  • Spring Security and Session Fixation Protection

    All,

    I am currently working on a project using Spring-Flex-BlazeDS integration and up until now the integration has been working fantastically. We have Spring Security well integrated with URLs and channels locked down with role-based access and all has gone smoothly.

    Today I tried to add session management because our application needs to have protection against the same user logging into the application multiple times. I added the appropriate spring configuration and filters to my filter chain proxy and expected the best but it seems that session fixation protection is not working for me. After (html-based) login, the SWF fails to load and there is a blank white screen with no information.

    The first call to the application (from a JSP form) goes through authentication just fine and when it returns the browser should request the SWF and other additional JS/images/etc. These subsequent calls are not successful, though, and are providing no errors. They are, however, creating new sessions for some reason:

    Code:
    18:00:47,517 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] Chain processed normally
    18:00:47,517 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper] SecurityContext stored to HttpSession: '[email protected]67582: Authentication: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@7f767582: Principal: User{id: {null}, createdBy: {null}, createdDate: {null}, modifiedBy: {null}, modifiedDate: {null}, version: {null}}; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: D7B18246B63BE1D265FF9241F301F7B0; Authorities: []; Granted Authorities: ROLE_USER'
    18:00:47,517 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
    18:00:47,533 DEBUG [org.springframework.security.web.session.HttpSessionEventPublisher] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@24513d]
    18:00:47,533 DEBUG [org.springframework.security.web.session.HttpSessionEventPublisher] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@51a7f9]
    18:00:47,533 DEBUG [org.springframework.security.web.session.HttpSessionEventPublisher] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@ef49ce]
    It appears (to me) that for some reason each new request from the browser is attempting to create a new session but I'm not sure why that would be. My session concurrency setup is as follows:


    Code:
      <bean id="concurrencyFilter"
          class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <property name="sessionRegistry" ref="sessionRegistry" />
        <property name="expiredUrl" value="/session-expired.htm" />
      </bean>

      <bean id="sessionMgmtFilter" class="org.springframework.security.web.session.SessionManagementFilter">
        <constructor-arg ref="securityContextRepository" />
        <property name="sessionAuthenticationStrategy" ref="sas" />
      </bean>

      <bean id="sas"
          class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <property name="maximumSessions" value="1" />
        <property name="exceptionIfMaximumExceeded" value="true" />
      </bean>

      <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
    My sessionManagementFilter is placed after my j2eePreAuthenticatedAuthenticationFilter as it should be.

    Relevant Flex Config:

    Code:
      <!-- Message Broker secured for authorized roles -->
      <flex:message-broker>
        <flex:secured>
          <flex:secured-endpoint-path pattern="**/messagebroker/**" access="ROLE_USER,ROLE_MANAGER,ROLE_ADMINISTRATOR" />
        </flex:secured>
      </flex:message-broker>
    Any help understanding/fixing this problem would be greatly appreciated. I have looked through the additional spring-flex security source for "security3" and the session fixation code and it has not helped shed much light.

    Thanks,

    Sam

  • #2
    I'm not certain what could be causing the problem. Could you post a bit more of your security config so I can try and reproduce? Or even better, if you can modify the security sample in the Test Drive to show the behavior, I can likely track down any issue much faster.



    • #3
      I was able to get past the multiple session creation through an upgrade to Tomcat 6.0.29 and Spring Security 3.0.3, but the original problem of my SWF not loading still persists. I have updated to a more modern Spring Security configuration to see if that would alleviate my issue, but no luck. What is most odd is that I have turned session-fixation-protection to "none" and it is still occurring, as evidenced by my log:

      Code:
      17:19:45,543 DEBUG [org.springframework.security.web.FilterChainProxy$VirtualFilterChain] /index.html at position 9 of 11 in additional filter chain; firing Filter: '[email protected]12914a8'
      17:19:45,543 DEBUG [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy] Invalidating session with Id '1DCF4E2DC2D989BC4834BD9E03C7EEB2' and migrating attributes.
      My security is configured as follows:

      Code:
            <sec:http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
              <sec:intercept-url pattern='/**' access='ROLE_USER, ROLE_MANAGER, ROLE_ADMINISTRATOR'/>
              <sec:custom-filter position="PRE_AUTH_FILTER" ref="j2eePreAuthFilter" />
              <sec:session-management session-fixation-protection="none" invalid-session-url="/sessionTimeout.htm">
                  <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
              </sec:session-management>
              <sec:logout logout-success-url="/"/>
            </sec:http>
      I believe that Tomcat is getting confused with the session id returned because the session ID and jsessionid have changed since it sent them to the web application. I am using FORM based login with Tomcat and web.xml and then forwarding from there to a Spring Security J2EEPreauthenticatedAuthenticationFilter to simulate some SSO behavior we have in another environment. The first request and authorization go fine but the subsequent requests are returned as the login page because Tomcat does not understand the session that it got back.

      Any help greatly appreciated.

      Thanks,

      Sam

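      The mechanism being debugged in the first and third posts, as an added model (not code from the thread, Tomcat or Spring Security): a migrate-session fixation strategy plus max-sessions=1 concurrency control, and what happens when the client keeps sending the pre-login session id after the server has migrated it. The `Server`, `simulate` and `second_login_rejected` names and the "sam" principal are constructed for the example.

```python
import secrets

class Server:
    """Toy container session store plus a Spring-style session registry."""
    def __init__(self, max_sessions=1):
        self.sessions = {}      # sid -> attribute dict (the container's store)
        self.registry = {}      # principal -> list of registered session ids
        self.max_sessions = max_sessions
        self.created = 0        # one HttpSessionCreatedEvent per new session

    def _new_session(self, attrs=None):
        sid = secrets.token_hex(16)
        self.sessions[sid] = dict(attrs or {})
        self.created += 1
        return sid

    def request(self, cookie_sid, login_as=None):
        """Serve one request; return the session id the response would set."""
        sid = cookie_sid if cookie_sid in self.sessions else self._new_session()
        if login_as is not None:
            # migrateSession: invalidate the pre-login session and copy its
            # attributes into a fresh one, so an id known before login is useless.
            sid = self._new_session(self.sessions.pop(sid))
            # concurrency control: max-sessions=1, error-if-maximum-exceeded
            active = self.registry.setdefault(login_as, [])
            if len(active) >= self.max_sessions:
                raise RuntimeError("maximum sessions exceeded for " + login_as)
            active.append(sid)
            self.sessions[sid]["principal"] = login_as
        return sid

def simulate(client_updates_cookie):
    """Login, then three resource fetches. Returns (sessions created, ids seen)."""
    srv = Server()
    cookie = srv.request(None)                    # pre-created by FORM login
    migrated = srv.request(cookie, login_as="sam")
    if client_updates_cookie:
        cookie = migrated                         # browser honoured Set-Cookie
    ids = {srv.request(cookie) for _ in range(3)}  # SWF, JS, image
    return srv.created, ids

def second_login_rejected():
    """A second authenticated session for the same user hits max-sessions=1."""
    srv = Server()
    srv.request(srv.request(None), login_as="sam")
    try:
        srv.request(srv.request(None), login_as="sam")
        return False
    except RuntimeError:
        return True
```

      With a client that keeps the stale cookie, every resource fetch after login lands on a new session (the three HttpSessionCreatedEvent lines in the first post); once the browser carries the migrated id, all fetches share the single registered session.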


      • #4
        Thanks, Jeremy. Take a look at my latest response and let me know if there is more that I can provide. As mentioned, web.xml is configured for FORM login with Tomcat so that a session is pre-created prior to being handed off to Spring Security J2EEPreAuth. Once it gets there the config is as I posted above. Let me know if you see anything incorrect, or let me know if you think that PreAuth may not be compatible with the session fixation protection.

        Thanks,

        Sam



        • #5
          Session fixation

          Hi friends,

          I want to use session fixation in my application. Please help me out and give me some direction on how I can do this.

          What are the required things to implement session management in Spring?
