org.acegisecurity.context
Class HttpSessionContextIntegrationFilter

java.lang.Object
  extended by org.acegisecurity.context.HttpSessionContextIntegrationFilter
All Implemented Interfaces:
javax.servlet.Filter, InitializingBean

public class HttpSessionContextIntegrationFilter
extends Object
implements InitializingBean, javax.servlet.Filter

Populates the SecurityContextHolder with information obtained from the HttpSession.

The HttpSession will be queried to retrieve the SecurityContext that should be stored against the SecurityContextHolder for the duration of the web request. At the end of the web request, any updates made to the SecurityContextHolder will be persisted back to the HttpSession by this filter.

If a valid SecurityContext cannot be obtained from the HttpSession for whatever reason, a fresh SecurityContext will be created and used instead. The created object will be an instance of the class defined by the setContext(Class) method (which defaults to SecurityContextImpl).

No HttpSession will be created by this filter if one does not already exist. If at the end of the web request the HttpSession does not exist, an HttpSession will only be created if the current contents of the SecurityContextHolder are not equal, per Object.equals(java.lang.Object), to a new instance of the class set by setContext(Class). This avoids needless HttpSession creation, but automates the storage of changes made to the SecurityContextHolder.

This filter will only execute once per request, to resolve servlet container (specifically WebLogic) incompatibilities.

If for whatever reason no HttpSession should ever be created (e.g. this filter is only being used with Basic authentication or similar clients that will never present the same jsessionid etc.), setAllowSessionCreation(boolean) should be set to false. Only do this if you really need to conserve server memory, and ensure that all classes using the SecurityContextHolder are designed to have no persistence of the SecurityContext between web requests.

This filter MUST be executed BEFORE any authentication processing mechanisms. Authentication processing mechanisms (e.g. BASIC, CAS processing filters etc.) expect the SecurityContextHolder to contain a valid SecurityContext by the time they execute.
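
The session handling described above, modelled in plain Java as an added example (this is not the Acegi source or the project's own code). The Context class, the KEY value, the HOLDER thread-local and the Map standing in for HttpSession are assumptions made for illustration; restOfChain represents the authentication mechanisms and application code that run after this filter.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Simplified model of the behaviour described above; not the Acegi source.
public class ContextIntegrationModel {
    // Hypothetical stand-in for SecurityContextImpl; equality follows the held authentication.
    static final class Context {
        String authentication; // null means unauthenticated
        @Override public boolean equals(Object o) {
            return o instanceof Context && Objects.equals(authentication, ((Context) o).authentication);
        }
        @Override public int hashCode() { return Objects.hashCode(authentication); }
    }

    static final String KEY = "CONTEXT_KEY_PLACEHOLDER"; // stands in for ACEGI_SECURITY_CONTEXT_KEY
    static final ThreadLocal<Context> HOLDER = new ThreadLocal<>(); // stands in for SecurityContextHolder
    Map<String, Object> session; // stands in for HttpSession; null means none exists yet
    boolean allowSessionCreation = true;

    void handle(Runnable restOfChain) {
        // Load from an existing session only; a missing or invalid entry yields a fresh context.
        Object stored = (session != null) ? session.get(KEY) : null;
        HOLDER.set(stored instanceof Context ? (Context) stored : new Context());
        try {
            restOfChain.run(); // authentication mechanisms run after this filter
        } finally {
            Context after = HOLDER.get();
            HOLDER.remove(); // the context is held only for the duration of the request
            // Create a session only when allowed and the context differs from a fresh one.
            if (session == null && allowSessionCreation && !after.equals(new Context())) {
                session = new HashMap<>();
            }
            if (session != null) session.put(KEY, after); // persist updates back
        }
    }
    static boolean sessionCreated(boolean allow, Runnable chain) {
        ContextIntegrationModel m = new ContextIntegrationModel();
        m.allowSessionCreation = allow;
        m.handle(chain);
        return m.session != null;
    }
    public static void main(String[] args) {
        Runnable login = () -> HOLDER.get().authentication = "alice"; // constructed sample principal
        System.out.println("untouched context:  " + sessionCreated(true, () -> { }));
        System.out.println("login, allowed:     " + sessionCreated(true, login));
        System.out.println("login, not allowed: " + sessionCreated(false, login));
    }
}
```

In the third case the authenticated context is discarded at the end of the request, which is why classes using the holder must not rely on it persisting when session creation is disabled.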

Version:
$Id: HttpSessionContextIntegrationFilter.java,v 1.12 2005/11/17 00:55:49 benalex Exp $
Author:
Ben Alex, Patrick Burleson

Field Summary
static String ACEGI_SECURITY_CONTEXT_KEY
protected static org.apache.commons.logging.Log logger

Constructor Summary
HttpSessionContextIntegrationFilter()

Method Summary
void afterPropertiesSet()
void destroy()
          Does nothing.
void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
SecurityContext generateNewContext()
Class getContext()
void init(javax.servlet.FilterConfig filterConfig)
          Does nothing.
boolean isAllowSessionCreation()
void setAllowSessionCreation(boolean allowSessionCreation)
void setContext(Class secureContext)

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

protected static final org.apache.commons.logging.Log logger

ACEGI_SECURITY_CONTEXT_KEY

public static final String ACEGI_SECURITY_CONTEXT_KEY
See Also:
Constant Field Values
Constructor Detail

HttpSessionContextIntegrationFilter

public HttpSessionContextIntegrationFilter()
Method Detail

setAllowSessionCreation

public void setAllowSessionCreation(boolean allowSessionCreation)

isAllowSessionCreation

public boolean isAllowSessionCreation()

setContext

public void setContext(Class secureContext)

getContext

public Class getContext()

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception
Specified by:
afterPropertiesSet in interface InitializingBean
Throws:
Exception

destroy

public void destroy()
Does nothing. We use IoC container lifecycle services instead.

Specified by:
destroy in interface javax.servlet.Filter

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
Specified by:
doFilter in interface javax.servlet.Filter
Throws:
IOException
javax.servlet.ServletException

generateNewContext

public SecurityContext generateNewContext()
                                   throws javax.servlet.ServletException
Throws:
javax.servlet.ServletException

init

public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException
Does nothing. We use IoC container lifecycle services instead.

Specified by:
init in interface javax.servlet.Filter
Parameters:
filterConfig - ignored
Throws:
javax.servlet.ServletException - ignored


Copyright © 2004-2005 Acegi Technology Pty Limited. All Rights Reserved.