Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-1229: Redesign Concurrent Session Control implementation. Added ConcurrentSessionControlAuthenticatedSessionStrategy

This commit is contained in:
Luke Taylor 2009-08-27 10:43:01 +00:00
parent ab0d66071a
commit 471206a29d
13 changed files with 377 additions and 198 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
View File

@ -63,6 +63,7 @@ import org.springframework.security.web.context.HttpSessionSecurityContextReposi
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.session.ConcurrentSessionControlAuthenticatedSessionStrategy;
import org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.util.AntUrlPathMatcher;
@ -180,8 +181,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
BeanDefinition cpf = null;
BeanReference sessionRegistryRef = null;
BeanReference concurrentSessionControllerRef = null;
BeanDefinition concurrentSessionFilter = createConcurrentSessionFilterAndRelatedBeansIfRequired(element, pc);
// BeanReference concurrentSessionControllerRef = null;
BeanDefinition concurrentSessionFilter = createConcurrentSessionFilter(element, pc);
BeanDefinition scpf = createSecurityContextPersistenceFilter(element, pc);
BeanReference contextRepoRef = (BeanReference) scpf.getPropertyValues().getPropertyValue("securityContextRepository").getValue();
@ -189,13 +190,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
if (concurrentSessionFilter != null) {
sessionRegistryRef = (BeanReference)
concurrentSessionFilter.getPropertyValues().getPropertyValue("sessionRegistry").getValue();
logger.info("Concurrent session filter in use, setting 'forceEagerSessionCreation' to true");
scpf.getPropertyValues().addPropertyValue("forceEagerSessionCreation", Boolean.TRUE);
concurrentSessionControllerRef = createConcurrentSessionController(element, concurrentSessionFilter, sessionRegistryRef, pc);
// logger.info("Concurrent session filter in use, setting 'forceEagerSessionCreation' to true");
// scpf.getPropertyValues().addPropertyValue("forceEagerSessionCreation", Boolean.TRUE);
// concurrentSessionControllerRef = createConcurrentSessionController(element, concurrentSessionFilter, sessionRegistryRef, pc);
}
ManagedList<BeanReference> authenticationProviders = new ManagedList<BeanReference>();
BeanReference authenticationManager = createAuthenticationManager(element, pc, authenticationProviders, concurrentSessionControllerRef);
BeanReference authenticationManager = createAuthenticationManager(element, pc, authenticationProviders, null);
BeanDefinition servApiFilter = createServletApiFilter(element, pc);
// Register the portMapper. A default will always be created, even if no element exists.
@ -715,7 +716,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
return null;
}
private BeanDefinition createConcurrentSessionFilterAndRelatedBeansIfRequired(Element element, ParserContext parserContext) {
private BeanDefinition createConcurrentSessionFilter(Element element, ParserContext parserContext) {
Element sessionControlElt = DomUtils.getChildElementByTagName(element, Elements.CONCURRENT_SESSIONS);
if (sessionControlElt == null) {
return null;
@ -729,16 +730,16 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
Element sessionCtrlElement = DomUtils.getChildElementByTagName(elt, Elements.CONCURRENT_SESSIONS);
// Check for a custom controller
String sessionControllerRef = sessionCtrlElement.getAttribute(ATT_SESSION_CONTROLLER_REF);
if (StringUtils.hasText(sessionControllerRef)) {
if (!StringUtils.hasText(sessionCtrlElement.getAttribute(ConcurrentSessionsBeanDefinitionParser.ATT_SESSION_REGISTRY_REF))) {
pc.getReaderContext().error("Use of " + ATT_SESSION_CONTROLLER_REF + " requires that " +
ConcurrentSessionsBeanDefinitionParser.ATT_SESSION_REGISTRY_REF + " is also set.",
pc.extractSource(sessionCtrlElement));
}
return new RuntimeBeanReference(sessionControllerRef);
}
// String sessionControllerRef = sessionCtrlElement.getAttribute(ATT_SESSION_CONTROLLER_REF);
//
// if (StringUtils.hasText(sessionControllerRef)) {
