
ForceEagerSessionCreationFilter

Closes gh-11109
Rob Winch
2022-04-15 13:55:54 -05:00
parent 7fea639a43
commit aaf78330b1
14 changed files with 181 additions and 31 deletions
@@ -165,6 +165,7 @@ However, there are times that it is beneficial to know the ordering
Below is a comprehensive list of Spring Security Filter ordering:
* xref:servlet/authentication/session-management.adoc#session-mgmt-force-session-creation[`ForceEagerSessionCreationFilter`]
* ChannelProcessingFilter
* WebAsyncManagerIntegrationFilter
* SecurityContextPersistenceFilter
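Review bot: The new first entry is the only item in this ordering list rendered as an xref with backticks (`xref:servlet/authentication/session-management.adoc#session-mgmt-force-session-creation[`ForceEagerSessionCreationFilter`]`), while the neighbouring entries (`ChannelProcessingFilter`, `WebAsyncManagerIntegrationFilter`, `SecurityContextPersistenceFilter`) are plain text; either link the sibling filters to their sections as well or keep the new entry plain for a consistent list. Placing it first also makes a claim about ordering that should match the namespace appendix table touched elsewhere in this commit.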
@@ -3,6 +3,35 @@
HTTP session related functionality is handled by a combination of the `SessionManagementFilter` and the `SessionAuthenticationStrategy` interface, which the filter delegates to.
Typical usage includes session-fixation protection attack prevention, detection of session timeouts and restrictions on how many sessions an authenticated user may have open concurrently.
[[session-mgmt-force-session-creation]]
== Force Eager Session Creation
At times it can be valuable to eagerly create sessions.
This can be done by using the {security-api-url}org/springframework/security/web/session/ForceEagerSessionCreationFilter.html[`ForceEagerSessionCreationFilter`] which can be configured using:
====
.Java
[source,java,role="primary"]
----
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http
.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
);
return http.build();
}
----
.XML
[source,xml,role="secondary"]
----
<http create-session="ALWAYS">
</http>
----
====
== Detecting Timeouts
You can configure Spring Security to detect the submission of an invalid session ID and redirect the user to an appropriate URL.
This is achieved through the `session-management` element:
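Review bot: The Java sample will not compile as written, because `http.build()` declares a checked exception and the method signature `public SecurityFilterChain filterChain(HttpSecurity http)` does not; add `throws Exception` to match the other `SecurityFilterChain` samples in the reference docs. The introductory sentence "At times it can be valuable to eagerly create sessions." would also benefit from one line saying what eager creation means here (the filter creates the `HttpSession` before the rest of the chain runs, instead of waiting for something to need it) so readers can judge when `SessionCreationPolicy.ALWAYS` is worth the per-request session cost.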
@@ -257,6 +257,10 @@ The filters are listed in the order in which they occur in the filter chain.
| `DisableEncodeUrlFilter`
| `http@disable-url-rewriting`
| FORCE_EAGER_SESSION_FILTER
| `ForceEagerSessionCreationFilter`
| `http@create-session="ALWAYS"`
| CHANNEL_FILTER
| `ChannelProcessingFilter`
| `http/intercept-url@requires-channel`
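Review bot: This table places `DisableEncodeUrlFilter` ahead of `FORCE_EAGER_SESSION_FILTER`, but the ordering list edited in the first hunk of this commit starts with `ForceEagerSessionCreationFilter` and does not show `DisableEncodeUrlFilter` at all; check that both documents list the same filters in the same order so the "comprehensive list" and the namespace appendix do not disagree. The `http@create-session="ALWAYS"` cell is consistent with the XML sample in the session-management section, which is good.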