org.springframework.security.web.authentication.session
Class SessionFixationProtectionStrategy

java.lang.Object
  extended by org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
All Implemented Interfaces:
Aware, ApplicationEventPublisherAware, SessionAuthenticationStrategy
Direct Known Subclasses:
ConcurrentSessionControlStrategy

public class SessionFixationProtectionStrategy
extends Object

The default implementation of SessionAuthenticationStrategy when using < Servlet 3.1.

Creates a new session for the newly authenticated user if they already have a session (as a defence against session-fixation protection attacks), and copies their session attributes across to the new session. The copying of the attributes can be disabled by setting migrateSessionAttributes to false (note that even in this case, internal Spring Security attributes will still be migrated to the new session).

This approach will only be effective if your servlet container always assigns a new session Id when a session is invalidated and a new session created by calling HttpServletRequest.getSession().

Issues with HttpSessionBindingListener

The migration of existing attributes to the newly-created session may cause problems if any of the objects implement the HttpSessionBindingListener interface in a way which makes assumptions about the life-cycle of the object. An example is the use of Spring session-scoped beans, where the initial removal of the bean from the session will cause the DisposableBean interface to be invoked, in the assumption that the bean is no longer required.

We'd recommend that you take account of this when designing your application and do not store attributes which may not function correctly when they are removed and then placed back in the session. Alternatively, you should customize the SessionAuthenticationStrategy to deal with the issue in an application-specific way.

Since:
3.0

Nested Class Summary
protected static class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy.NullEventPublisher
           
 
Field Summary
protected  org.apache.commons.logging.Log logger
           
 
Constructor Summary
SessionFixationProtectionStrategy()
           
 
Method Summary
protected  Map<String,Object> extractAttributes(javax.servlet.http.HttpSession session)
          Called to extract the existing attributes from the session, prior to invalidating it.
 void onAuthentication(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Called when a user is newly authenticated.
protected  void onSessionChange(String originalSessionId, javax.servlet.http.HttpSession newSession, Authentication auth)
          Called when the session has been changed and the old attributes have been migrated to the new session.
 void setAlwaysCreateSession(boolean alwaysCreateSession)
           
 void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)
          Sets the ApplicationEventPublisher to use for submitting SessionFixationProtectionEvent.
 void setMigrateSessionAttributes(boolean migrateSessionAttributes)
          Defines whether attributes should be migrated to a new session or not.
 void setRetainedAttributes(List<String> retainedAttributes)
          Deprecated. Override the extractAttributes method instead
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

protected final org.apache.commons.logging.Log logger
Constructor Detail

SessionFixationProtectionStrategy

public SessionFixationProtectionStrategy()
Method Detail

extractAttributes

protected Map<String,Object> extractAttributes(javax.servlet.http.HttpSession session)
Called to extract the existing attributes from the session, prior to invalidating it. If migrateAttributes is set to false, only Spring Security attributes will be retained. All application attributes will be discarded.

You can override this method to control exactly what is transferred to the new session.

Parameters:
session - the session from which the attributes should be extracted
Returns:
the map of session attributes which should be transferred to the new session

setMigrateSessionAttributes

public void setMigrateSessionAttributes(boolean migrateSessionAttributes)
Defines whether attributes should be migrated to a new session or not. Has no effect if you override the extractAttributes method.

Attributes used by Spring Security (to store cached requests, for example) will still be retained by default, even if you set this value to false.

Parameters:
migrateSessionAttributes - whether the attributes from the session should be transferred to the new, authenticated session.

setRetainedAttributes

@Deprecated
public void setRetainedAttributes(List<String> retainedAttributes)
Deprecated. Override the extractAttributes method instead


onAuthentication

public void onAuthentication(Authentication authentication,
                             javax.servlet.http.HttpServletRequest request,
                             javax.servlet.http.HttpServletResponse response)
Called when a user is newly authenticated.

If a session already exists, and matches the session Id from the client, a new session will be created, and the session attributes copied to it (if migrateSessionAttributes is set). If the client's requested session Id is invalid, nothing will be done, since there is no need to change the session Id if it doesn't match the current session.

If there is no session, no action is taken unless the alwaysCreateSession property is set, in which case a session will be created if one doesn't already exist.

Specified by:
onAuthentication in interface SessionAuthenticationStrategy

onSessionChange

protected void onSessionChange(String originalSessionId,
                               javax.servlet.http.HttpSession newSession,
                               Authentication auth)
Called when the session has been changed and the old attributes have been migrated to the new session. Only called if a session existed to start with. Allows subclasses to plug in additional behaviour. *

The default implementation of this method publishes a SessionFixationProtectionEvent to notify the application that the session ID has changed. If you override this method and still wish these events to be published, you should call super.onSessionChange() within your overriding method.

Parameters:
originalSessionId - the original session identifier
newSession - the newly created session
auth - the token for the newly authenticated principal

setApplicationEventPublisher

public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)
Sets the ApplicationEventPublisher to use for submitting SessionFixationProtectionEvent. The default is to not submit the SessionFixationProtectionEvent.

Specified by:
setApplicationEventPublisher in interface ApplicationEventPublisherAware
Parameters:
applicationEventPublisher - the ApplicationEventPublisher. Cannot be null.

setAlwaysCreateSession

public void setAlwaysCreateSession(boolean alwaysCreateSession)