// if (!StringUtils.hasText(sessionCtrlElement.getAttribute(ConcurrentSessionsBeanDefinitionParser.ATT_SESSION_REGISTRY_REF))) {
// pc.getReaderContext().error("Use of " + ATT_SESSION_CONTROLLER_REF + " requires that " +
// ConcurrentSessionsBeanDefinitionParser.ATT_SESSION_REGISTRY_REF + " is also set.",
// pc.extractSource(sessionCtrlElement));
// }
// return new RuntimeBeanReference(sessionControllerRef);
// }
BeanDefinitionBuilder controllerBuilder = BeanDefinitionBuilder.rootBeanDefinition(ConcurrentSessionControllerImpl.class);
controllerBuilder.getRawBeanDefinition().setSource(filter.getSource());
@ -918,6 +919,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
private RootBeanDefinition createSessionManagementFilter(Element elt, ParserContext pc,
BeanReference sessionRegistryRef, BeanReference contextRepoRef) {
Element sessionCtrlElement = DomUtils.getChildElementByTagName(elt, Elements.CONCURRENT_SESSIONS);
String sessionFixationAttribute = elt.getAttribute(ATT_SESSION_FIXATION_PROTECTION);
String invalidSessionUrl = elt.getAttribute(ATT_INVALID_SESSION_URL);
@ -927,35 +929,48 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
boolean sessionFixationProtectionRequired = !sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION);
if (sessionFixationProtectionRequired || StringUtils.hasText(invalidSessionUrl)) {
BeanDefinitionBuilder sessionFixationFilter =
BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
sessionFixationFilter.addConstructorArgValue(contextRepoRef);
BeanDefinitionBuilder sessionStrategy;
if (sessionFixationProtectionRequired) {
BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);
if (sessionCtrlElement != null) {
assert sessionRegistryRef != null;
sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(ConcurrentSessionControlAuthenticatedSessionStrategy.class);
sessionStrategy.addConstructorArgValue(sessionRegistryRef);
sessionStrategy.addPropertyValue("migrateSessionAttributes",
Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
if (sessionRegistryRef != null) {
sessionStrategy.addPropertyValue("sessionRegistry", sessionRegistryRef);
}
BeanDefinition strategyBean = sessionStrategy.getBeanDefinition();
String id = pc.getReaderContext().registerWithGeneratedName(strategyBean);
pc.registerBeanComponent(new BeanComponentDefinition(strategyBean, id));
sessionFixationFilter.addPropertyReference("authenticatedSessionStrategy", id);
String maxSessions = sessionCtrlElement.getAttribute("max-sessions");
if (StringUtils.hasText(maxSessions)) {
sessionStrategy.addPropertyValue("maximumSessions", maxSessions);
}
if (StringUtils.hasText(invalidSessionUrl)) {
sessionFixationFilter.addPropertyValue("invalidSessionUrl", invalidSessionUrl);
}
String exceptionIfMaximumExceeded = sessionCtrlElement.getAttribute("exception-if-maximum-exceeded");
return (RootBeanDefinition) sessionFixationFilter.getBeanDefinition();
if (StringUtils.hasText(exceptionIfMaximumExceeded)) {
sessionStrategy.addPropertyValue("exceptionIfMaximumExceeded", exceptionIfMaximumExceeded);
}
} else if (sessionFixationProtectionRequired || StringUtils.hasText(invalidSessionUrl)) {
sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);
} else {
return null;
}
return null;
BeanDefinitionBuilder sessionMgmtFilter = BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
sessionMgmtFilter.addConstructorArgValue(contextRepoRef);
BeanDefinition strategyBean = sessionStrategy.getBeanDefinition();
String id = pc.getReaderContext().registerWithGeneratedName(strategyBean);
pc.registerBeanComponent(new BeanComponentDefinition(strategyBean, id));
sessionMgmtFilter.addPropertyReference("authenticatedSessionStrategy", id);
if (sessionFixationProtectionRequired) {
sessionStrategy.addPropertyValue("migrateSessionAttributes",
Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
}
if (StringUtils.hasText(invalidSessionUrl)) {
sessionMgmtFilter.addPropertyValue("invalidSessionUrl", invalidSessionUrl);
}
return (RootBeanDefinition) sessionMgmtFilter.getBeanDefinition();
}
private FilterAndEntryPoint createFormLoginFilter(Element element, ParserContext pc, boolean autoConfig,

