Spring Security / SEC-1391

Migration awareness for SessionListeners

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: 3.1.0.M1
    • Component/s: Web
    • Labels: None

      Description

      SessionListeners that act on the destruction of HttpSessions sometimes need to behave differently if the session is being destroyed because its attributes are being migrated to a new session by the SessionFixationProtectionFilter. There needs to be some method that they can call to find out if that is the case. It would also be nice to have a convenience MigrationAwareSessionListener abstract class that calls a different method on migration than on true session end.

        Activity

        Luke Taylor added a comment -

        Session listeners are part of the servlet API and are invoked by the container, so I'm not really clear what you mean. As far as I can see, the only way (apart from checking the call stack) that you could determine that a session was being destroyed in order to migrate its attributes is to place some marker object in the session itself.

        In Spring Security 3, you can customize the SessionAuthenticationStrategy in order to alter the behaviour when the session is migrated. At that point you could put an object in the session and check for it in your HttpSessionListener. I don't think there's a need for even more infrastructure classes as the interfaces involved are very simple.
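
The marker-object approach described in the comment above, as an added example that is not Spring Security's or the commenter's code. The class names and the attribute name are hypothetical; it assumes Spring Security 3.0's `SessionFixationProtectionStrategy` as the delegate and a Servlet 2.4+ container, where `sessionDestroyed` runs while the session's attributes are still readable.

```java
import javax.servlet.http.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

// Added example: MigrationMarkerExample, MarkingStrategy, MigrationAwareListener
// and the MIGRATING attribute name are hypothetical, not part of Spring Security.
public final class MigrationMarkerExample {
    static final String MIGRATING = MigrationMarkerExample.class.getName() + ".MIGRATING";

    /** Flags the pre-login session, then lets the stock strategy replace it. */
    public static class MarkingStrategy implements SessionAuthenticationStrategy {
        private final SessionAuthenticationStrategy delegate = new SessionFixationProtectionStrategy();

        public void onAuthentication(Authentication auth, HttpServletRequest request,
                                     HttpServletResponse response) {
            HttpSession old = request.getSession(false);
            if (old != null) old.setAttribute(MIGRATING, Boolean.TRUE);
            try {
                delegate.onAuthentication(auth, request, response);
            } finally {
                // The delegate may copy the marker into the new session. Clear it
                // there, or the later real logout would be mistaken for a migration.
                HttpSession current = request.getSession(false);
                if (current != null) current.removeAttribute(MIGRATING);
            }
        }
    }

    /** Registered with the container like any other HttpSessionListener. */
    public static class MigrationAwareListener implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent event) { }

        public void sessionDestroyed(HttpSessionEvent event) {
            // Assumption: Servlet 2.4+, so attributes can still be read at this point.
            if (event.getSession().getAttribute(MIGRATING) != null) {
                return; // attributes are moving to a new session; the user is still logged in
            }
            onTrueSessionEnd(event.getSession());
        }

        protected void onTrueSessionEnd(HttpSession session) {
            // Hypothetical hook: release per-user resources, write the audit record.
        }
    }
}
```

The marker is removed in a `finally` block so that a failed authentication step cannot leave a session permanently flagged as "migrating", which would suppress cleanup when that session later ends.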


          People

          • Assignee: Luke Taylor
          • Reporter: Nathan Summers
          • Votes: 0
          • Watchers: 0

            Dates

            • Created:
              Updated:
              Resolved: