I have an application which uses Spring Security and CAS (Spring 3.0.5, CAS 3.4.5), but when I log in the session id isn't changing.

When I log in, the CasAuthenticationFilter performs authentication and, if the auth is successful, it doesn't continue the filter chain; instead it sets the authentication on the SecurityContextHolder and calls the successHandler. This redirects to the original URL I requested which required authentication. The SessionManagementFilter never gets a crack at calling the session strategy to create a new session.

It appears that the class CasAuthenticationFilter extends has its own session strategy, but the default is NullAuthenticatedSessionStrategy, which is vulnerable to session fixation. The question is: why is the default strategy vulnerable, when Spring claims to prevent session fixation by default?

What is the best resolution to fix this?
The session-fixation strategy is only automatically set when you are using the namespace. If you are using an explicit filter then you can just inject a SessionFixationProtectionStrategy into the filter yourself. Alternatively, if there's an obvious post-authentication starting point in your application, you can just recreate the session there.
The session fixation version probably isn't set by default for historical reasons, since the filters predate the introduction of the session authentication strategy and changes are usually introduced in a conservative fashion. You could open a change request to suggest that it might be better on by default.
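One way to take the second option from this answer (recreate the session at a post-authentication starting point), as an added example that is not from the original post or from the Spring Security project: the question already notes that CasAuthenticationFilter hands off to its success handler once authentication succeeds, so a success handler is that starting point. SessionRenewingSuccessHandler is an invented name; it extends Spring's real SavedRequestAwareAuthenticationSuccessHandler and assumes the javax.servlet API. The attributes are copied across because the saved request that the handler redirects to is itself kept as a session attribute and would otherwise be lost when the old session is invalidated.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

/**
 * Hypothetical success handler (not part of Spring Security): renews the
 * HTTP session right after CAS authentication succeeds, so the session id
 * that existed before login (which an attacker could have planted in the
 * victim's browser) is never promoted to an authenticated session.
 */
public class SessionRenewingSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws ServletException, IOException {
        renewSession(request);
        // Redirects to the originally requested URL; the request cache keeps
        // that saved request as a session attribute, hence the migration above.
        super.onAuthenticationSuccess(request, response, authentication);
    }

    /**
     * Copies the attributes of the current session into a brand-new session
     * and invalidates the old one. Returns the new session. This mirrors the
     * attribute migration that SessionFixationProtectionStrategy performs.
     */
    static HttpSession renewSession(HttpServletRequest request) {
        HttpSession oldSession = request.getSession(false);
        if (oldSession == null) {
            // No pre-login session exists, so there is no id to fixate.
            return request.getSession(true);
        }

        Map<String, Object> attributes = new HashMap<String, Object>();
        Enumeration<?> names = oldSession.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            attributes.put(name, oldSession.getAttribute(name));
        }

        oldSession.invalidate();                            // old id becomes unusable
        HttpSession newSession = request.getSession(true);  // container issues a fresh id

        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            newSession.setAttribute(entry.getKey(), entry.getValue());
        }
        return newSession;
    }
}
```

Wire it in by setting it as the authenticationSuccessHandler property of the CasAuthenticationFilter bean. Injecting a SessionFixationProtectionStrategy into the filter's sessionAuthenticationStrategy property, the first option above, achieves the same id change with no custom code and is the cleaner fix; the handler is only worth it when you need the session renewed at a point the filter does not control.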
I had the same problem. I solved it by explicitly injecting a SessionFixationProtectionStrategy (the namespace-based configuration does not seem to work with my CAS custom filter). This is my current configuration:
    <bean id="sessionRegistry"
          class="org.springframework.security.core.session.SessionRegistryImpl"/>

    <bean id="sessionControlStrategy"
          class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <constructor-arg ref="sessionRegistry"/>
        <property name="maximumSessions" value="2"/>
    </bean>

    <bean id="casFilter"
          class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="sessionAuthenticationStrategy" ref="sessionControlStrategy"/>
    </bean>