86
config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
View File

@ -22,14 +22,12 @@ import org.springframework.context.support.AbstractXmlApplicationContext;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.concurrent.ConcurrentLoginException;
import org.springframework.security.authentication.concurrent.ConcurrentSessionController;
import org.springframework.security.authentication.concurrent.ConcurrentSessionControllerImpl;
import org.springframework.security.authentication.concurrent.SessionRegistryImpl;
import org.springframework.security.config.BeanIds;
@ -59,7 +57,6 @@ import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.concurrent.ConcurrentSessionFilter;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
@ -74,6 +71,7 @@ import org.springframework.security.web.authentication.www.BasicProcessingFilter
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.session.AuthenticatedSessionStrategy;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
import org.springframework.util.ReflectionUtils;
@ -655,13 +653,15 @@ public class HttpSecurityBeanDefinitionParserTests {
public void concurrentSessionSupportAddsFilterAndExpectedBeans() throws Exception {
setContext(
"<http auto-config='true'>" +
" <concurrent-session-control session-registry-alias='seshRegistry' expired-url='/expired'/>" +
" <concurrent-session-control session-registry-alias='sr' expired-url='/expired'/>" +
"</http>" + AUTH_PROVIDER_XML);
List<Filter> filters = getFilters("/someurl");
assertTrue(filters.get(0) instanceof ConcurrentSessionFilter);
assertNotNull(appContext.getBean("seshRegistry"));
assertNotNull(getConcurrentSessionController());
assertNotNull(appContext.getBean("sr"));
SessionManagementFilter smf = (SessionManagementFilter) getFilter(SessionManagementFilter.class);
assertNotNull(smf);
checkSessionRegistry();
}
@Test
@ -675,18 +675,18 @@ public class HttpSecurityBeanDefinitionParserTests {
checkSessionRegistry();
}
@Test(expected=BeanDefinitionParsingException.class)
public void useOfExternalConcurrentSessionControllerRequiresSessionRegistryToBeSet() throws Exception {
setContext(
"<http auto-config='true'>" +
" <concurrent-session-control session-controller-ref='sc' expired-url='/expired'/>" +
"</http>" +
"<b:bean id='sc' class='" + ConcurrentSessionControllerImpl.class.getName() +"'>" +
" <b:property name='sessionRegistry'>" +
" <b:bean class='"+ SessionRegistryImpl.class.getName() + "'/>" +
" </b:property>" +
"</b:bean>" + AUTH_PROVIDER_XML);
}
// @Test(expected=BeanDefinitionParsingException.class)
// public void useOfExternalConcurrentSessionControllerRequiresSessionRegistryToBeSet() throws Exception {
// setContext(
// "<http auto-config='true'>" +
// " <concurrent-session-control session-controller-ref='sc' expired-url='/expired'/>" +
// "</http>" +
// "<b:bean id='sc' class='" + ConcurrentSessionControllerImpl.class.getName() +"'>" +
// " <b:property name='sessionRegistry'>" +
// " <b:bean class='"+ SessionRegistryImpl.class.getName() + "'/>" +
// " </b:property>" +
// "</b:bean>" + AUTH_PROVIDER_XML);
// }
@Test
public void useOfExternalSessionControllerAndRegistryIsWiredCorrectly() throws Exception {
@ -705,16 +705,16 @@ public class HttpSecurityBeanDefinitionParserTests {
private void checkSessionRegistry() throws Exception {
Object sessionRegistry = appContext.getBean("sr");
Object sessionRegistryFromConcurrencyFilter = FieldUtils.getFieldValue(
getFilter(ConcurrentSessionFilter.class),"sessionRegistry");
getFilter(ConcurrentSessionFilter.class), "sessionRegistry");
Object sessionRegistryFromFormLoginFilter = FieldUtils.getFieldValue(
getFilter(UsernamePasswordAuthenticationProcessingFilter.class),"sessionStrategy.sessionRegistry");
Object sessionRegistryFromController = FieldUtils.getFieldValue(getConcurrentSessionController(),"sessionRegistry");
Object sessionRegistryFromFixationFilter = FieldUtils.getFieldValue(
// Object sessionRegistryFromController = FieldUtils.getFieldValue(getConcurrentSessionController(),"sessionRegistry");
Object sessionRegistryFromMgmtFilter = FieldUtils.getFieldValue(
getFilter(SessionManagementFilter.class),"sessionStrategy.sessionRegistry");
assertSame(sessionRegistry, sessionRegistryFromConcurrencyFilter);
assertSame(sessionRegistry, sessionRegistryFromController);
assertSame(sessionRegistry, sessionRegistryFromFixationFilter);
// assertSame(sessionRegistry, sessionRegistryFromController);
assertSame(sessionRegistry, sessionRegistryFromMgmtFilter);
// SEC-1143
assertSame(sessionRegistry, sessionRegistryFromFormLoginFilter);
}
@ -755,29 +755,25 @@ public class HttpSecurityBeanDefinitionParserTests {
"<http auto-config='true'>" +
" <concurrent-session-control max-sessions='2' exception-if-maximum-exceeded='true' />" +
"</http>" + AUTH_PROVIDER_XML);
ConcurrentSessionControllerImpl seshController = (ConcurrentSessionControllerImpl) getConcurrentSessionController();
AuthenticatedSessionStrategy seshStrategy = (AuthenticatedSessionStrategy) FieldUtils.getFieldValue(
getFilter(SessionManagementFilter.class), "sessionStrategy");
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("bob", "pass");
// Register 2 sessions and then check a third
MockHttpServletRequest req = new MockHttpServletRequest();
req.setSession(new MockHttpSession());
auth.setDetails(new WebAuthenticationDetails(req));
// req.setSession(new MockHttpSession());
// auth.setDetails(new WebAuthenticationDetails(req));
try {
seshController.checkAuthenticationAllowed(auth);
seshStrategy.onAuthentication(auth, new MockHttpServletRequest(), new MockHttpServletResponse());
} catch (ConcurrentLoginException e) {
fail("First login should be allowed");
}
seshController.registerSuccessfulAuthentication(auth);
req.setSession(new MockHttpSession());
try {
seshController.checkAuthenticationAllowed(auth);
seshStrategy.onAuthentication(auth, new MockHttpServletRequest(), new MockHttpServletResponse());
} catch (ConcurrentLoginException e) {
fail("Second login should be allowed");
}
auth.setDetails(new WebAuthenticationDetails(req));
seshController.registerSuccessfulAuthentication(auth);
req.setSession(new MockHttpSession());
auth.setDetails(new WebAuthenticationDetails(req));
seshController.checkAuthenticationAllowed(auth);
seshStrategy.onAuthentication(auth, new MockHttpServletRequest(), new MockHttpServletResponse());
}
@Test
@ -1096,14 +1092,14 @@ public class HttpSecurityBeanDefinitionParserTests {
return ((RememberMeProcessingFilter)getFilter(RememberMeProcessingFilter.class)).getRememberMeServices();
}
@SuppressWarnings("unchecked")
private ConcurrentSessionController getConcurrentSessionController() {
Map beans = appContext.getBeansOfType(ConcurrentSessionController.class);
if (beans.size() == 0) {
return null;
}
return (ConcurrentSessionController) new ArrayList(beans.values()).get(0);
}
// @SuppressWarnings("unchecked")
// private ConcurrentSessionController getConcurrentSessionController() {
// Map beans = appContext.getBeansOfType(ConcurrentSessionController.class);
//
// if (beans.size() == 0) {
// return null;
// }
// return (ConcurrentSessionController) new ArrayList(beans.values()).get(0);
// }
}

