AuthenticationStrategyUsingSession

Checks that an already-present InteractionContext (obtained from the HttpSession) is still valid, as determined by org.apache.causeway.core.security.authentication.manager.AuthenticationManager#isSessionValid(InteractionContext), and re-binds the InteractionContext onto the HttpSession.

Note that this implementation is not particularly "restful": REST APIs are normally expected to be stateless, whereas this implementation requires a session in order to obtain the InteractionContext. Typically it would be combined with Shiro, whose default behaviour (not suppressed by this filter) is indeed to store the InteractionContext on the session.

The session is looked up from the HttpSession using the value AuthenticationStrategyUsingSession#HTTP_SESSION_AUTHENTICATION_SESSION_KEY.
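The lookup, validity check and re-bind described above, as an added sketch that is not Causeway's own source. It assumes stand-ins: a `Map` for the HttpSession attributes, a `Ctx` record for InteractionContext, a `Predicate` for AuthenticationManager#isSessionValid(InteractionContext), and a constructed key value. Returning `null` for a missing or invalid context and clearing the attribute on a `null` bind are also assumptions of this sketch.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Predicate;

// Added sketch, not Causeway source: all types below are stand-ins (see lead-in).
public class SessionStrategySketch {

    record Ctx(String user, long expiresAtMillis) {}            // hypothetical stand-in

    static final String KEY = "sketch.authentication.session";  // constructed value, not the real constant

    private final Predicate<Ctx> isSessionValid;

    SessionStrategySketch(Predicate<Ctx> isSessionValid) {
        this.isSessionValid = isSessionValid;
    }

    /** Returns the stored context only if it is present AND still valid; otherwise null. */
    Ctx lookupValid(Map<String, Object> session) {
        Object stored = session.get(KEY);
        if (stored instanceof Ctx ctx && isSessionValid.test(ctx)) {
            return ctx;
        }
        return null; // assumption: the caller treats null as "not authenticated"
    }

    /** Re-binds a valid context; a null context clears the attribute so stale state cannot linger. */
    void bind(Map<String, Object> session, Ctx ctx) {
        if (ctx != null) {
            session.put(KEY, ctx);
        } else {
            session.remove(KEY);
        }
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        var strategy = new SessionStrategySketch(c -> c.expiresAtMillis() > now);

        Map<String, Object> session = new HashMap<>();
        session.put(KEY, new Ctx("sven", now - 1_000));         // constructed: already expired

        Ctx found = strategy.lookupValid(session);              // validity is re-checked on every request
        strategy.bind(session, found);
        System.out.println(found + " / attribute present: " + session.containsKey(KEY));

        strategy.bind(session, new Ctx("sven", now + 60_000));  // a fresh context is re-bound
        System.out.println(strategy.lookupValid(session) != null);
    }
}
```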

API

AuthenticationStrategyUsingSession.java
class AuthenticationStrategyUsingSession {
  public static final String HTTP_SESSION_AUTHENTICATION_SESSION_KEY;
  InteractionContext lookupValid(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
  void bind(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, InteractionContext authentication)
}