SEC-2156: Only configures COOKIE instead of SSL

Configuring SSL is only allowed for SSL enabled applications and should be configured on its own (not in conjuction with other modes).
2013-07-20 10:29:54 -05:00 · 2013-07-20 10:29:54 -05:00 · 04b7d5ca08
parent cf0fdc2d66
commit 04b7d5ca08
2 changed files with 7 additions and 12 deletions
--- a/web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java
+++ b/web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java
@ -212,19 +212,15 @@ public abstract class AbstractSecurityWebApplicationInitializer implements WebAp
    }

    /**
-     * Determines how a session should be tracked. By default, the following
-     * modes are used:
-     *
-     * <ul>
-     * <li> {@link SessionTrackingMode#COOKIE}</li>
-     * <li> {@link SessionTrackingMode#SSL}</li>
-     * </ul>
+     * Determines how a session should be tracked. By default,
+     * {@link SessionTrackingMode#COOKIE} is used.
     *
     * <p>
     * Note that {@link SessionTrackingMode#URL} is intentionally omitted to
     * help protected against <a
     * href="http://en.wikipedia.org/wiki/Session_fixation">session fixation
-     * attacks</a>.
+     * attacks</a>. {@link SessionTrackingMode#SSL} is omitted because SSL
+     * configuration is required for this to work.
     * </p>
     *
     * <p>
@ -236,7 +232,6 @@ public abstract class AbstractSecurityWebApplicationInitializer implements WebAp
    protected Set<SessionTrackingMode> getSessionTrackingModes() {
        Set<SessionTrackingMode> modes = new HashSet<SessionTrackingMode>();
        modes.add(SessionTrackingMode.COOKIE);
-        modes.add(SessionTrackingMode.SSL);
        return modes;
    }

--- a/web/src/test/groovy/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializerTests.groovy
+++ b/web/src/test/groovy/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializerTests.groovy
@ -248,7 +248,7 @@ class AbstractSecurityWebApplicationInitializerTests extends Specification {
            new AbstractSecurityWebApplicationInitializer(){ }.onStartup(context)
        then:
            1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-            1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 2 && modes.containsAll([SessionTrackingMode.COOKIE, SessionTrackingMode.SSL]) })
+            1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE]) })
    }

    def "sessionTrackingModes override"() {
@ -259,12 +259,12 @@ class AbstractSecurityWebApplicationInitializerTests extends Specification {
            new AbstractSecurityWebApplicationInitializer(){
                @Override
                public Set<SessionTrackingMode> getSessionTrackingModes() {
-                    return [SessionTrackingMode.COOKIE]
+                    return [SessionTrackingMode.SSL]
                }
            }.onStartup(context)
        then:
            1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-            1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE]) })
+            1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.SSL]) })
    }

    def "appendFilters filters with null"() {