74
core/src/main/java/org/springframework/security/authentication/concurrent/ConcurrentSessionControllerImpl.java
View File

@ -54,37 +54,6 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
Assert.notNull(this.messages, "A message source must be set");
}
/**
* Allows subclasses to customise behaviour when too many sessions are detected.
*
* @param sessionId the session ID of the present request
* @param sessions either <code>null</code> or all unexpired sessions associated with the principal
* @param allowableSessions the number of concurrent sessions the user is allowed to have
* @param registry an instance of the <code>SessionRegistry</code> for subclass use
*
* @throws ConcurrentLoginException if the
*/
protected void allowableSessionsExceeded(String sessionId, List<SessionInformation> sessions, int allowableSessions,
SessionRegistry registry) {
if (exceptionIfMaximumExceeded || (sessions == null)) {
throw new ConcurrentLoginException(messages.getMessage("ConcurrentSessionControllerImpl.exceededAllowed",
new Object[] {new Integer(allowableSessions)},
"Maximum sessions of {0} for this principal exceeded"));
}
// Determine least recently used session, and mark it for invalidation
SessionInformation leastRecentlyUsed = null;
for (int i = 0; i < sessions.size(); i++) {
if ((leastRecentlyUsed == null)
|| sessions.get(i).getLastRequest().before(leastRecentlyUsed.getLastRequest())) {
leastRecentlyUsed = sessions.get(i);
}
}
leastRecentlyUsed.expireNow();
}
public void checkAuthenticationAllowed(Authentication request) throws AuthenticationException {
Assert.notNull(request, "Authentication request cannot be null (violation of interface contract)");
@ -120,6 +89,43 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
allowableSessionsExceeded(sessionId, sessions, allowableSessions, sessionRegistry);
}
/**
* Allows subclasses to customise behaviour when too many sessions are detected.
*
* @param sessionId the session ID of the present request
* @param sessions either <code>null</code> or all unexpired sessions associated with the principal
* @param allowableSessions the number of concurrent sessions the user is allowed to have
* @param registry an instance of the <code>SessionRegistry</code> for subclass use
*
* @throws ConcurrentLoginException if the
*/
protected void allowableSessionsExceeded(String sessionId, List<SessionInformation> sessions, int allowableSessions,
SessionRegistry registry) {
if (exceptionIfMaximumExceeded || (sessions == null)) {
throw new ConcurrentLoginException(messages.getMessage("ConcurrentSessionControllerImpl.exceededAllowed",
new Object[] {new Integer(allowableSessions)},
"Maximum sessions of {0} for this principal exceeded"));
}
// Determine least recently used session, and mark it for invalidation
SessionInformation leastRecentlyUsed = null;
for (int i = 0; i < sessions.size(); i++) {
if ((leastRecentlyUsed == null)
|| sessions.get(i).getLastRequest().before(leastRecentlyUsed.getLastRequest())) {
leastRecentlyUsed = sessions.get(i);
}
}
leastRecentlyUsed.expireNow();
}
public void registerSuccessfulAuthentication(Authentication authentication) {
Assert.notNull(authentication, "Authentication cannot be null (violation of interface contract)");
sessionRegistry.registerNewSession(obtainSessionId(authentication), authentication.getPrincipal());
}
/**
* Method intended for use by subclasses to override the maximum number of sessions that are permitted for
* a particular authentication. The default implementation simply returns the <code>maximumSessions</code> value
@ -133,12 +139,6 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
return maximumSessions;
}
public void registerSuccessfulAuthentication(Authentication authentication) {
Assert.notNull(authentication, "Authentication cannot be null (violation of interface contract)");
sessionRegistry.registerNewSession(obtainSessionId(authentication), authentication.getPrincipal());
}
public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded) {
this.exceptionIfMaximumExceeded = exceptionIfMaximumExceeded;
}

