mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-28 23:02:15 +00:00
SEC-2913: Post Process default session fixation AuthenticationStrategy
Before the default session fixation AuthenticationStrategy used a NullEventPublisher when using the Java Configuration. This was due to the fact that it is not exposed as a Bean and is not post processed. We now post process the default session fixation AuthenticationStrategy which initializes the EventPublisher properly.
This commit is contained in:
Rob Winch
parent
7b25b3e40d
commit
6c541468f6
@ -91,7 +91,8 @@ import org.springframework.util.Assert;
|
|||||||
*/
|
*/
|
||||||
public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>> extends
|
public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||||
AbstractHttpConfigurer<SessionManagementConfigurer<H>, H> {
|
AbstractHttpConfigurer<SessionManagementConfigurer<H>, H> {
|
||||||
private SessionAuthenticationStrategy sessionFixationAuthenticationStrategy = createDefaultSessionFixationProtectionStrategy();
|
private final SessionAuthenticationStrategy DEFAULT_SESSION_FIXATION_STRATEGY = createDefaultSessionFixationProtectionStrategy();
|
||||||
|
private SessionAuthenticationStrategy sessionFixationAuthenticationStrategy = DEFAULT_SESSION_FIXATION_STRATEGY;
|
||||||
private SessionAuthenticationStrategy sessionAuthenticationStrategy;
|
private SessionAuthenticationStrategy sessionAuthenticationStrategy;
|
||||||
private InvalidSessionStrategy invalidSessionStrategy;
|
private InvalidSessionStrategy invalidSessionStrategy;
|
||||||
private List<SessionAuthenticationStrategy> sessionAuthenticationStrategies = new ArrayList<SessionAuthenticationStrategy>();
|
private List<SessionAuthenticationStrategy> sessionAuthenticationStrategies = new ArrayList<SessionAuthenticationStrategy>();
|
||||||
@ -475,6 +476,9 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
|
|||||||
return sessionAuthenticationStrategy;
|
return sessionAuthenticationStrategy;
|
||||||
}
|
}
|
||||||
List<SessionAuthenticationStrategy> delegateStrategies = sessionAuthenticationStrategies;
|
List<SessionAuthenticationStrategy> delegateStrategies = sessionAuthenticationStrategies;
|
||||||
|
if(DEFAULT_SESSION_FIXATION_STRATEGY == sessionFixationAuthenticationStrategy) {
|
||||||
|
sessionFixationAuthenticationStrategy = postProcess(sessionFixationAuthenticationStrategy);
|
||||||
|
}
|
||||||
if (isConcurrentSessionControlEnabled()) {
|
if (isConcurrentSessionControlEnabled()) {
|
||||||
SessionRegistry sessionRegistry = getSessionRegistry(http);
|
SessionRegistry sessionRegistry = getSessionRegistry(http);
|
||||||
ConcurrentSessionControlAuthenticationStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlAuthenticationStrategy(
|
ConcurrentSessionControlAuthenticationStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlAuthenticationStrategy(
|
||||||
|
|||||||
@ -15,19 +15,19 @@
|
|||||||
*/
|
*/
|
||||||
package org.springframework.security.config.annotation.web.configurers
|
package org.springframework.security.config.annotation.web.configurers
|
||||||
|
|
||||||
import org.springframework.context.annotation.Configuration
|
import org.springframework.context.ApplicationListener
|
||||||
|
import org.springframework.context.annotation.Bean
|
||||||
|
import org.springframework.mock.web.MockHttpSession
|
||||||
|
import org.springframework.security.authentication.TestingAuthenticationToken
|
||||||
import org.springframework.security.config.annotation.BaseSpringSpec
|
import org.springframework.security.config.annotation.BaseSpringSpec
|
||||||
import org.springframework.security.config.annotation.ObjectPostProcessor
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity
|
||||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
|
||||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
|
||||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
|
||||||
import org.springframework.security.core.session.SessionRegistry
|
import org.springframework.security.core.session.SessionRegistry
|
||||||
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
|
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy
|
||||||
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
|
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
|
||||||
|
import org.springframework.security.web.authentication.session.SessionFixationProtectionEvent
|
||||||
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
|
