Class SessionManagementConfigurer.SessionFixationConfigurer
java.lang.Object
org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer.SessionFixationConfigurer
- Enclosing class:
- SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
Allows configuring SessionFixation protection
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionSpecifies that the Servlet container-provided session fixation protection should be used.Specifies that a new session should be created and the session attributes from the originalHttpSession
should be retained.Specifies that a new session should be created, but the session attributes from the originalHttpSession
should not be retained.none()
Specifies that no session fixation protection should be enabled.
-
Constructor Details
-
SessionFixationConfigurer
public SessionFixationConfigurer()
-
-
Method Details
-
newSession
Specifies that a new session should be created, but the session attributes from the originalHttpSession
should not be retained.- Returns:
- the
SessionManagementConfigurer
for further customizations
-
migrateSession
Specifies that a new session should be created and the session attributes from the originalHttpSession
should be retained.- Returns:
- the
SessionManagementConfigurer
for further customizations
-
changeSessionId
Specifies that the Servlet container-provided session fixation protection should be used. When a session authenticates, the Servlet methodHttpServletRequest#changeSessionId()
is called to change the session ID and retain all session attributes.- Returns:
- the
SessionManagementConfigurer
for further customizations
-
none
Specifies that no session fixation protection should be enabled. This may be useful when utilizing other mechanisms for protecting against session fixation. For example, if application container session fixation protection is already in use. Otherwise, this option is not recommended.- Returns:
- the
SessionManagementConfigurer
for further customizations
-