2
core/src/main/java/org/springframework/security/authentication/concurrent/SessionRegistry.java
View File

@ -41,7 +41,7 @@ public interface SessionRegistry {
* @param includeExpiredSessions if <code>true</code>, the returned sessions will also include those that have
* expired for the principal
*
* @return the matching sessions for this principal, or <code>null</code> if none were found
* @return the matching sessions for this principal (should not return null).
*/
List<SessionInformation> getAllSessions(Object principal, boolean includeExpiredSessions);

9
web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java
View File

@ -202,6 +202,7 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt
// return immediately as subclass has indicated that it hasn't completed authentication
return;
}
sessionStrategy.onAuthentication(authResult, request, response);
}
catch (AuthenticationException failed) {
// Authentication failed
@ -291,8 +292,6 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt
SecurityContextHolder.getContext().setAuthentication(authResult);
sessionStrategy.onAuthenticationSuccess(authResult, request, response);
rememberMeServices.loginSuccess(request, response, authResult);
// Fire event
@ -394,9 +393,9 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt
}
/**
* The session handling strategy which will be invoked when an authentication request is
* successfully processed. Used, for example, to handle changing of the session identifier to prevent session
* fixation attacks.
* The session handling strategy which will be invoked immediately after an authentication request is
* successfully processed by the <tt>AuthenticationManager</tt>. Used, for example, to handle changing of the
* session identifier to prevent session fixation attacks.
*
* @param sessionStrategy the implementation to use. If not set a null implementation is
* used.

10
web/src/main/java/org/springframework/security/web/authentication/concurrent/ConcurrentSessionFilter.java
View File

@ -29,6 +29,8 @@ import org.springframework.security.authentication.concurrent.SessionInformation
import org.springframework.security.authentication.concurrent.SessionRegistry;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.util.UrlUtils;
@ -59,6 +61,7 @@ public class ConcurrentSessionFilter extends GenericFilterBean {
private SessionRegistry sessionRegistry;
private String expiredUrl;
private LogoutHandler[] handlers = new LogoutHandler[] {new SecurityContextLogoutHandler()};
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
//~ Methods ========================================================================================================
@ -87,8 +90,7 @@ public class ConcurrentSessionFilter extends GenericFilterBean {
String targetUrl = determineExpiredUrl(request, info);
if (targetUrl != null) {
targetUrl = request.getContextPath() + targetUrl;
response.sendRedirect(response.encodeRedirectURL(targetUrl));
redirectStrategy.sendRedirect(request, response, targetUrl);
} else {
response.getWriter().print("This session has been expired (possibly due to multiple concurrent " +
"logins being attempted as the same user).");
@ -130,4 +132,8 @@ public class ConcurrentSessionFilter extends GenericFilterBean {
Assert.notNull(handlers);
this.handlers = handlers;
}
public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
this.redirectStrategy = redirectStrategy;
}
}

12
web/src/main/java/org/springframework/security/web/session/AuthenticatedSessionStrategy.java
View File

@ -4,22 +4,26 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
/**
* Allows pluggable support for Http session-related behaviour when an authentication occurs.
* <p>
* Typical use would be to make sure a session exists or to change the session Id to guard against session-fixation
* Typical use would be to make sure a session exists or to change the session Id to guard against session-fixation
* attacks.
*
*
* @author Luke Taylor
* @version $Id$
* @since
*/
public interface AuthenticatedSessionStrategy {
/**
* Performs Http session-related functionality when a new authentication occurs.
*
* @throws AuthenticationException if it is decided that the authentication is not allowed for the session.
*/
void onAuthenticationSuccess(Authentication authentication, HttpServletRequest request, HttpServletResponse response);
void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException;
}

