Class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
java.lang.Object
org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<SessionManagementConfigurer<H>,H>
org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer<H>
- All Implemented Interfaces:
SecurityConfigurer<DefaultSecurityFilterChain,
H>
public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<SessionManagementConfigurer<H>,H>
Allows configuring session management.
Security Filters
The following Filters are populatedSessionManagementFilter
ConcurrentSessionFilter
if there are restrictions on how many concurrent sessions a user can have
Shared Objects Created
The following shared objects are created:Shared Objects Used
SecurityContextRepository
AuthenticationTrustResolver
is optionally used to populate theHttpSessionSecurityContextRepository
andSessionManagementFilter
- Since:
- 3.2
- See Also:
-
Nested Class Summary
Modifier and TypeClassDescriptionfinal class
Allows configuring controlling of multiple sessions.final class
Allows configuring SessionFixation protection -
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionvoid
Configure theSecurityBuilder
by setting the necessary properties on theSecurityBuilder
.enableSessionUrlRewriting
(boolean enableSessionUrlRewriting) If set to true, allows HTTP sessions to be rewritten in the URLs when usingHttpServletResponse.encodeRedirectURL(String)
orHttpServletResponse.encodeURL(String)
, otherwise disallows HTTP sessions to be included in the URL.void
Initialize theSecurityBuilder
.invalidSessionStrategy
(InvalidSessionStrategy invalidSessionStrategy) Setting this attribute will inject the provided invalidSessionStrategy into theSessionManagementFilter
.invalidSessionUrl
(String invalidSessionUrl) Setting this attribute will inject theSessionManagementFilter
with aSimpleRedirectInvalidSessionStrategy
configured with the attribute value.maximumSessions
(int maximumSessions) Controls the maximum number of sessions for a user.requireExplicitAuthenticationStrategy
(boolean requireExplicitAuthenticationStrategy) Setting this means that explicit invocation ofSessionAuthenticationStrategy
is required.sessionAuthenticationErrorUrl
(String sessionAuthenticationErrorUrl) Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception.sessionAuthenticationFailureHandler
(AuthenticationFailureHandler sessionAuthenticationFailureHandler) Defines theAuthenticationFailureHandler
which will be used when the SessionAuthenticationStrategy raises an exception.sessionAuthenticationStrategy
(SessionAuthenticationStrategy sessionAuthenticationStrategy) Allows explicitly specifying theSessionAuthenticationStrategy
.sessionConcurrency
(Customizer<SessionManagementConfigurer<H>.ConcurrencyControlConfigurer> sessionConcurrencyCustomizer) Controls the maximum number of sessions for a user.sessionCreationPolicy
(SessionCreationPolicy sessionCreationPolicy) Allows specifying theSessionCreationPolicy
Allows changing the defaultSessionFixationProtectionStrategy
.sessionFixation
(Customizer<SessionManagementConfigurer<H>.SessionFixationConfigurer> sessionFixationCustomizer) Allows configuring session fixation protection.Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
disable, getSecurityContextHolderStrategy, withObjectPostProcessor
Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, and, getBuilder, postProcess, setBuilder
-
Constructor Details
-
SessionManagementConfigurer
public SessionManagementConfigurer()Creates a new instance- See Also:
-
-
Method Details
-
invalidSessionUrl
Setting this attribute will inject theSessionManagementFilter
with aSimpleRedirectInvalidSessionStrategy
configured with the attribute value. When an invalid session ID is submitted, the strategy will be invoked, redirecting to the configured URL.- Parameters:
invalidSessionUrl
- the URL to redirect to when an invalid session is detected- Returns:
- the
SessionManagementConfigurer
for further customization
-
requireExplicitAuthenticationStrategy
public SessionManagementConfigurer<H> requireExplicitAuthenticationStrategy(boolean requireExplicitAuthenticationStrategy) Setting this means that explicit invocation ofSessionAuthenticationStrategy
is required.- Parameters:
requireExplicitAuthenticationStrategy
- require explicit invocation ofSessionAuthenticationStrategy
- Returns:
- the
SessionManagementConfigurer
for further customization
-
invalidSessionStrategy
public SessionManagementConfigurer<H> invalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy) Setting this attribute will inject the provided invalidSessionStrategy into theSessionManagementFilter
. When an invalid session ID is submitted, the strategy will be invoked, redirecting to the configured URL.- Parameters:
invalidSessionStrategy
- the strategy to use when an invalid session ID is submitted.- Returns:
- the
SessionManagementConfigurer
for further customization
-
sessionAuthenticationErrorUrl
public SessionManagementConfigurer<H> sessionAuthenticationErrorUrl(String sessionAuthenticationErrorUrl) Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (402) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.- Parameters:
