in the <code>HttpSession</code> (the
|
||||||
|
* default). In situations where you do not wish to unnecessarily create <code>HttpSession</code>s
|
||||||
|
* - because the user agent will know the failed URL, such as with BASIC or Digest authentication
|
||||||
|
* - you may wish to set this property to <code>false</code>. Remember to also set the
|
||||||
|
* {@link net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter#allowSessionCreation}
|
||||||
|
* to <code>false</code> if you set this property to <code>false</code>.
|
||||||
|
*
|
||||||
|
* @return <code>true</code> if the <code>HttpSession</code> will be used to store information
|
||||||
|
* about the failed request, <code>false</code> if the <code>HttpSession</code> will not be
|
||||||
|
* used
|
||||||
|
*/
|
||||||
|
public boolean isCreateSessionAllowed() {
|
||||||
|
return createSessionAllowed;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setCreateSessionAllowed(boolean createSessionAllowed) {
|
||||||
|
this.createSessionAllowed = createSessionAllowed;
|
||||||
|
}
|
||||||
|
|
||||||
public AuthenticationTrustResolver getAuthenticationTrustResolver() {
|
public AuthenticationTrustResolver getAuthenticationTrustResolver() {
|
||||||
return authenticationTrustResolver;
|
return authenticationTrustResolver;
|
||||||
}
|
}
|
||||||
|
@ -164,7 +178,8 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
|
||||||
"authenticationTrustResolver must be specified");
|
"authenticationTrustResolver must be specified");
|
||||||
}
|
}
|
||||||
|
|
||||||
public void destroy() {}
|
public void destroy() {
|
||||||
|
}
|
||||||
|
|
||||||
public void doFilter(ServletRequest request, ServletResponse response,
|
public void doFilter(ServletRequest request, ServletResponse response,
|
||||||
FilterChain chain) throws IOException, ServletException {
|
FilterChain chain) throws IOException, ServletException {
|
||||||
|
@ -219,13 +234,17 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void init(FilterConfig filterConfig) throws ServletException {}
|
public void init(FilterConfig filterConfig) throws ServletException {
|
||||||
|
}
|
||||||
|
|
||||||
protected void sendAccessDeniedError(FilterInvocation fi,
|
protected void sendAccessDeniedError(FilterInvocation fi,
|
||||||
AccessDeniedException accessDenied)
|
AccessDeniedException accessDenied)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if (createSessionAllowed) {
|
||||||
((HttpServletRequest) fi.getRequest()).getSession().setAttribute(ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY,
|
((HttpServletRequest) fi.getRequest()).getSession().setAttribute(ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY,
|
||||||
accessDenied);
|
accessDenied);
|
||||||
|
}
|
||||||
|
|
||||||
((HttpServletResponse) fi.getResponse()).sendError(HttpServletResponse.SC_FORBIDDEN,
|
((HttpServletResponse) fi.getResponse()).sendError(HttpServletResponse.SC_FORBIDDEN,
|
||||||
accessDenied.getMessage()); // 403
|
accessDenied.getMessage()); // 403
|
||||||
}
|
}
|
||||||
|
@ -245,18 +264,21 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
|
||||||
includePort = false;
|
includePort = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
String targetUrl = request.getScheme() + "://"
|
String targetUrl = request.getScheme() + "://" +
|
||||||
+ request.getServerName() + ((includePort) ? (":" + port) : "")
|
request.getServerName() + ((includePort) ? (":" + port) : "") +
|
||||||
+ request.getContextPath() + fi.getRequestUrl();
|
request.getContextPath() + fi.getRequestUrl();
|
||||||
|
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug(
|
logger.debug(
|
||||||
"Authentication entry point being called; target URL added to Session: "
|
"Authentication entry point being called; target URL added to Session: " +
|
||||||
+ targetUrl);
|
targetUrl);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (createSessionAllowed) {
|
||||||
((HttpServletRequest) request).getSession().setAttribute(AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY,
|
((HttpServletRequest) request).getSession().setAttribute(AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY,
|
||||||
targetUrl);
|
targetUrl);
|
||||||
|
}
|
||||||
|
|
||||||
authenticationEntryPoint.commence(request,
|
authenticationEntryPoint.commence(request,
|
||||||
(HttpServletResponse) fi.getResponse(), reason);
|
(HttpServletResponse) fi.getResponse(), reason);
|
||||||
}
|
}
|
||||||
|
|
|
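Review bot: In the last hunk, the debug line `"Authentication entry point being called; target URL added to Session: " + targetUrl` is emitted before the new `if (createSessionAllowed)` guard, so when the property is false the log asserts a session write that never happens, which will mislead anyone diagnosing a lost redirect target. Making the message track the flag is a one-line change: `"Authentication entry point being called; target URL " + (createSessionAllowed ? "added to Session: " : "not stored (createSessionAllowed=false): ") + targetUrl);`. The enclosing method (the one that ends in `authenticationEntryPoint.commence(...)`) starts above the hunk, so the earlier part of its body is not visible here. Separately, `setCreateSessionAllowed` in the third hunk has no Javadoc; a short `@param createSessionAllowed see {@link #isCreateSessionAllowed()}` would keep the setter discoverable alongside the documented getter.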
@ -49,6 +49,7 @@
|
||||||
<action dev="benalex" type="update">Form, CAS, X509 and Remember-Me authentication mechanisms now publish an InteractiveAuthenticationSuccessEvent (see http://opensource.atlassian.com/projects/spring/browse/SEC-5)</action>
|
<action dev="benalex" type="update">Form, CAS, X509 and Remember-Me authentication mechanisms now publish an InteractiveAuthenticationSuccessEvent (see http://opensource.atlassian.com/projects/spring/browse/SEC-5)</action>
|
||||||
<action dev="benalex" type="update">FilterSecurityInterceptor now has an observeOncePerRequest boolean property, allowing multiple fragments of the HTTP request to be individually authorized (see http://opensource.atlassian.com/projects/spring/browse/SEC-14)</action>
|
<action dev="benalex" type="update">FilterSecurityInterceptor now has an observeOncePerRequest boolean property, allowing multiple fragments of the HTTP request to be individually authorized (see http://opensource.atlassian.com/projects/spring/browse/SEC-14)</action>
|
||||||
<action dev="benalex" type="update">AnonymousProcessingFilter cleans up the Authentication object, avoiding HttpSession creation overhead</action>
|
<action dev="benalex" type="update">AnonymousProcessingFilter cleans up the Authentication object, avoiding HttpSession creation overhead</action>
|
||||||
|
<action dev="benalex" type="update">SecurityEnforcementFilter now has a createSessionAllowed property, which should be set to false to avoid unnecessary session creation</action>
|
||||||
<action dev="luke_t" type="fix">UserAttributeEditor now removes trailing spaces</action>
|
<action dev="luke_t" type="fix">UserAttributeEditor now removes trailing spaces</action>
|
||||||
<action dev="raykrueger" type="update">SecureContextLoginModule now provides ignoreMissingAuthentication property</action>
|
<action dev="raykrueger" type="update">SecureContextLoginModule now provides ignoreMissingAuthentication property</action>
|
||||||
<action dev="raykrueger" type="fix">SecureContextLoginModuleTests fixes (see http://opensource.atlassian.com/projects/spring/browse/SEC-36)</action>
|
<action dev="raykrueger" type="fix">SecureContextLoginModuleTests fixes (see http://opensource.atlassian.com/projects/spring/browse/SEC-36)</action>
|
||||||
|
|