Examples of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

• org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
  The default implementation of {@link SessionAuthenticationStrategy} when using < Servlet 3.1.

  Creates a new session for the newly authenticated user if they already have a session (as a defence against session-fixation protection attacks), and copies their session attributes across to the new session. The copying of the attributes can be disabled by setting {@code migrateSessionAttributes} to {@code false}(note that even in this case, internal Spring Security attributes will still be migrated to the new session).

  This approach will only be effective if your servlet container always assigns a new session Id when a session is invalidated and a new session created by calling {@link HttpServletRequest#getSession()}.

  Issues with {@code HttpSessionBindingListener}

  The migration of existing attributes to the newly-created session may cause problems if any of the objects implement the {@code HttpSessionBindingListener} interface in a way which makes assumptions about the life-cycle ofthe object. An example is the use of Spring session-scoped beans, where the initial removal of the bean from the session will cause the {@code DisposableBean} interface to be invoked, in the assumption that the bean is no longerrequired.

  We'd recommend that you take account of this when designing your application and do not store attributes which may not function correctly when they are removed and then placed back in the session. Alternatively, you should customize the {@code SessionAuthenticationStrategy} to deal with the issue in an application-specific way. @author Luke Taylor @since 3.0

     */
    private static SessionAuthenticationStrategy createDefaultSessionFixationProtectionStrategy() {
        try {
            return new ChangeSessionIdAuthenticationStrategy();
        } catch(IllegalStateException e) {
            return new SessionFixationProtectionStrategy();
        }
    }

         * retained.
         *
         * @return the {@link SessionManagementConfigurer} for further customizations
         */
        public SessionManagementConfigurer<H> newSession() {
            SessionFixationProtectionStrategy sessionFixationProtectionStrategy = new SessionFixationProtectionStrategy();
            sessionFixationProtectionStrategy.setMigrateSessionAttributes(false);
            setSessionFixationAuthenticationStrategy(sessionFixationProtectionStrategy);
            return SessionManagementConfigurer.this;
        }

         * retained.
         *
         * @return the {@link SessionManagementConfigurer} for further customizations
         */
        public SessionManagementConfigurer<H> migrateSession() {
            setSessionFixationAuthenticationStrategy(new SessionFixationProtectionStrategy());
            return SessionManagementConfigurer.this;
        }

    private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
    private InvalidSessionStrategy invalidSessionStrategy = null;
    private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();

    public SessionManagementFilter(SecurityContextRepository securityContextRepository) {
        this(securityContextRepository, new SessionFixationProtectionStrategy());
    }

 */
public class DefaultSessionAuthenticationStrategyTests {

    @Test
    public void newSessionShouldNotBeCreatedIfNoSessionExistsAndAlwaysCreateIsFalse() throws Exception {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        HttpServletRequest request = new MockHttpServletRequest();

        strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());

        assertNull(request.getSession(false));
    }

        assertNull(request.getSession(false));
    }

    @Test
    public void newSessionIsCreatedIfSessionAlreadyExists() throws Exception {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        HttpServletRequest request = new MockHttpServletRequest();
        String sessionId = request.getSession().getId();

        strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());

        assertFalse(sessionId.equals(request.getSession().getId()));
    }

    }

    // SEC-2002
    @Test
    public void newSessionIsCreatedIfSessionAlreadyExistsWithEventPublisher() throws Exception {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        HttpServletRequest request = new MockHttpServletRequest();
        HttpSession session = request.getSession();
        session.setAttribute("blah", "blah");
        session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", "DefaultSavedRequest");
        String oldSessionId = session.getId();

        ApplicationEventPublisher eventPublisher = mock(ApplicationEventPublisher.class);
        strategy.setApplicationEventPublisher(eventPublisher);

        Authentication mockAuthentication = mock(Authentication.class);

        strategy.onAuthentication(mockAuthentication, request, new MockHttpServletResponse());

        ArgumentCaptor<ApplicationEvent> eventArgumentCaptor = ArgumentCaptor.forClass(ApplicationEvent.class);
        verify(eventPublisher).publishEvent(eventArgumentCaptor.capture());

        assertFalse(oldSessionId.equals(request.getSession().getId()));

    }

    // See SEC-1077
    @Test
    public void onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalse() throws Exception {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        strategy.setMigrateSessionAttributes(false);
        HttpServletRequest request = new MockHttpServletRequest();
        HttpSession session = request.getSession();
        session.setAttribute("blah", "blah");
        session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", "DefaultSavedRequest");

        strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());

        assertNull(request.getSession().getAttribute("blah"));
        assertNotNull(request.getSession().getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY"));
    }

    }

    // SEC-2002
    @Test
    public void onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalseWithEventPublisher() throws Exception {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        strategy.setMigrateSessionAttributes(false);
        HttpServletRequest request = new MockHttpServletRequest();
        HttpSession session = request.getSession();
        session.setAttribute("blah", "blah");
        session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", "DefaultSavedRequest");
        String oldSessionId = session.getId();

        ApplicationEventPublisher eventPublisher = mock(ApplicationEventPublisher.class);
        strategy.setApplicationEventPublisher(eventPublisher);

        Authentication mockAuthentication = mock(Authentication.class);

        strategy.onAuthentication(mockAuthentication, request, new MockHttpServletResponse());

        ArgumentCaptor<ApplicationEvent> eventArgumentCaptor = ArgumentCaptor.forClass(ApplicationEvent.class);
        verify(eventPublisher).publishEvent(eventArgumentCaptor.capture());

        assertNull(request.getSession().getAttribute("blah"));

        assertSame(mockAuthentication, event.getAuthentication());
    }

    @Test
    public void sessionIsCreatedIfAlwaysCreateTrue() throws Exception {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        strategy.setAlwaysCreateSession(true);
        HttpServletRequest request = new MockHttpServletRequest();
        strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
        assertNotNull(request.getSession(false));
    }