159
web/src/main/java/org/springframework/security/web/session/ConcurrentSessionControlAuthenticatedSessionStrategy.java Normal file
View File

@ -0,0 +1,159 @@
package org.springframework.security.web.session;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.security.authentication.concurrent.ConcurrentLoginException;
import org.springframework.security.authentication.concurrent.SessionInformation;
import org.springframework.security.authentication.concurrent.SessionRegistry;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.util.Assert;
/**
*
* @author Luke Taylor
* @version $Id$
* @since 3.0
*/
public class ConcurrentSessionControlAuthenticatedSessionStrategy extends DefaultAuthenticatedSessionStrategy
implements MessageSourceAware {
protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
private final SessionRegistry sessionRegistry;
private boolean exceptionIfMaximumExceeded = false;
private int maximumSessions = 1;
/**
* @param sessionRegistry the session registry which should be updated when the authenticated session is changed.
*/
public ConcurrentSessionControlAuthenticatedSessionStrategy(SessionRegistry sessionRegistry) {
Assert.notNull(sessionRegistry, "The sessionRegistry cannot be null");
super.setAlwaysCreateSession(true);
this.sessionRegistry = sessionRegistry;
}
@Override
public void onAuthentication(Authentication authentication, HttpServletRequest request,
HttpServletResponse response) {
checkAuthenticationAllowed(authentication, request);
// Allow the parent to create a new session if necessary
super.onAuthentication(authentication, request, response);
sessionRegistry.registerNewSession(request.getSession().getId(), authentication.getPrincipal());
}
private void checkAuthenticationAllowed(Authentication authentication, HttpServletRequest request)
throws AuthenticationException {
final List<SessionInformation> sessions = sessionRegistry.getAllSessions(authentication.getPrincipal(), false);
int sessionCount = sessions == null ? 0 : sessions.size();
int allowedSessions = getMaximumSessionsForThisUser(authentication);
if (sessionCount < allowedSessions) {
// They haven't got too many login sessions running at present
return;
}
if (allowedSessions == -1) {
// We permit unlimited logins
return;
}
if (sessionCount == allowedSessions) {
HttpSession session = request.getSession(false);
if (session != null) {
// Only permit it though if this request is associated with one of the already registered sessions
for (SessionInformation si : sessions) {
if (si.getSessionId().equals(session.getId())) {
return;
}
}
}
// If the session is null, a new one will be created by the parent class, exceeding the allowed number
}
allowableSessionsExceeded(sessions, allowedSessions, sessionRegistry);
}
/**
* Method intended for use by subclasses to override the maximum number of sessions that are permitted for
* a particular authentication. The default implementation simply returns the <code>maximumSessions</code> value
* for the bean.
*
* @param authentication to determine the maximum sessions for
*
* @return either -1 meaning unlimited, or a positive integer to limit (never zero)
*/
protected int getMaximumSessionsForThisUser(Authentication authentication) {
return maximumSessions;
}
/**
* Allows subclasses to customise behaviour when too many sessions are detected.
*
* @param sessionId the session ID of the present request
* @param sessions either <code>null</code> or all unexpired sessions associated with the principal
* @param allowableSessions the number of concurrent sessions the user is allowed to have
* @param registry an instance of the <code>SessionRegistry</code> for subclass use
*
* @throws ConcurrentLoginException if the
*/
protected void allowableSessionsExceeded(List<SessionInformation> sessions, int allowableSessions,
SessionRegistry registry) {
if (exceptionIfMaximumExceeded || (sessions == null)) {
throw new ConcurrentLoginException(messages.getMessage("ConcurrentSessionControllerImpl.exceededAllowed",
new Object[] {new Integer(allowableSessions)},
"Maximum sessions of {0} for this principal exceeded"));
}
// Determine least recently used session, and mark it for invalidation
SessionInformation leastRecentlyUsed = null;
for (int i = 0; i < sessions.size(); i++) {
if ((leastRecentlyUsed == null)
|| sessions.get(i).getLastRequest().before(leastRecentlyUsed.getLastRequest())) {
leastRecentlyUsed = sessions.get(i);
}
}
leastRecentlyUsed.expireNow();
}
@Override
protected void onSessionChange(String originalSessionId, HttpSession newSession, Authentication auth) {
// Update the session registry
sessionRegistry.removeSessionInformation(originalSessionId);
sessionRegistry.registerNewSession(newSession.getId(), auth.getPrincipal());
}
public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded) {
this.exceptionIfMaximumExceeded = exceptionIfMaximumExceeded;
}
public void setMaximumSessions(int maximumSessions) {
Assert.isTrue(maximumSessions != 0,
"MaximumLogins must be either -1 to allow unlimited logins, or a positive integer to specify a maximum");
this.maximumSessions = maximumSessions;
}
public void setMessageSource(MessageSource messageSource) {
this.messages = new MessageSourceAccessor(messageSource);
}
@Override
public final void setAlwaysCreateSession(boolean alwaysCreateSession) {
if (!alwaysCreateSession) {
throw new IllegalArgumentException("Cannot set alwaysCreateSession to false when concurrent session " +
"control is required");
}
}
}

