Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

AuthenticationFilter Session Fixation Protection 

Fixes gh-7446
This commit is contained in:
Josh Cummings 2019-09-17 08:15:52 -06:00
parent 496a2cdc60
commit 7576dc44d7
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
2 changed files with 37 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
web/src/main/java/org/springframework/security/web/authentication/AuthenticationFilter.java
View File

@ -16,12 +16,12 @@
package org.springframework.security.web.authentication; package org.springframework.security.web.authentication;
import java.io.IOException; import java.io.IOException;
import javax.servlet.Filter; import javax.servlet.Filter;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
@ -146,6 +146,11 @@ public class AuthenticationFilter extends OncePerRequestFilter {
return; return;
} }
HttpSession session = request.getSession(false);
if (session != null) {
request.changeSessionId();
}
successfulAuthentication(request, response, filterChain, authenticationResult); successfulAuthentication(request, response, filterChain, authenticationResult);
} catch (AuthenticationException e) { } catch (AuthenticationException e) {
unsuccessfulAuthentication(request, response, e); unsuccessfulAuthentication(request, response, e);

39
web/src/test/java/org/springframework/security/web/authentication/AuthenticationFilterTests.java
View File

@ -15,14 +15,6 @@
*/ */
package org.springframework.security.web.authentication; package org.springframework.security.web.authentication;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.ServletRequest; import javax.servlet.ServletRequest;
@ -35,9 +27,12 @@ import org.junit.Test;
import org.junit.runner.RunWith; import org.junit.runner.RunWith;
import org.mockito.Mock; import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner; import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver; import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.BadCredentialsException;
@ -46,6 +41,14 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;
/** /**
* @author Sergey Bespalov * @author Sergey Bespalov
* @since 5.2.0 * @since 5.2.0
@ -246,4 +249,24 @@ public class AuthenticationFilterTests {
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull(); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
} }
// gh-7446
@Test
public void filterWhenSuccessfulAuthenticationThenSessionIdChanges() throws Exception {
Authentication authentication = new TestingAuthenticationToken("test", "this", "ROLE_USER");
when(this.authenticationConverter.convert(any())).thenReturn(authentication);
when(this.authenticationManager.authenticate(any())).thenReturn(authentication);
MockHttpSession session = new MockHttpSession();
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
request.setSession(session);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain chain = new MockFilterChain();
String sessionId = session.getId();
AuthenticationFilter filter = new AuthenticationFilter(this.authenticationManager, this.authenticationConverter);
filter.doFilter(request, response, chain);
assertThat(session.getId()).isNotEqualTo(sessionId);
}
} }