Examples of org.springframework.security.web.context.HttpSessionSecurityContextRepository

• org.springframework.security.web.context.HttpSessionSecurityContextRepository
  A {@code SecurityContextRepository} implementation which stores the security context in the {@code HttpSession}between requests.

  The {@code HttpSession} will be queried to retrieve the {@code SecurityContext} in the loadContextmethod (using the key {@link #SPRING_SECURITY_CONTEXT_KEY} by default). If a valid {@code SecurityContext} cannot beobtained from the {@code HttpSession} for whatever reason, a fresh {@code SecurityContext} will be createdby calling by {@link SecurityContextHolder#createEmptyContext()} and this instance will be returned instead.

  When saveContext is called, the context will be stored under the same key, provided

  1. The value has changed
  2. The configured AuthenticationTrustResolver does not report that the contents represent an anonymous user

  With the standard configuration, no {@code HttpSession} will be created during loadContext if one doesnot already exist. When saveContext is called at the end of the web request, and no session exists, a new {@code HttpSession} will only be created if the supplied {@code SecurityContext} is not equalto an empty {@code SecurityContext} instance. This avoids needless HttpSession creation,but automates the storage of changes made to the context during the request. Note that if {@link SecurityContextPersistenceFilter} is configured to eagerly create sessions, then the session-minimisationlogic applied here will not make any difference. If you are using eager session creation, then you should ensure that the allowSessionCreation property of this class is set to true (the default).

  If for whatever reason no {@code HttpSession} should ever be created (for example, ifBasic authentication is being used or similar clients that will never present the same {@code jsessionid}), then {@link #setAllowSessionCreation(boolean) allowSessionCreation} should be set to false.Only do this if you really need to conserve server memory and ensure all classes using the {@code SecurityContextHolder} are designed to have no persistence of the {@code SecurityContext}between web requests. @author Luke Taylor @since 3.0

        this.context = new InMemoryXmlApplicationContext(context);
        this.springSecurityFilterChain = this.context.getBean("springSecurityFilterChain",Filter.class);
    }

    private void login(Authentication auth) {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
        HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response);
        repo.loadContext(requestResponseHolder);

        SecurityContextImpl securityContextImpl = new SecurityContextImpl();
        securityContextImpl.setAuthentication(auth);
        repo.saveContext(securityContextImpl, requestResponseHolder.getRequest(), requestResponseHolder.getResponse());
    }

                    .withUser("user").password("password").roles("USER");
        }

        @Bean
        public SecurityContextRepository securityContextRepository() {
            HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
            repo.setSpringSecurityContextKey("CUSTOM");
            return repo;
        }

        if(securityContextRepository == null) {
            if(stateless) {
                http.setSharedObject(SecurityContextRepository.class, new NullSecurityContextRepository());
            } else {
                HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository();
                httpSecurityRepository.setDisableUrlRewriting(!enableSessionUrlRewriting);
                httpSecurityRepository.setAllowSessionCreation(isAllowSessionCreation());
                AuthenticationTrustResolver trustResolver = http.getSharedObject(AuthenticationTrustResolver.class);
                if(trustResolver != null) {
                    httpSecurityRepository.setTrustResolver(trustResolver);
                }
                http.setSharedObject(SecurityContextRepository.class, httpSecurityRepository);
            }
        }

        this.context = context;
        this.springSecurityFilterChain = this.context.getBean("springSecurityFilterChain",Filter.class);
    }

    private void login(Authentication auth) {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
        HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response);
        repo.loadContext(requestResponseHolder);

        SecurityContextImpl securityContextImpl = new SecurityContextImpl();
        securityContextImpl.setAuthentication(auth);
        repo.saveContext(securityContextImpl, requestResponseHolder.getRequest(), requestResponseHolder.getResponse());
    }

  /**
   * Creates a new AjaxSessionFilter instance with a default HttpSessionSecurityContextRepository set
   */
  public AjaxSessionFilter() {
    super(new HttpSessionSecurityContextRepository());
  }

        if(securityContextRepository == null) {
            if(stateless) {
                builder.setSharedObject(SecurityContextRepository.class, new NullSecurityContextRepository());
            } else {
                HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository();
                httpSecurityRepository.setDisableUrlRewriting(!enableSessionUrlRewriting);
                httpSecurityRepository.setAllowSessionCreation(isAllowSessionCreation());
                builder.setSharedObject(SecurityContextRepository.class, httpSecurityRepository);
            }
        }

        RequestCache requestCache = builder.getSharedObject(RequestCache.class);

        SecurityContextPersistenceFilterConfig pConfig =
                (SecurityContextPersistenceFilterConfig) config;

        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
        SecurityContextPersistenceFilter filter = new SecurityContextPersistenceFilter(repo) {
          @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
                 // set the hint for authentcation servlets
                 req.setAttribute(ALLOWSESSIONCREATION_ATTR, isAllowSessionCreation);
                 if (isAllowSessionCreation)
                     ((HttpServletRequest)req).getSession(); // create session if allowed
                 // set the hint for other components
                 req.setAttribute(GeoServerSecurityFilterChainProxy.SECURITY_ENABLED_ATTRIBUTE,Boolean.TRUE);
                 super.doFilter(req, res, chain);
        }
        };
        isAllowSessionCreation=pConfig.isAllowSessionCreation();
        repo.setAllowSessionCreation(pConfig.isAllowSessionCreation());
        filter.setForceEagerSessionCreation(false);

        try {
            filter.afterPropertiesSet();
        } catch (ServletException e) {

        return logoutFilter;
    }

    @Bean
    public Filter securityContextPersistenceFilter() {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
        repo.setSpringSecurityContextKey(keyWithNamespace(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY));
        return new SecurityContextPersistenceFilter(repo);
    }