82
web/src/main/java/org/springframework/security/web/session/DefaultAuthenticatedSessionStrategy.java
View File

@ -12,7 +12,6 @@ import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.concurrent.SessionRegistry;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.savedrequest.SavedRequest;
@ -33,11 +32,9 @@ import org.springframework.security.web.savedrequest.SavedRequest;
* @version $Id$
* @since 3.0
*/
public class DefaultAuthenticatedSessionStrategy implements AuthenticatedSessionStrategy{
public class DefaultAuthenticatedSessionStrategy implements AuthenticatedSessionStrategy {
protected final Log logger = LogFactory.getLog(this.getClass());
private SessionRegistry sessionRegistry;
/**
* Indicates that the session attributes of an existing session
* should be migrated to the new session. Defaults to <code>true</code>.
@ -65,52 +62,59 @@ public class DefaultAuthenticatedSessionStrategy implements AuthenticatedSession
* If there is no session, no action is taken unless the <tt>alwaysCreateSession</tt> property is set, in which
* case a session will be created if one doesn't already exist.
*/
public void onAuthenticationSuccess(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
if (request.getSession(false) == null) {
public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
boolean hadSessionAlready = request.getSession(false) != null;
if (!hadSessionAlready && !alwaysCreateSession) {
// Session fixation isn't a problem if there's no session
if (alwaysCreateSession) {
request.getSession();
}
return;
}
// Create new session
// Create new session if necessary
HttpSession session = request.getSession();
String originalSessionId = session.getId();
if (hadSessionAlready) {
// We need to migrate to a new session
String originalSessionId = session.getId();
if (logger.isDebugEnabled()) {
logger.debug("Invalidating session with Id '" + originalSessionId +"' " + (migrateSessionAttributes ?
"and" : "without") + " migrating attributes.");
}
if (logger.isDebugEnabled()) {
logger.debug("Invalidating session with Id '" + originalSessionId +"' " + (migrateSessionAttributes ?
"and" : "without") + " migrating attributes.");
}
HashMap<String, Object> attributesToMigrate = createMigratedAttributeMap(session);
HashMap<String, Object> attributesToMigrate = createMigratedAttributeMap(session);
session.invalidate();
session = request.getSession(true); // we now have a new session
session.invalidate();
session = request.getSession(true); // we now have a new session
if (logger.isDebugEnabled()) {
logger.debug("Started new session: " + session.getId());
}
if (logger.isDebugEnabled()) {
logger.debug("Started new session: " + session.getId());
}
if (originalSessionId.equals(session.getId())) {
logger.warn("Your servlet container did not change the session ID when a new session was created. You will" +
" not be adequately protected against session-fixation attacks");
}
if (originalSessionId.equals(session.getId())) {
logger.warn("Your servlet container did not change the session ID when a new session was created. You will" +
" not be adequately protected against session-fixation attacks");
}
// Copy attributes to new session
if (attributesToMigrate != null) {
for (Map.Entry<String, Object> entry : attributesToMigrate.entrySet()) {
session.setAttribute(entry.getKey(), entry.getValue());
// Copy attributes to new session
if (attributesToMigrate != null) {
for (Map.Entry<String, Object> entry : attributesToMigrate.entrySet()) {
session.setAttribute(entry.getKey(), entry.getValue());
}
}
}
}
// Update the session registry
if (sessionRegistry != null) {
sessionRegistry.removeSessionInformation(originalSessionId);
sessionRegistry.registerNewSession(session.getId(), authentication.getPrincipal());
}
/**
* Called when the session has been changed and the old attributes have been migrated to the new session.
* Only called if a session existed to start with. Allows subclasses to plug in additional behaviour.
*
* @param originalSessionId the original session identifier
* @param newSession the newly created session
* @param auth the token for the newly authenticated principal
*/
protected void onSessionChange(String originalSessionId, HttpSession newSession, Authentication auth) {
}
@SuppressWarnings("unchecked")
@ -146,16 +150,6 @@ public class DefaultAuthenticatedSessionStrategy implements AuthenticatedSession
this.migrateSessionAttributes = migrateSessionAttributes;
}
/**
* Sets the session registry which should be updated when the authenticated session is changed.
* This must be set if you are using concurrent session control.
*
* @param sessionRegistry
*/
public void setSessionRegistry(SessionRegistry sessionRegistry) {
this.sessionRegistry = sessionRegistry;
}
public void setRetainedAttributes(List<String> retainedAttributes) {
this.retainedAttributes = retainedAttributes;
}

