
Configuration of session management strategies

This commit adds the possibility to configure the AuthenticationFailureHandler
of the SessionManagementFilter.

Fixes gh-3794
Marten Deinum 9 ani în urmă
67c9f12964

+ 45 - 0
config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java

@@ -33,6 +33,7 @@ import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.context.DelegatingApplicationListener;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
@@ -108,6 +109,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 	private boolean enableSessionUrlRewriting;
 	private String invalidSessionUrl;
 	private String sessionAuthenticationErrorUrl;
+	private AuthenticationFailureHandler sessionAuthenticationFailureHandler;
 
 	/**
 	 * Creates a new instance
@@ -161,6 +163,22 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 		return this;
 	}
 
+	/**
+	 * Defines the {@code AuthenticationFailureHandler} which will be used when the
+	 * SessionAuthenticationStrategy raises an exception. If not set, an unauthorized
+	 * (402) error code will be returned to the client. Note that this attribute doesn't
+	 * apply if the error occurs during a form-based login, where the URL for
+	 * authentication failure will take precedence.
+	 *
+	 * @param sessionAuthenticationFailureHandler the handler to use
+	 * @return the {@link SessionManagementConfigurer} for further customization
+	 */
+	public SessionManagementConfigurer<H> sessionAuthenticationFailureHandler(
+			AuthenticationFailureHandler sessionAuthenticationFailureHandler) {
+		this.sessionAuthenticationFailureHandler = sessionAuthenticationFailureHandler;
+		return this;
+	}
+
 	/**
 	 * If set to true, allows HTTP sessions to be rewritten in the URLs when using
 	 * {@link HttpServletResponse#encodeRedirectURL(String)} or
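Review bot: The Javadoc on the new sessionAuthenticationFailureHandler(...) method states that, when no handler is set, an "unauthorized (402)" status is returned, but 402 is Payment Required; the unauthorized status is 401, which is what SimpleUrlAuthenticationFailureHandler sends when it has no failure URL. The number should read `* (401) error code will be returned to the client. Note that this attribute doesn't`. It would also help callers to say that the handler is only consulted by the SessionManagementFilter and is ignored when a sessionAuthenticationErrorUrl has been set on this configurer only if the handler is null, since the getter below prefers the explicit handler; a sentence such as `An explicitly set handler takes precedence over {@link #sessionAuthenticationErrorUrl(String)}.` would make the resolution order visible where users read it.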
@@ -439,6 +457,10 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 		if (strategy != null) {
 			sessionManagementFilter.setInvalidSessionStrategy(strategy);
 		}
+		AuthenticationFailureHandler failureHandler = getSessionAuthenticationFailureHandler();
+		if (failureHandler != null) {
+			sessionManagementFilter.setAuthenticationFailureHandler(failureHandler);
+		}
 		AuthenticationTrustResolver trustResolver = http
 				.getSharedObject(AuthenticationTrustResolver.class);
 		if (trustResolver != null) {
@@ -473,6 +495,13 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 			this.invalidSessionStrategy = new SimpleRedirectInvalidSessionStrategy(
 					this.invalidSessionUrl);
 		}
+		if (this.invalidSessionUrl == null) {
+			return null;
+		}
+		if (this.invalidSessionStrategy == null) {
+			this.invalidSessionStrategy = new SimpleRedirectInvalidSessionStrategy(
+					this.invalidSessionUrl);
+		}
 		return this.invalidSessionStrategy;
 	}
 
@@ -492,6 +521,22 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 		return this.expiredSessionStrategy;
 	}
 
+	AuthenticationFailureHandler getSessionAuthenticationFailureHandler() {
+		if (this.sessionAuthenticationFailureHandler != null) {
+			return this.sessionAuthenticationFailureHandler;
+		}
+
+		if (this.sessionAuthenticationErrorUrl == null) {
+			return null;
+		}
+
+		if (this.sessionAuthenticationFailureHandler == null) {
+			this.sessionAuthenticationFailureHandler = new SimpleUrlAuthenticationFailureHandler(
+					this.sessionAuthenticationErrorUrl);
+		}
+		return this.sessionAuthenticationFailureHandler;
+	}
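Review bot: In getSessionAuthenticationFailureHandler the guard `if (this.sessionAuthenticationFailureHandler == null)` is always true, because the first statement of the method already returns whenever that field is non-null; the guard can be dropped and the assignment made unconditional, `this.sessionAuthenticationFailureHandler = new SimpleUrlAuthenticationFailureHandler(this.sessionAuthenticationErrorUrl);` followed by `return this.sessionAuthenticationFailureHandler;`. Note also that the getter stores the derived default into the same field the public setter writes, so a sessionAuthenticationErrorUrl(...) call made after the getter has run is silently ignored; the getter is package-private and appears to be called once from the configure step, which presumably makes this safe, but a one-line comment stating that the lookup is cached on first use would document the assumption.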
+
 	/**
 	 * Gets the {@link SessionCreationPolicy}. Can not be null.
 	 * @return the {@link SessionCreationPolicy}