OPEN - issue SEC-834: Session fixation attack protection will cause problems with URL rewriting

http://jira.springframework.org/browse/SEC-834. Modified HttpSecurityBDP to add session-fixation parameters to openId and form-login filters. Also added sessionRegistry property to AbstractProcessingFilter so that it doesn't conflict with concurrent session control.
2008-05-15 01:34:14 +00:00 · 2008-05-15 01:34:14 +00:00 · 8b2c0468ff
parent d17a2da9e0
commit 8b2c0468ff
2 changed files with 36 additions and 2 deletions
--- a/core/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java
@ -1,5 +1,6 @@
 package org.springframework.security.config;

+import org.springframework.beans.PropertyValue;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
@ -54,6 +55,18 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser {
        
        Object source = null;

+        // Copy values from the session fixation protection filter        
+        final Boolean sessionFixationProtectionEnabled = 
+            new Boolean(pc.getRegistry().containsBeanDefinition(BeanIds.SESSION_FIXATION_PROTECTION_FILTER));
+        Boolean migrateSessionAttributes = Boolean.FALSE;
+        
+        if (sessionFixationProtectionEnabled.booleanValue()) {
+            PropertyValue pv = 
+                    pc.getRegistry().getBeanDefinition(BeanIds.SESSION_FIXATION_PROTECTION_FILTER)
+                        .getPropertyValues().getPropertyValue("migrateSessionAttributes");
+            migrateSessionAttributes = (Boolean)pv.getValue(); 
+        }        
+        
        if (elt != null) {
        	source = pc.extractSource(elt);
            loginUrl = elt.getAttribute(ATT_LOGIN_URL);
@ -79,10 +92,20 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser {
        filterBean.getPropertyValues().addPropertyValue("authenticationManager",
                new RuntimeBeanReference(BeanIds.AUTHENTICATION_MANAGER));
        
+        filterBean.getPropertyValues().addPropertyValue("invalidateSessionOnSuccessfulAuthentication", 
+                sessionFixationProtectionEnabled);
+        filterBean.getPropertyValues().addPropertyValue("migrateInvalidatedSessionAttributes", 
+                migrateSessionAttributes);            
+        
        if (pc.getRegistry().containsBeanDefinition(BeanIds.REMEMBER_ME_SERVICES)) {
            filterBean.getPropertyValues().addPropertyValue("rememberMeServices", 
                    new RuntimeBeanReference(BeanIds.REMEMBER_ME_SERVICES) );
        }
+        
+        if (pc.getRegistry().containsBeanDefinition(BeanIds.SESSION_REGISTRY)) {
+            filterBean.getPropertyValues().addPropertyValue("sessionRegistry", 
+                    new RuntimeBeanReference(BeanIds.SESSION_REGISTRY));
+        }

        BeanDefinitionBuilder entryPointBuilder =
                BeanDefinitionBuilder.rootBeanDefinition(AuthenticationProcessingFilterEntryPoint.class);
--- a/core/src/main/java/org/springframework/security/ui/AbstractProcessingFilter.java
+++ b/core/src/main/java/org/springframework/security/ui/AbstractProcessingFilter.java
@ -23,6 +23,7 @@ import org.springframework.security.util.RedirectUtils;
 import org.springframework.security.util.SessionUtils;
 import org.springframework.security.util.UrlUtils;

+import org.springframework.security.concurrent.SessionRegistry;
 import org.springframework.security.context.SecurityContextHolder;

 import org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent;
@ -207,6 +208,8 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
    private boolean allowSessionCreation = true;
    
    private boolean serverSideRedirect = false;
+    
+    private SessionRegistry sessionRegistry;

    //~ Methods ========================================================================================================

@ -355,7 +358,7 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
        }

        if (invalidateSessionOnSuccessfulAuthentication) {
-            SessionUtils.startNewSessionIfRequired(request, migrateInvalidatedSessionAttributes, null);
+            SessionUtils.startNewSessionIfRequired(request, migrateInvalidatedSessionAttributes, sessionRegistry);
        }

        String targetUrl = determineTargetUrl(request);
@ -567,5 +570,13 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
     */	
 	public void setServerSideRedirect(boolean serverSideRedirect) {
 		this.serverSideRedirect = serverSideRedirect;
-	}	
+	}
+
+	/**
+	 * The session registry needs to be set if session fixation attack protection is in use (and concurrent 
+	 * session control is enabled).
+	 */
+    public void setSessionRegistry(SessionRegistry sessionRegistry) {
+        this.sessionRegistry = sessionRegistry;
+    }
 }