Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-27 14:22:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

OPEN - issue SEC-834: Session fixation attack protection will cause problems with URL rewriting

Browse Source 
http://jira.springframework.org/browse/SEC-834. Modified HttpSecurityBDP to add session-fixation parameters to openId and form-login filters. Also added sessionRegistry property to AbstractProcessingFilter so that it doesn't conflict with concurrent session control.
This commit is contained in:
Luke Taylor 2008-05-15 01:34:14 +00:00
parent d17a2da9e0
commit 8b2c0468ff
2 changed files with 36 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
core/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java
View File

@ -1,5 +1,6 @@
package org.springframework.security.config; package org.springframework.security.config;
import org.springframework.beans.PropertyValue;
import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.RuntimeBeanReference; import org.springframework.beans.factory.config.RuntimeBeanReference;
import org.springframework.beans.factory.support.BeanDefinitionBuilder; import org.springframework.beans.factory.support.BeanDefinitionBuilder;
@ -54,6 +55,18 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser {
Object source = null; Object source = null;
// Copy values from the session fixation protection filter
final Boolean sessionFixationProtectionEnabled =
new Boolean(pc.getRegistry().containsBeanDefinition(BeanIds.SESSION_FIXATION_PROTECTION_FILTER));
Boolean migrateSessionAttributes = Boolean.FALSE;
if (sessionFixationProtectionEnabled.booleanValue()) {
PropertyValue pv =
pc.getRegistry().getBeanDefinition(BeanIds.SESSION_FIXATION_PROTECTION_FILTER)
.getPropertyValues().getPropertyValue("migrateSessionAttributes");
migrateSessionAttributes = (Boolean)pv.getValue();
}
if (elt != null) { if (elt != null) {
source = pc.extractSource(elt); source = pc.extractSource(elt);
loginUrl = elt.getAttribute(ATT_LOGIN_URL); loginUrl = elt.getAttribute(ATT_LOGIN_URL);
@ -79,10 +92,20 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser {
filterBean.getPropertyValues().addPropertyValue("authenticationManager", filterBean.getPropertyValues().addPropertyValue("authenticationManager",
new RuntimeBeanReference(BeanIds.AUTHENTICATION_MANAGER)); new RuntimeBeanReference(BeanIds.AUTHENTICATION_MANAGER));
filterBean.getPropertyValues().addPropertyValue("invalidateSessionOnSuccessfulAuthentication",
sessionFixationProtectionEnabled);
filterBean.getPropertyValues().addPropertyValue("migrateInvalidatedSessionAttributes",
migrateSessionAttributes);
if (pc.getRegistry().containsBeanDefinition(BeanIds.REMEMBER_ME_SERVICES)) { if (pc.getRegistry().containsBeanDefinition(BeanIds.REMEMBER_ME_SERVICES)) {
filterBean.getPropertyValues().addPropertyValue("rememberMeServices", filterBean.getPropertyValues().addPropertyValue("rememberMeServices",
new RuntimeBeanReference(BeanIds.REMEMBER_ME_SERVICES) ); new RuntimeBeanReference(BeanIds.REMEMBER_ME_SERVICES) );
} }
if (pc.getRegistry().containsBeanDefinition(BeanIds.SESSION_REGISTRY)) {
filterBean.getPropertyValues().addPropertyValue("sessionRegistry",
new RuntimeBeanReference(BeanIds.SESSION_REGISTRY));
}
BeanDefinitionBuilder entryPointBuilder = BeanDefinitionBuilder entryPointBuilder =
BeanDefinitionBuilder.rootBeanDefinition(AuthenticationProcessingFilterEntryPoint.class); BeanDefinitionBuilder.rootBeanDefinition(AuthenticationProcessingFilterEntryPoint.class);

15
core/src/main/java/org/springframework/security/ui/AbstractProcessingFilter.java
View File

@ -23,6 +23,7 @@ import org.springframework.security.util.RedirectUtils;
import org.springframework.security.util.SessionUtils; import org.springframework.security.util.SessionUtils;
import org.springframework.security.util.UrlUtils; import org.springframework.security.util.UrlUtils;
import org.springframework.security.concurrent.SessionRegistry;
import org.springframework.security.context.SecurityContextHolder; import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent; import org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent;
@ -207,6 +208,8 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
private boolean allowSessionCreation = true; private boolean allowSessionCreation = true;
private boolean serverSideRedirect = false; private boolean serverSideRedirect = false;
private SessionRegistry sessionRegistry;
//~ Methods ======================================================================================================== //~ Methods ========================================================================================================
@ -355,7 +358,7 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
} }
if (invalidateSessionOnSuccessfulAuthentication) { if (invalidateSessionOnSuccessfulAuthentication) {
SessionUtils.startNewSessionIfRequired(request, migrateInvalidatedSessionAttributes, null); SessionUtils.startNewSessionIfRequired(request, migrateInvalidatedSessionAttributes, sessionRegistry);
} }
String targetUrl = determineTargetUrl(request); String targetUrl = determineTargetUrl(request);
@ -567,5 +570,13 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
*/ */
public void setServerSideRedirect(boolean serverSideRedirect) { public void setServerSideRedirect(boolean serverSideRedirect) {
this.serverSideRedirect = serverSideRedirect; this.serverSideRedirect = serverSideRedirect;
} }
/**
* The session registry needs to be set if session fixation attack protection is in use (and concurrent
* session control is enabled).
*/
public void setSessionRegistry(SessionRegistry sessionRegistry) {
this.sessionRegistry = sessionRegistry;
}
} }