Class SessionFixationProtectionStrategy
- java.lang.Object
-
- org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy
-
- org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
-
- All Implemented Interfaces:
org.springframework.beans.factory.Aware
,org.springframework.context.ApplicationEventPublisherAware
,SessionAuthenticationStrategy
public class SessionFixationProtectionStrategy extends AbstractSessionFixationProtectionStrategy
UsesHttpServletRequest.invalidate()
to protect against session fixation attacks.Creates a new session for the newly authenticated user if they already have a session (as a defence against session-fixation protection attacks), and copies their session attributes across to the new session. The copying of the attributes can be disabled by setting
migrateSessionAttributes
tofalse
(note that even in this case, internal Spring Security attributes will still be migrated to the new session).This approach will only be effective if your servlet container always assigns a new session Id when a session is invalidated and a new session created by calling
HttpServletRequest.getSession()
.Issues with
HttpSessionBindingListener
The migration of existing attributes to the newly-created session may cause problems if any of the objects implement the
HttpSessionBindingListener
interface in a way which makes assumptions about the life-cycle of the object. An example is the use of Spring session-scoped beans, where the initial removal of the bean from the session will cause theDisposableBean
interface to be invoked, in the assumption that the bean is no longer required.We'd recommend that you take account of this when designing your application and do not store attributes which may not function correctly when they are removed and then placed back in the session. Alternatively, you should customize the
SessionAuthenticationStrategy
to deal with the issue in an application-specific way.- Since:
- 3.0
-
-
Nested Class Summary
-
Nested classes/interfaces inherited from class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy
AbstractSessionFixationProtectionStrategy.NullEventPublisher
-
-
Field Summary
-
Fields inherited from class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy
logger
-
-
Constructor Summary
Constructors Constructor Description SessionFixationProtectionStrategy()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected java.util.Map<java.lang.String,java.lang.Object>
extractAttributes(javax.servlet.http.HttpSession session)
Called to extract the existing attributes from the session, prior to invalidating it.void
setMigrateSessionAttributes(boolean migrateSessionAttributes)
Defines whether attributes should be migrated to a new session or not.-
Methods inherited from class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy
onAuthentication, onSessionChange, setAlwaysCreateSession, setApplicationEventPublisher
-
-
-
-
Method Detail
-
extractAttributes
protected java.util.Map<java.lang.String,java.lang.Object> extractAttributes(javax.servlet.http.HttpSession session)
Called to extract the existing attributes from the session, prior to invalidating it. IfmigrateAttributes
is set tofalse
, only Spring Security attributes will be retained. All application attributes will be discarded.You can override this method to control exactly what is transferred to the new session.
- Parameters:
session
- the session from which the attributes should be extracted- Returns:
- the map of session attributes which should be transferred to the new session
-
setMigrateSessionAttributes
public void setMigrateSessionAttributes(boolean migrateSessionAttributes)
Defines whether attributes should be migrated to a new session or not. Has no effect if you override theextractAttributes
method.Attributes used by Spring Security (to store cached requests, for example) will still be retained by default, even if you set this value to
false
.- Parameters:
migrateSessionAttributes
- whether the attributes from the session should be transferred to the new, authenticated session.
-
-