2
web/src/main/java/org/springframework/security/web/session/NullAuthenticatedSessionStrategy.java
View File

@ -13,7 +13,7 @@ import org.springframework.security.core.Authentication;
*/
public final class NullAuthenticatedSessionStrategy implements AuthenticatedSessionStrategy {
public void onAuthenticationSuccess(Authentication authentication, HttpServletRequest request,
public void onAuthentication(Authentication authentication, HttpServletRequest request,
HttpServletResponse response) {
}
}

16
web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
View File

@ -13,6 +13,8 @@ import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean;
@ -32,17 +34,15 @@ import org.springframework.web.filter.GenericFilterBean;
public class SessionManagementFilter extends GenericFilterBean {
//~ Static fields/initializers =====================================================================================
static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied";
static final String FILTER_APPLIED = "__spring_security_session_mgmt_filter_applied";
//~ Instance fields ================================================================================================
private final SecurityContextRepository securityContextRepository;
private AuthenticatedSessionStrategy sessionStrategy = new DefaultAuthenticatedSessionStrategy();
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
private String invalidSessionUrl;
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
public SessionManagementFilter(SecurityContextRepository securityContextRepository) {
this.securityContextRepository = securityContextRepository;
@ -65,12 +65,12 @@ public class SessionManagementFilter extends GenericFilterBean {
if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) {
// The user has been authenticated during the current request, so call the session strategy
sessionStrategy.onAuthenticationSuccess(authentication, request, response);
sessionStrategy.onAuthentication(authentication, request, response);
} else {
// No security context or authentication present. Check for a session timeout
if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
if (invalidSessionUrl != null) {
response.sendRedirect(invalidSessionUrl);
redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
}
}
}
@ -99,4 +99,8 @@ public class SessionManagementFilter extends GenericFilterBean {
public void setInvalidSessionUrl(String invalidSessionUrl) {
this.invalidSessionUrl = invalidSessionUrl;
}
public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
this.redirectStrategy = redirectStrategy;
}
}

30
web/src/test/java/org/springframework/security/web/session/DefaultAuthenticatedSessionStrategyTests.java
View File

@ -25,22 +25,22 @@ public class DefaultAuthenticatedSessionStrategyTests {
DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
HttpServletRequest request = new MockHttpServletRequest();
strategy.onAuthenticationSuccess(mock(Authentication.class), request, new MockHttpServletResponse());
strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
assertNull(request.getSession(false));
}
@Test
public void newSessionIsCreatedIfSessionAlreadyExists() throws Exception {
DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
strategy.setSessionRegistry(mock(SessionRegistry.class));
HttpServletRequest request = new MockHttpServletRequest();
String sessionId = request.getSession().getId();
strategy.onAuthenticationSuccess(mock(Authentication.class), request, new MockHttpServletResponse());
assertFalse(sessionId.equals(request.getSession().getId()));
}
// @Test
// public void newSessionIsCreatedIfSessionAlreadyExists() throws Exception {
// DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
// strategy.setSessionRegistry(mock(SessionRegistry.class));
// HttpServletRequest request = new MockHttpServletRequest();
// String sessionId = request.getSession().getId();
//
// strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
//
// assertFalse(sessionId.equals(request.getSession().getId()));
// }
// See SEC-1077
@Test
@ -52,7 +52,7 @@ public class DefaultAuthenticatedSessionStrategyTests {
session.setAttribute("blah", "blah");
session.setAttribute(SavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY, "SavedRequest");
strategy.onAuthenticationSuccess(mock(Authentication.class), request, new MockHttpServletResponse());
strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
assertNull(request.getSession().getAttribute("blah"));
assertNotNull(request.getSession().getAttribute(SavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY));
@ -62,7 +62,9 @@ public class DefaultAuthenticatedSessionStrategyTests {
public void sessionIsCreatedIfAlwaysCreateTrue() throws Exception {
DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
strategy.setAlwaysCreateSession(true);
HttpServletRequest request = new MockHttpServletRequest();
strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
assertNotNull(request.getSession(false));
}
}

2
web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java
View File

@ -82,7 +82,7 @@ public class SessionManagementFilterTests {
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
verify(strategy).onAuthenticationSuccess(any(Authentication.class), any(HttpServletRequest.class), any(HttpServletResponse.class));
verify(strategy).onAuthentication(any(Authentication.class), any(HttpServletRequest.class), any(HttpServletResponse.class));
// Check that it is only applied once to the request
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
verifyNoMoreInteractions(strategy);