Examples of SessionFixationProtectionStrategy

• org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
  The default implementation of {@link SessionAuthenticationStrategy} when using < Servlet 3.1.

  Creates a new session for the newly authenticated user if they already have a session (as a defence against session-fixation protection attacks), and copies their session attributes across to the new session. The copying of the attributes can be disabled by setting {@code migrateSessionAttributes} to {@code false}(note that even in this case, internal Spring Security attributes will still be migrated to the new session).

  This approach will only be effective if your servlet container always assigns a new session Id when a session is invalidated and a new session created by calling {@link HttpServletRequest#getSession()}.

  Issues with {@code HttpSessionBindingListener}

  The migration of existing attributes to the newly-created session may cause problems if any of the objects implement the {@code HttpSessionBindingListener} interface in a way which makes assumptions about the life-cycle ofthe object. An example is the use of Spring session-scoped beans, where the initial removal of the bean from the session will cause the {@code DisposableBean} interface to be invoked, in the assumption that the bean is no longerrequired.

  We'd recommend that you take account of this when designing your application and do not store attributes which may not function correctly when they are removed and then placed back in the session. Alternatively, you should customize the {@code SessionAuthenticationStrategy} to deal with the issue in an application-specific way. @author Luke Taylor @since 3.0

Examples of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

     */
    private static SessionAuthenticationStrategy createDefaultSessionFixationProtectionStrategy() {
        try {
            return new ChangeSessionIdAuthenticationStrategy();
        } catch(IllegalStateException e) {
            return new SessionFixationProtectionStrategy();
        }
    }

Examples of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

         * retained.
         *
         * @return the {@link SessionManagementConfigurer} for further customizations
         */
        public SessionManagementConfigurer<H> newSession() {
            SessionFixationProtectionStrategy sessionFixationProtectionStrategy = new SessionFixationProtectionStrategy();
            sessionFixationProtectionStrategy.setMigrateSessionAttributes(false);
            setSessionFixationAuthenticationStrategy(sessionFixationProtectionStrategy);
            return SessionManagementConfigurer.this;
        }

Examples of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

         * retained.
         *
         * @return the {@link SessionManagementConfigurer} for further customizations
         */
        public SessionManagementConfigurer<H> migrateSession() {
            setSessionFixationAuthenticationStrategy(new SessionFixationProtectionStrategy());
            return SessionManagementConfigurer.this;
        }

Examples of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

    private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
    private InvalidSessionStrategy invalidSessionStrategy = null;
    private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();

    public SessionManagementFilter(SecurityContextRepository securityContextRepository) {
        this(securityContextRepository, new SessionFixationProtectionStrategy());
    }

Examples of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

 */
public class DefaultSessionAuthenticationStrategyTests {

    @Test
    public void newSessionShouldNotBeCreatedIfNoSessionExistsAndAlwaysCreateIsFalse() throws Exception {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        HttpServletRequest request = new MockHttpServletRequest();

        strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());

        assertNull(request.getSession(false));
    }

Examples of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

        assertNull(request.getSession(false));
    }

    @Test
    public void newSessionIsCreatedIfSessionAlreadyExists() throws Exception {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        HttpServletRequest request = new MockHttpServletRequest();
        String sessionId = request.getSession().getId();

        strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());

        assertFalse(sessionId.equals(request.getSession().getId()));
    }

Examples of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

    }

    // SEC-2002
    @Test
    public void newSessionIsCreatedIfSessionAlreadyExistsWithEventPublisher() throws Exception {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        HttpServletRequest request = new MockHttpServletRequest();
        HttpSession session = request.getSession();
        session.setAttribute("blah", "blah");
        session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", "DefaultSavedRequest");
        String oldSessionId = session.getId();

        ApplicationEventPublisher eventPublisher = mock(ApplicationEventPublisher.class);
        strategy.setApplicationEventPublisher(eventPublisher);

        Authentication mockAuthentication = mock(Authentication.class);

        strategy.onAuthentication(mockAuthentication, request, new MockHttpServletResponse());

        ArgumentCaptor<ApplicationEvent> eventArgumentCaptor = ArgumentCaptor.forClass(ApplicationEvent.class);
        verify(eventPublisher).publishEvent(eventArgumentCaptor.capture());

        assertFalse(oldSessionId.equals(request.getSession().getId()));

Examples of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

    }

    // See SEC-1077
    @Test
    public void onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalse() throws Exception {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        strategy.setMigrateSessionAttributes(false);
        HttpServletRequest request = new MockHttpServletRequest();
        HttpSession session = request.getSession();
        session.setAttribute("blah", "blah");
        session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", "DefaultSavedRequest");

        strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());

        assertNull(request.getSession().getAttribute("blah"));
        assertNotNull(request.getSession().getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY"));
    }

Examples of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

    }

    // SEC-2002
    @Test
    public void onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalseWithEventPublisher() throws Exception {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        strategy.setMigrateSessionAttributes(false);
        HttpServletRequest request = new MockHttpServletRequest();
        HttpSession session = request.getSession();
        session.setAttribute("blah", "blah");
        session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", "DefaultSavedRequest");
        String oldSessionId = session.getId();

        ApplicationEventPublisher eventPublisher = mock(ApplicationEventPublisher.class);
        strategy.setApplicationEventPublisher(eventPublisher);

        Authentication mockAuthentication = mock(Authentication.class);

        strategy.onAuthentication(mockAuthentication, request, new MockHttpServletResponse());

        ArgumentCaptor<ApplicationEvent> eventArgumentCaptor = ArgumentCaptor.forClass(ApplicationEvent.class);
        verify(eventPublisher).publishEvent(eventArgumentCaptor.capture());

        assertNull(request.getSession().getAttribute("blah"));

Examples of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

        assertSame(mockAuthentication, event.getAuthentication());
    }

    @Test
    public void sessionIsCreatedIfAlwaysCreateTrue() throws Exception {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        strategy.setAlwaysCreateSession(true);
        HttpServletRequest request = new MockHttpServletRequest();
        strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
        assertNotNull(request.getSession(false));
    }