Issue #3627 Only renew session id when spnego authentication is fully complete (#3629)

* Issue #3627 Only renew session id when spnego authentication is fully complete.

Signed-off-by: Jan Bartel <janb@webtide.com>
This commit is contained in:
Jan Bartel 2019-05-08 10:20:42 +02:00 committed by GitHub
parent bfcf8f8b2a
commit 5dd35ee706
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 0 deletions


@ -37,6 +37,7 @@ import org.eclipse.jetty.security.SpnegoUserPrincipal;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Authentication.User;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
@ -99,6 +100,23 @@ public class ConfigurableSpnegoAuthenticator extends LoginAuthenticator
_authenticationDuration = authenticationDuration;
}
/**
* Only renew the session id if the user has been fully authenticated, don't
* renew the session for any of the intermediate request/response handshakes.
*/
@Override
public UserIdentity login(String username, Object password, ServletRequest servletRequest)
{
SpnegoUserIdentity user = (SpnegoUserIdentity)_loginService.login(username, password, servletRequest);
if (user != null && user.isEstablished())
{
Request request = Request.getBaseRequest(servletRequest);
renewSession(request, request == null ? null : request.getResponse());
}
return user;
}
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException
{
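Review bot: The unconditional cast `(SpnegoUserIdentity)_loginService.login(...)` in the new login override assumes the configured LoginService always returns a SpnegoUserIdentity; if a deployment wires this authenticator to any other LoginService the call fails with a ClassCastException instead of a clean null result. A type-guarded form keeps the same behaviour for the SPNEGO case: `UserIdentity user = _loginService.login(username, password, servletRequest);` / `if (user instanceof SpnegoUserIdentity && ((SpnegoUserIdentity)user).isEstablished())` / `{ ... renewSession(...) }`, returning `user`. Since this override no longer goes through the base-class login(), which is where the session id was renewed against session fixation, the Javadoc should say so explicitly, e.g. `Replaces the base-class renewal: the session id is only regenerated once isEstablished() is true, so intermediate negotiate round-trips keep their session id.` When `request` is null the call passes a null response to renewSession; what that helper does with null is not visible in the hunk, so worth confirming. The same cast concern applies only to this hunk; the validateRequest method starting at the end of the hunk continues outside it.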


@ -33,6 +33,7 @@ import org.eclipse.jetty.server.session.Session;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
public abstract class LoginAuthenticator implements Authenticator
{
private static final Logger LOG = Log.getLogger(LoginAuthenticator.class);
@ -53,6 +54,18 @@ public abstract class LoginAuthenticator implements Authenticator
//empty implementation as the default
}
/**
* If the UserIdentity is not null after this method calls {@link LoginService#login(String,Object,ServletRequest)}, it
* is assumed that the user is fully authenticated and we need to change the session id to prevent
* session fixation vulnerability. If the UserIdentity is not necessarily fully
* authenticated, then subclasses must override this method and
* determine when the UserIdentity IS fully authenticated and renew the session id.
*
* @param username the username of the client to be authenticated
* @param password the user's credential
* @param servletRequest the inbound request that needs authentication
* @return
*/
public UserIdentity login(String username, Object password, ServletRequest servletRequest)
{
UserIdentity user = _loginService.login(username, password, servletRequest);
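Review bot: The new Javadoc leaves `@return` empty, so the contract a subclass must honour when overriding this method is undocumented; given the first sentence, something like `@return the UserIdentity returned by the LoginService, which this method treats as fully authenticated (and therefore renews the session id for) whenever it is non-null, or null if the login failed` would close the gap. The first sentence also reads better as "to prevent a session fixation vulnerability", and it would help to say that an override which returns a not-yet-established identity is responsible for calling renewSession itself once authentication completes, since skipping it silently drops the fixation defence. The body of login() continues past the end of the hunk, so the renewal call itself is not visible here.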