public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>> extends SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>
SessionManagementFilterConcurrentSessionFilter if there are restrictions on how many concurrent sessions a user can haveRequestCacheSecurityContextRepositorySessionManagementConfigurerInvalidSessionStrategySecurityContextRepositoryAuthenticationTrustResolver is optionally used to populate the HttpSessionSecurityContextRepository and SessionManagementFilterSessionManagementFilter,
ConcurrentSessionFilter| Modifier and Type | Class and Description |
|---|---|
class |
SessionManagementConfigurer.ConcurrencyControlConfigurer
Allows configuring controlling of multiple sessions.
|
class |
SessionManagementConfigurer.SessionFixationConfigurer
Allows configuring SessionFixation protection
|
| Constructor and Description |
|---|
SessionManagementConfigurer()
Creates a new instance
|
| Modifier and Type | Method and Description |
|---|---|
void |
configure(H http)
Configure the
SecurityBuilder by setting the necessary properties
on the SecurityBuilder. |
B |
disable()
Disables the
AbstractHttpConfigurer by removing it. |
SessionManagementConfigurer<H> |
enableSessionUrlRewriting(boolean enableSessionUrlRewriting)
If set to true, allows HTTP sessions to be rewritten in the URLs when
using
HttpServletResponse.encodeRedirectURL(String) or
HttpServletResponse.encodeURL(String), otherwise disallows HTTP
sessions to be included in the URL. |
void |
init(H http)
Initialize the
SecurityBuilder. |
SessionManagementConfigurer<H> |
invalidSessionUrl(String invalidSessionUrl)
Setting this attribute will inject the
SessionManagementFilter with a
SimpleRedirectInvalidSessionStrategy configured with the attribute value. |
SessionManagementConfigurer.ConcurrencyControlConfigurer |
maximumSessions(int maximumSessions)
Controls the maximum number of sessions for a user.
|
SessionManagementConfigurer<H> |
sessionAuthenticationErrorUrl(String sessionAuthenticationErrorUrl)
Defines the URL of the error page which should be shown when the
SessionAuthenticationStrategy raises an exception.
|
SessionManagementConfigurer<H> |
sessionAuthenticationStrategy(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy)
Allows explicitly specifying the
SessionAuthenticationStrategy. |
SessionManagementConfigurer<H> |
sessionCreationPolicy(SessionCreationPolicy sessionCreationPolicy)
Allows specifying the
SessionCreationPolicy |
SessionManagementConfigurer.SessionFixationConfigurer |
sessionFixation() |
T |
withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor) |
addObjectPostProcessor, and, getBuilder, postProcess, setBuilderpublic SessionManagementConfigurer()
HttpSecurity.sessionManagement()public SessionManagementConfigurer<H> invalidSessionUrl(String invalidSessionUrl)
SessionManagementFilter with a
SimpleRedirectInvalidSessionStrategy configured with the attribute value.
When an invalid session ID is submitted, the strategy will be invoked,
redirecting to the configured URL.invalidSessionUrl - the URL to redirect to when an invalid session is detectedSessionManagementConfigurer for further customizationpublic SessionManagementConfigurer<H> sessionAuthenticationErrorUrl(String sessionAuthenticationErrorUrl)
sessionAuthenticationErrorUrl - the URL to redirect toSessionManagementConfigurer for further customizationpublic SessionManagementConfigurer<H> enableSessionUrlRewriting(boolean enableSessionUrlRewriting)
HttpServletResponse.encodeRedirectURL(String) or
HttpServletResponse.encodeURL(String), otherwise disallows HTTP
sessions to be included in the URL. This prevents leaking information to
external domains.enableSessionUrlRewriting - true if should allow the JSESSIONID to be rewritten into the URLs, else false (default)SessionManagementConfigurer for further customizationHttpSessionSecurityContextRepository.setDisableUrlRewriting(boolean)public SessionManagementConfigurer<H> sessionCreationPolicy(SessionCreationPolicy sessionCreationPolicy)
SessionCreationPolicysessionCreationPolicy - the SessionCreationPolicy to use. Cannot be null.SessionManagementConfigurer for further customizationsIllegalArgumentException - if SessionCreationPolicy is null.SessionCreationPolicypublic SessionManagementConfigurer<H> sessionAuthenticationStrategy(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy)
SessionAuthenticationStrategy.
The default is to use SessionFixationProtectionStrategy. If
restricting the maximum number of sessions is configured, then
CompositeSessionAuthenticationStrategy delegating to
ConcurrentSessionControlAuthenticationStrategy,
SessionFixationProtectionStrategy (optional), and
RegisterSessionAuthenticationStrategy will be used.sessionAuthenticationStrategy - SessionManagementConfigurer for further
customizationspublic SessionManagementConfigurer.SessionFixationConfigurer sessionFixation()
public SessionManagementConfigurer.ConcurrencyControlConfigurer maximumSessions(int maximumSessions)
maximumSessions - the maximum number of sessions for a userSessionManagementConfigurer for further customizationspublic void init(H http) throws Exception
SecurityConfigurerSecurityBuilder. Here only shared state should be
created and modified, but not properties on the SecurityBuilder
used for building the object. This ensures that the
SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared
objects when building.init in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>init in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>Exceptionpublic void configure(H http) throws Exception
SecurityConfigurerSecurityBuilder by setting the necessary properties
on the SecurityBuilder.configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>configure in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>Exceptionpublic B disable()
AbstractHttpConfigurer by removing it. After doing
so a fresh version of the configuration can be applied.HttpSecurityBuilder for additional customizationspublic T withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor)