
java - Spring Security with CAS skips session fixation protection

Question:

I have an application which uses Spring Security and CAS (Spring 3.0.5, CAS 3.4.5), but when I log in the session id isn't changing.

When I log in, the CasAuthenticationFilter performs authentication and, if the auth is successful, it doesn't continue the filter chain; instead it sets the authentication on the SecurityContextHolder and calls the successHandler. This redirects to the original URL I requested which required authentication. The SessionManagementFilter never gets a crack at calling the session strategy to create a new session.

It appears that the AbstractAuthenticationFilter that CasAuthenticationFilter extends has its own session strategy, but the default is NullAuthenticatedSessionStrategy, which is vulnerable to session fixation. The question is: why is the default strategy vulnerable, when Spring claims to prevent session fixation by default?

What is the best resolution to fix this?

Answer:

The session-fixation strategy is only automatically set when you are using the namespace. If you are using an explicit filter then you can just inject a SessionFixationProtectionStrategy into the filter yourself. Alternatively, if there's an obvious post-authentication starting point in your application, you can just recreate the session there.

The session fixation version probably isn't set by default for historical reasons, since the filters predate the introduction of the session authentication strategy and changes are usually introduced in a conservative fashion. You could open a change request to suggest that it might be better on by default.

Answer:

I had the same problem. I solved it by explicitly injecting a SessionFixationProtectionStrategy (the namespace-based configuration does not seem to work with my CAS custom filter). This is my current configuration:

<!-- Registry of live sessions per principal; ConcurrentSessionControlStrategy records each new session here -->
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>

<!-- ConcurrentSessionControlStrategy extends SessionFixationProtectionStrategy, so it both
     replaces the session id on login and caps the number of concurrent sessions per user -->
<bean id="sessionControlStrategy" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg ref="sessionRegistry"/>
    <property name="maximumSessions" value="2"/>
</bean>

<!-- Inject the strategy into the CAS filter explicitly; without this the filter keeps its
     default NullAuthenticatedSessionStrategy and the session id survives authentication -->
<bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="sessionAuthenticationStrategy" ref="sessionControlStrategy"/>
</bean>
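The first answer's alternative (recreating the session at a post-authentication starting point) can be implemented as a success handler for the CAS filter, shown here as an added example that is not part of either answer above. It assumes the Spring Security 3.0.x API; the package name and class name are hypothetical, and the handler also verifies that the session id actually changed so a misconfigured strategy fails loudly instead of silently.

```java
package example.security; // hypothetical package, not from the thread

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

/**
 * Success handler that migrates the session before the post-login redirect.
 * Wire it into CasAuthenticationFilter via the authenticationSuccessHandler property.
 */
public class SessionMigratingSuccessHandler implements AuthenticationSuccessHandler {

    private final SessionAuthenticationStrategy strategy;
    private final AuthenticationSuccessHandler delegate;

    public SessionMigratingSuccessHandler() {
        SessionFixationProtectionStrategy fixation = new SessionFixationProtectionStrategy();
        // Copy attributes (including the saved request) into the fresh session
        fixation.setMigrateSessionAttributes(true);
        this.strategy = fixation;
        // Redirect to the URL that originally triggered the CAS login
        this.delegate = new SavedRequestAwareAuthenticationSuccessHandler();
    }

    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        HttpSession before = request.getSession(false);
        String oldId = (before == null) ? null : before.getId();

        // Invalidate the pre-login session and create a new one with a new id
        strategy.onAuthentication(authentication, request, response);

        // Defensive check: fail the login rather than continue with a fixated id
        String newId = request.getSession().getId();
        if (oldId != null && oldId.equals(newId)) {
            throw new ServletException("session id unchanged after authentication");
        }
        delegate.onAuthenticationSuccess(request, response, authentication);
    }
}
```

The redirect issued by the delegate commits the response, at which point the security context is stored in the newly created session rather than the one the client held before logging in.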