sessionAuthenticationErrorUrl
- the URL to redirect to- Returns:
- the
SessionManagementConfigurer
for further customization
-
sessionAuthenticationFailureHandler
public SessionManagementConfigurer<H> sessionAuthenticationFailureHandler(AuthenticationFailureHandler sessionAuthenticationFailureHandler) Defines theAuthenticationFailureHandler
which will be used when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (402) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.- Parameters:
sessionAuthenticationFailureHandler
- the handler to use- Returns:
- the
SessionManagementConfigurer
for further customization
-
enableSessionUrlRewriting
If set to true, allows HTTP sessions to be rewritten in the URLs when usingHttpServletResponse.encodeRedirectURL(String)
orHttpServletResponse.encodeURL(String)
, otherwise disallows HTTP sessions to be included in the URL. This prevents leaking information to external domains.This is achieved by guarding
HttpServletResponse.encodeURL(java.lang.String)
andHttpServletResponse.encodeRedirectURL(java.lang.String)
invocations. Any code that also overrides either of these two methods, likeResourceUrlEncodingFilter
, needs to come after the security filter chain or risk being skipped.- Parameters:
enableSessionUrlRewriting
- true if should allow the JSESSIONID to be rewritten into the URLs, else false (default)- Returns:
- the
SessionManagementConfigurer
for further customization - See Also:
-
sessionCreationPolicy
public SessionManagementConfigurer<H> sessionCreationPolicy(SessionCreationPolicy sessionCreationPolicy) Allows specifying theSessionCreationPolicy
- Parameters:
sessionCreationPolicy
- theSessionCreationPolicy
to use. Cannot be null.- Returns:
- the
SessionManagementConfigurer
for further customizations - Throws:
IllegalArgumentException
- ifSessionCreationPolicy
is null.- See Also:
-
sessionAuthenticationStrategy
public SessionManagementConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) Allows explicitly specifying theSessionAuthenticationStrategy
. The default is to useChangeSessionIdAuthenticationStrategy
. If restricting the maximum number of sessions is configured, thenCompositeSessionAuthenticationStrategy
delegating toConcurrentSessionControlAuthenticationStrategy
, the default OR suppliedSessionAuthenticationStrategy
andRegisterSessionAuthenticationStrategy
.NOTE: Supplying a custom
SessionAuthenticationStrategy
will override the default session fixation strategy.- Parameters:
sessionAuthenticationStrategy
-- Returns:
- the
SessionManagementConfigurer
for further customizations
-
sessionFixation
Allows changing the defaultSessionFixationProtectionStrategy
.- Returns:
- the
SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.SessionFixationConfigurer
for further customizations
-
sessionFixation
public SessionManagementConfigurer<H> sessionFixation(Customizer<SessionManagementConfigurer<H>.SessionFixationConfigurer> sessionFixationCustomizer) Allows configuring session fixation protection.- Parameters:
sessionFixationCustomizer
- theCustomizer
to provide more options for theSessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.SessionFixationConfigurer
- Returns:
- the
SessionManagementConfigurer
for further customizations
-
maximumSessions
public SessionManagementConfigurer<H>.ConcurrencyControlConfigurer maximumSessions(int maximumSessions) Controls the maximum number of sessions for a user. The default is to allow any number of sessions.- Parameters:
maximumSessions
- the maximum number of sessions for a user- Returns:
- the
SessionManagementConfigurer
for further customizations
-
sessionConcurrency
public SessionManagementConfigurer<H> sessionConcurrency(Customizer<SessionManagementConfigurer<H>.ConcurrencyControlConfigurer> sessionConcurrencyCustomizer) Controls the maximum number of sessions for a user. The default is to allow any number of users.- Parameters:
sessionConcurrencyCustomizer
- theCustomizer
to provide more options for theSessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.ConcurrencyControlConfigurer
- Returns:
- the
SessionManagementConfigurer
for further customizations
-
init
Description copied from interface:SecurityConfigurer
Initialize theSecurityBuilder
. Here only shared state should be created and modified, but not properties on theSecurityBuilder
used for building the object. This ensures that theSecurityConfigurer.configure(SecurityBuilder)
method uses the correct shared objects when building. Configurers should be applied here.- Specified by:
init
in interfaceSecurityConfigurer<DefaultSecurityFilterChain,
H extends HttpSecurityBuilder<H>> - Overrides:
init
in classSecurityConfigurerAdapter<DefaultSecurityFilterChain,
H extends HttpSecurityBuilder<H>>
-
configure
Description copied from interface:SecurityConfigurer
Configure theSecurityBuilder
by setting the necessary properties on theSecurityBuilder
.- Specified by:
configure
in interfaceSecurityConfigurer<DefaultSecurityFilterChain,
H extends HttpSecurityBuilder<H>> - Overrides:
configure
in classSecurityConfigurerAdapter<DefaultSecurityFilterChain,
H extends HttpSecurityBuilder<H>>
-