SEC-2156: AbstractSecurityWebApplicationInitializer configures SessionTrackingMode

It also allows customization by overriding a method.
2013-07-19 17:07:18 -05:00 · 2013-07-19 17:07:18 -05:00 · ac053dbda7
parent 90bd241ce2
commit ac053dbda7
2 changed files with 61 additions and 0 deletions
--- a/web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java
+++ b/web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java
@ -17,12 +17,15 @@ package org.springframework.security.web.context;

 import java.util.Arrays;
 import java.util.EnumSet;
+import java.util.HashSet;
+import java.util.Set;

 import javax.servlet.DispatcherType;
 import javax.servlet.Filter;
 import javax.servlet.FilterRegistration.Dynamic;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
+import javax.servlet.SessionTrackingMode;

 import org.springframework.context.ApplicationContext;
 import org.springframework.core.Conventions;
@ -83,6 +86,7 @@ public abstract class AbstractSecurityWebApplicationInitializer implements WebAp
        if(enableHttpSessionEventPublisher()) {
            servletContext.addListener("org.springframework.security.web.session.HttpSessionEventPublisher");
        }
+        servletContext.setSessionTrackingModes(getSessionTrackingModes());
        insertSpringSecurityFilterChain(servletContext);
        afterSpringSecurityFilterChain(servletContext);
    }
@ -207,6 +211,35 @@ public abstract class AbstractSecurityWebApplicationInitializer implements WebAp
        return SERVLET_CONTEXT_PREFIX + dispatcherServletName;
    }

+    /**
+     * Determines how a session should be tracked. By default, the following
+     * modes are used:
+     *
+     * <ul>
+     * <li> {@link SessionTrackingMode#COOKIE}</li>
+     * <li> {@link SessionTrackingMode#SSL}</li>
+     * </ul>
+     *
+     * <p>
+     * Note that {@link SessionTrackingMode#URL} is intentionally omitted to
+     * help protected against <a
+     * href="http://en.wikipedia.org/wiki/Session_fixation">session fixation
+     * attacks</a>.
+     * </p>
+     *
+     * <p>
+     * Subclasses can override this method to make customizations.
+     * </p>
+     *
+     * @return
+     */
+    protected Set<SessionTrackingMode> getSessionTrackingModes() {
+        Set<SessionTrackingMode> modes = new HashSet<SessionTrackingMode>();
+        modes.add(SessionTrackingMode.COOKIE);
+        modes.add(SessionTrackingMode.SSL);
+        return modes;
+    }
+
    /**
     * Return the <servlet-name> to use the DispatcherServlet's
     * {@link WebApplicationContext} to find the {@link DelegatingFilterProxy}
--- a/web/src/test/groovy/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializerTests.groovy
+++ b/web/src/test/groovy/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializerTests.groovy
@ -21,6 +21,7 @@ import javax.servlet.DispatcherType;
 import javax.servlet.Filter;
 import javax.servlet.FilterRegistration;
 import javax.servlet.ServletContext;
+import javax.servlet.SessionTrackingMode;

 import org.springframework.security.web.session.HttpSessionEventPublisher;
 import org.springframework.web.filter.DelegatingFilterProxy;
@ -239,6 +240,33 @@ class AbstractSecurityWebApplicationInitializerTests extends Specification {
            success.message == "filters cannot be null or empty"
    }

+    def "sessionTrackingModes defaults"() {
+        setup:
+            ServletContext context = Mock()
+            FilterRegistration.Dynamic registration = Mock()
+        when:
+            new AbstractSecurityWebApplicationInitializer(){ }.onStartup(context)
+        then:
+            1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
+            1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 2 && modes.containsAll([SessionTrackingMode.COOKIE, SessionTrackingMode.SSL]) })
+    }
+
+    def "sessionTrackingModes override"() {
+        setup:
+            ServletContext context = Mock()
+            FilterRegistration.Dynamic registration = Mock()
+        when:
+            new AbstractSecurityWebApplicationInitializer(){
+                @Override
+                public Set<SessionTrackingMode> getSessionTrackingModes() {
+                    return [SessionTrackingMode.COOKIE]
+                }
+            }.onStartup(context)
+        then:
+            1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
+            1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE]) })
+    }
+
    def "appendFilters filters with null"() {
        setup:
            Filter filter1 = Mock()