org.acegisecurity.context
Class HttpSessionContextIntegrationFilter

java.lang.Object
  org.acegisecurity.context.HttpSessionContextIntegrationFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.InitializingBean

public class HttpSessionContextIntegrationFilter
extends java.lang.Object
implements org.springframework.beans.factory.InitializingBean, javax.servlet.Filter

Populates the SecurityContextHolder with information obtained from the HttpSession.

The HttpSession will be queried to retrieve the SecurityContext that should be stored against the SecurityContextHolder for the duration of the web request. At the end of the web request, any updates made to the SecurityContextHolder will be persisted back to the HttpSession by this filter.

If a valid SecurityContext cannot be obtained from the HttpSession for whatever reason, a fresh SecurityContext will be created and used instead. The created object will be of the instance defined by the setContext(Class) method (which defaults to SecurityContextImpl.

No HttpSession will be created by this filter if one does not already exist. If at the end of the web request the HttpSession does not exist, a HttpSession will only be created if the current contents of the SecurityContextHolder are not Object.equals(java.lang.Object) to a new instance of setContext(Class). This avoids needless HttpSession creation, but automates the storage of changes made to the SecurityContextHolder. There is one exception to this rule, that is if the forceEagerSessionCreation property is true, in which case sessions will always be created irrespective of normal session-minimisation logic (the default is false, as this is resource intensive and not recommended).

This filter will only execute once per request, to resolve servlet container (specifically Weblogic) incompatibilities.

If for whatever reason no HttpSession should ever be created (eg this filter is only being used with Basic authentication or similar clients that will never present the same jsessionid etc), the setAllowSessionCreation(boolean) should be set to false. Only do this if you really need to conserve server memory and ensure all classes using the SecurityContextHolder are designed to have no persistence of the SecurityContext between web requests. Please note that if forceEagerSessionCreation is true, the allowSessionCreation must also be true (setting it to false will cause a startup time error).

This filter MUST be executed BEFORE any authentication processing mechanisms. Authentication processing mechanisms (eg BASIC, CAS processing filters etc) expect the SecurityContextHolder to contain a valid SecurityContext by the time they execute.

Version:

$Id: HttpSessionContextIntegrationFilter.java 1496 2006-05-23 13:38:33Z benalex $

Author:

Ben Alex, Patrick Burleson

Field Summary

static java.lang.String	ACEGI_SECURITY_CONTEXT_KEY
protected static org.apache.commons.logging.Log	logger

Constructor Summary

HttpSessionContextIntegrationFilter()

Method Summary

void	afterPropertiesSet()
void	destroy() Does nothing.
void	doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
SecurityContext	generateNewContext()
java.lang.Class	getContext()
void	init(javax.servlet.FilterConfig filterConfig) Does nothing.
boolean	isAllowSessionCreation()
boolean	isForceEagerSessionCreation()
void	setAllowSessionCreation(boolean allowSessionCreation)
void	setContext(java.lang.Class secureContext)
void	setForceEagerSessionCreation(boolean forceEagerSessionCreation)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

protected static final org.apache.commons.logging.Log logger

ACEGI_SECURITY_CONTEXT_KEY

public static final java.lang.String ACEGI_SECURITY_CONTEXT_KEY

See Also:

Constant Field Values

Constructor Detail

HttpSessionContextIntegrationFilter

public HttpSessionContextIntegrationFilter()

Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws java.lang.Exception

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Throws:

java.lang.Exception

destroy

public void destroy()

Does nothing. We use IoC container lifecycle services instead.

Specified by:

destroy in interface javax.servlet.Filter

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException

Specified by:

doFilter in interface javax.servlet.Filter

Throws:

java.io.IOException

javax.servlet.ServletException

generateNewContext

public SecurityContext generateNewContext()
                                   throws javax.servlet.ServletException

Throws:

javax.servlet.ServletException

getContext

public java.lang.Class getContext()

init

public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException

Does nothing. We use IoC container lifecycle services instead.

Specified by:

init in interface javax.servlet.Filter

Parameters:

filterConfig - ignored

Throws:

javax.servlet.ServletException - ignored

isAllowSessionCreation

public boolean isAllowSessionCreation()

isForceEagerSessionCreation

public boolean isForceEagerSessionCreation()

setAllowSessionCreation

public void setAllowSessionCreation(boolean allowSessionCreation)

setContext

public void setContext(java.lang.Class secureContext)

setForceEagerSessionCreation

public void setForceEagerSessionCreation(boolean forceEagerSessionCreation)