Spring Security

Session fixation attack protection will cause problems with URL rewriting

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 2.0.2
  • Component/s: Core
  • Description:
    Hide
    The current filter-based approach won't work since it makes a decision after the request has been completed, at which point the jsessionid prior to the request may have been used in a URL. Possible options are

    1. Move the filter to a position after the authentication filters and create the new session prior to proceeding to make sure the change takes place before any pages are rendered.
    2. Use a strategy which will be called from the authentication filters.

    Workaround is to disable session fixation protection (use session-fixation-protection='none' in the <http> namespace element).
    Show
    The current filter-based approach won't work since it makes a decision after the request has been completed, at which point the jsessionid prior to the request may have been used in a URL. Possible options are 1. Move the filter to a position after the authentication filters and create the new session prior to proceeding to make sure the change takes place before any pages are rendered. 2. Use a strategy which will be called from the authentication filters. Workaround is to disable session fixation protection (use session-fixation-protection='none' in the <http> namespace element).

Attachments

  1. Zip Archive
    mylyn-context.zip
    (5 kB)
    Luke Taylor
    14/May/08 8:32 PM

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Luke Taylor added a comment - 14/May/08 7:20 PM
Option 1 above will actually be much simpler than the previous approach - if the user is currently authenticated, but no security context is stored in the session then the user has been authenticated during the current request and a new session should be created. However, this won't work for situations where a redirect is performed after authentication, such as AuthenticationProcessingFilter because the session fixation filter won't be called during that request. When next request comes in, the context will already be stored in the session. Classes which extend AbstractProcessingFilter already have support for session fixation protection following the changes for SEC-399, so a combined approach will cover both options. HttpSecurityBeanDefinitionParser can set the appropriate properties on these classes and insert the new filter.

This should also remove the problem dealt with in SEC-767, as the new session will be created before the request has passed through the security filter chain.
Show
Luke Taylor added a comment - 14/May/08 7:20 PM Option 1 above will actually be much simpler than the previous approach - if the user is currently authenticated, but no security context is stored in the session then the user has been authenticated during the current request and a new session should be created. However, this won't work for situations where a redirect is performed after authentication, such as AuthenticationProcessingFilter because the session fixation filter won't be called during that request. When next request comes in, the context will already be stored in the session. Classes which extend AbstractProcessingFilter already have support for session fixation protection following the changes for SEC-399, so a combined approach will cover both options. HttpSecurityBeanDefinitionParser can set the appropriate properties on these classes and insert the new filter. This should also remove the problem dealt with in SEC-767, as the new session will be created before the request has passed through the security filter chain.
Hide
Permalink
Luke Taylor added a comment - 14/May/08 8:37 PM
I've basically gone with the option suggested in the previous comment. The namespace now also sets the necessary properties on AbstractProcessingFilter (openid or form login, basically). Other authentication mechanisms which don't involved a redirect will be handled by the filter which is now placed before FilterSecurityInterceptor in the stack. Needs some testing, but should be resolved.
Show
Luke Taylor added a comment - 14/May/08 8:37 PM I've basically gone with the option suggested in the previous comment. The namespace now also sets the necessary properties on AbstractProcessingFilter (openid or form login, basically). Other authentication mechanisms which don't involved a redirect will be handled by the filter which is now placed before FilterSecurityInterceptor in the stack. Needs some testing, but should be resolved.
Hide
Permalink
David Erickson added a comment - 28/Jun/08 9:47 PM
As of 2.0.2 I am still seeing this issue when using session-fixation-protection="migrateSession". If I set it to "none" the problem disappears.
Show
David Erickson added a comment - 28/Jun/08 9:47 PM As of 2.0.2 I am still seeing this issue when using session-fixation-protection="migrateSession". If I set it to "none" the problem disappears.

People

Dates

  • Created:
    14/May/08 4:48 PM
    Updated:
    28/Jun/08 9:47 PM
    Resolved:
    21/May/08 10:07 AM
Atlassian JIRA (v4.1.2#531) | Report a problem | Request a feature | Contact administrators
Powered by a free Atlassian JIRA open source license for Spring Framework. Try JIRA - bug tracking software for your team.