SEC-1077: Added DefaultAuthenticatedSessionStrategy test to check that saved request attribute is retained when migrateAttributes is false.

2025-07-08 19:42:48 +00:00 · 2009-07-28 23:47:26 +00:00 · 2009-07-28 23:47:26 +00:00 · 609a68b12a
commit 609a68b12a
parent db90122179
3 changed files with 44 additions and 17 deletions
--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
@ -578,17 +578,6 @@ public class HttpSecurityBeanDefinitionParserTests {
        assertEquals("uid=(.*),", p.pattern());
    }

-    @Test
-    public void x() throws Exception {
-        setContext(
-                "<http auto-config='true'>" +
-                "    <x509 />" +
-                "</http>"  + AUTH_PROVIDER_XML);
-        List<Filter> filters = getFilters("/someurl");
-
-        assertTrue(filters.get(2) instanceof X509PreAuthenticatedProcessingFilter);
-    }
-
    @Test
    public void concurrentSessionSupportAddsFilterAndExpectedBeans() throws Exception {
        setContext(
@ -754,8 +743,8 @@ public class HttpSecurityBeanDefinitionParserTests {
        setContext(
                "<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML);
        List<Filter> filters = getFilters("/someurl");
-
-        assertFalse(filters.get(1) instanceof SessionFixationProtectionFilter);
+        assertTrue(filters.get(8) instanceof ExceptionTranslationFilter);
+        assertFalse(filters.get(9) instanceof SessionFixationProtectionFilter);
    }

    /**
--- a/web/src/main/java/org/springframework/security/web/session/DefaultAuthenticatedSessionStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/session/DefaultAuthenticatedSessionStrategy.java
@ -14,16 +14,19 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.authentication.concurrent.SessionRegistry;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.savedrequest.SavedRequest;

 /**
 * The default implementation of {@link AuthenticatedSessionStrategy}.
 * <p>
- * Creates a new session for the newly authenticated user if they already have a session, and copies their
+ * Creates a new session for the newly authenticated user if they already have a session (as a defence against
+ * session-fixation protection attacks), and copies their
 * session attributes across to the new session (can be disabled by setting <tt>migrateSessionAttributes</tt> to
 * <tt>false</tt>).
 * <p>
+ * This approach will only be effective if your servlet container always assigns a new session Id when a session is
+ * invalidated and a new session created by calling {@link HttpServletRequest#getSession()}.
+ * <p>
 * If concurrent session control is in use, then a <tt>SessionRegistry</tt> must be injected.
 *
 * @author Luke Taylor
@ -91,6 +94,11 @@ public class DefaultAuthenticatedSessionStrategy implements AuthenticatedSession
            logger.debug("Started new session: " + session.getId());
        }

+        if (originalSessionId.equals(session.getId())) {
+            logger.warn("Your servlet container did not change the session ID when a new session was created. You will" +
+                    " not be adequately protected against session-fixation attacks");
+        }
+
        // Copy attributes to new session
        if (attributesToMigrate != null) {
            for (Map.Entry<String, Object> entry : attributesToMigrate.entrySet()) {
@ -101,8 +109,7 @@ public class DefaultAuthenticatedSessionStrategy implements AuthenticatedSession
        // Update the session registry
        if (sessionRegistry != null) {
            sessionRegistry.removeSessionInformation(originalSessionId);
-            sessionRegistry.registerNewSession(session.getId(),
-                    SecurityContextHolder.getContext().getAuthentication().getPrincipal());
+            sessionRegistry.registerNewSession(session.getId(), authentication.getPrincipal());
        }
    }

@ -152,4 +159,8 @@ public class DefaultAuthenticatedSessionStrategy implements AuthenticatedSession
    public void setRetainedAttributes(List<String> retainedAttributes) {
        this.retainedAttributes = retainedAttributes;
    }
+
+    public void setAlwaysCreateSession(boolean alwaysCreateSession) {
+        this.alwaysCreateSession = alwaysCreateSession;
+    }
 }
--- a/web/src/test/java/org/springframework/security/web/session/DefaultAuthenticatedSessionStrategyTests.java
+++ b/web/src/test/java/org/springframework/security/web/session/DefaultAuthenticatedSessionStrategyTests.java
@ -4,11 +4,14 @@ import static org.junit.Assert.*;
 import static org.mockito.Mockito.mock;

 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;

 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.authentication.concurrent.SessionRegistry;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.web.savedrequest.SavedRequest;

 /**
 *
@ -30,6 +33,7 @@ public class DefaultAuthenticatedSessionStrategyTests {
    @Test
    public void newSessionIsCreatedIfSessionAlreadyExists() throws Exception {
        DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
+        strategy.setSessionRegistry(mock(SessionRegistry.class));
        HttpServletRequest request = new MockHttpServletRequest();
        String sessionId = request.getSession().getId();

@ -38,4 +42,27 @@ public class DefaultAuthenticatedSessionStrategyTests {
        assertFalse(sessionId.equals(request.getSession().getId()));
    }

+    // See SEC-1077
+    @Test
+    public void onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalse() throws Exception {
+        DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
+        strategy.setMigrateSessionAttributes(false);
+        HttpServletRequest request = new MockHttpServletRequest();
+        HttpSession session = request.getSession();
+        session.setAttribute("blah", "blah");
+        session.setAttribute(SavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY, "SavedRequest");
+
+        strategy.onAuthenticationSuccess(mock(Authentication.class), request, new MockHttpServletResponse());
+
+        assertNull(request.getSession().getAttribute("blah"));
+        assertNotNull(request.getSession().getAttribute(SavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY));
+    }
+
+    @Test
+    public void sessionIsCreatedIfAlwaysCreateTrue() throws Exception {
+        DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
+        strategy.setAlwaysCreateSession(true);
+
+    }
+
 }