public class SessionFixationProtectionStrategy
extends java.lang.Object
HttpServletRequest.invalidate()
to protect against session fixation
attacks.
Creates a new session for the newly authenticated user if they already have a session
(as a defence against session-fixation protection attacks), and copies their session
attributes across to the new session. The copying of the attributes can be disabled by
setting migrateSessionAttributes
to false
(note that even in this case,
internal Spring Security attributes will still be migrated to the new session).
This approach will only be effective if your servlet container always assigns a new
session Id when a session is invalidated and a new session created by calling
HttpServletRequest.getSession()
.
HttpSessionBindingListener
The migration of existing attributes to the newly-created session may cause problems if
any of the objects implement the HttpSessionBindingListener
interface in a way
which makes assumptions about the life-cycle of the object. An example is the use of
Spring session-scoped beans, where the initial removal of the bean from the session
will cause the DisposableBean
interface to be invoked, in the assumption that
the bean is no longer required.
We'd recommend that you take account of this when designing your application and do not
store attributes which may not function correctly when they are removed and then placed
back in the session. Alternatively, you should customize the
SessionAuthenticationStrategy
to deal with the issue in an application-specific
way.
Modifier and Type | Class and Description |
---|---|
protected static class |
org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy.NullEventPublisher |
Modifier and Type | Field and Description |
---|---|
protected org.apache.commons.logging.Log |
logger |
Constructor and Description |
---|
SessionFixationProtectionStrategy() |
Modifier and Type | Method and Description |
---|---|
protected java.util.Map<java.lang.String,java.lang.Object> |
extractAttributes(javax.servlet.http.HttpSession session)
Called to extract the existing attributes from the session, prior to invalidating
it.
|
void |
onAuthentication(Authentication authentication,
javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Called when a user is newly authenticated.
|
protected void |
onSessionChange(java.lang.String originalSessionId,
javax.servlet.http.HttpSession newSession,
Authentication auth)
Called when the session has been changed and the old attributes have been migrated
to the new session.
|
void |
setAlwaysCreateSession(boolean alwaysCreateSession) |
void |
setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
Sets the
ApplicationEventPublisher to use for submitting
SessionFixationProtectionEvent . |
void |
setMigrateSessionAttributes(boolean migrateSessionAttributes)
Defines whether attributes should be migrated to a new session or not.
|
protected java.util.Map<java.lang.String,java.lang.Object> extractAttributes(javax.servlet.http.HttpSession session)
migrateAttributes
is set to false
, only Spring Security
attributes will be retained. All application attributes will be discarded.
You can override this method to control exactly what is transferred to the new session.
session
- the session from which the attributes should be extractedpublic void setMigrateSessionAttributes(boolean migrateSessionAttributes)
extractAttributes
method.
Attributes used by Spring Security (to store cached requests, for example) will
still be retained by default, even if you set this value to false
.
migrateSessionAttributes
- whether the attributes from the session should be
transferred to the new, authenticated session.public void onAuthentication(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
If a session already exists, and matches the session Id from the client, a new
session will be created, and the session attributes copied to it (if
migrateSessionAttributes
is set). If the client's requested session Id is
invalid, nothing will be done, since there is no need to change the session Id if
it doesn't match the current session.
If there is no session, no action is taken unless the alwaysCreateSession
property is set, in which case a session will be created if one doesn't already
exist.
onAuthentication
in interface SessionAuthenticationStrategy
protected void onSessionChange(java.lang.String originalSessionId, javax.servlet.http.HttpSession newSession, Authentication auth)
The default implementation of this method publishes a
SessionFixationProtectionEvent
to notify the application that the session
ID has changed. If you override this method and still wish these events to be
published, you should call super.onSessionChange()
within your overriding
method.
originalSessionId
- the original session identifiernewSession
- the newly created sessionauth
- the token for the newly authenticated principalpublic void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
ApplicationEventPublisher
to use for submitting
SessionFixationProtectionEvent
. The default is to not submit the
SessionFixationProtectionEvent
.setApplicationEventPublisher
in interface org.springframework.context.ApplicationEventPublisherAware
applicationEventPublisher
- the ApplicationEventPublisher
. Cannot be
null.public void setAlwaysCreateSession(boolean alwaysCreateSession)