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
|
||||||
import org.springframework.security.web.context.SecurityContextPersistenceFilter
|
|
||||||
import org.springframework.security.web.context.SecurityContextRepository
|
|
||||||
import org.springframework.security.web.session.ConcurrentSessionFilter
|
import org.springframework.security.web.session.ConcurrentSessionFilter
|
||||||
import org.springframework.security.web.session.SessionManagementFilter
|
import org.springframework.security.web.session.SessionManagementFilter
|
||||||
|
|
||||||
@ -136,6 +136,29 @@ class NamespaceSessionManagementTests extends BaseSpringSpec {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
def "http/session-management@session-fixation-protection=changeSessionId"() {
|
||||||
|
setup:
|
||||||
|
loadConfig(SFPPostProcessedConfig)
|
||||||
|
when:
|
||||||
|
findSessionAuthenticationStrategy(SessionFixationProtectionStrategy).onSessionChange("id", new MockHttpSession(), new TestingAuthenticationToken("u","p","ROLE_USER"))
|
||||||
|
then:
|
||||||
|
context.getBean(MockEventListener).events
|
||||||
|
}
|
||||||
|
|
||||||
|
@EnableWebSecurity
|
||||||
|
static class SFPPostProcessedConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
@Override
|
||||||
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
|
http
|
||||||
|
.sessionManagement()
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
public MockEventListener eventListener() {
|
||||||
|
new MockEventListener()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
def "http/session-management@session-fixation-protection=newSession"() {
|
def "http/session-management@session-fixation-protection=newSession"() {
|
||||||
when:
|
when:
|
||||||
loadConfig(SFPNewSessionSessionManagementConfig)
|
loadConfig(SFPNewSessionSessionManagementConfig)
|
||||||
@ -157,4 +180,13 @@ class NamespaceSessionManagementTests extends BaseSpringSpec {
|
|||||||
.newSession()
|
.newSession()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static class MockEventListener implements ApplicationListener<SessionFixationProtectionEvent> {
|
||||||
|
List<SessionFixationProtectionEvent> events = []
|
||||||
|
|
||||||
|
public void onApplicationEvent(SessionFixationProtectionEvent event) {
|
||||||
|
events.add(event)
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -34,6 +34,7 @@ import org.springframework.security.web.access.ExceptionTranslationFilter
|
|||||||
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy
|
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy
|
||||||
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy
|
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy
|
||||||
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy
|
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy
|
||||||
|
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
|
||||||
import org.springframework.security.web.context.NullSecurityContextRepository
|
import org.springframework.security.web.context.NullSecurityContextRepository
|
||||||
import org.springframework.security.web.context.SecurityContextPersistenceFilter
|
import org.springframework.security.web.context.SecurityContextPersistenceFilter
|
||||||
import org.springframework.security.web.context.SecurityContextRepository
|
import org.springframework.security.web.context.SecurityContextRepository
|
||||||
@ -227,6 +228,8 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
|
|||||||
1 * opp.postProcess(_ as CompositeSessionAuthenticationStrategy) >> {CompositeSessionAuthenticationStrategy o -> o}
|
1 * opp.postProcess(_ as CompositeSessionAuthenticationStrategy) >> {CompositeSessionAuthenticationStrategy o -> o}
|
||||||
and: "RegisterSessionAuthenticationStrategy is registered with ObjectPostProcessor"
|
and: "RegisterSessionAuthenticationStrategy is registered with ObjectPostProcessor"
|
||||||
1 * opp.postProcess(_ as RegisterSessionAuthenticationStrategy) >> {RegisterSessionAuthenticationStrategy o -> o}
|
1 * opp.postProcess(_ as RegisterSessionAuthenticationStrategy) >> {RegisterSessionAuthenticationStrategy o -> o}
|
||||||
|
and: "SessionFixationProtectionStrategy is registered with ObjectPostProcessor"
|
||||||
|
1 * opp.postProcess(_ as SessionFixationProtectionStrategy) >> {SessionFixationProtectionStrategy o -> o}
|
||||||
}
|
}
|
||||||
|
|
||||||
def "use sharedObject trustResolver"() {
|
def "use sharedObject trustResolver"() {
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user