Spring Security with CAS Skips Session Fixation Protection

I have an application that uses Spring Security and CAS (Spring 3.0.5, CAS 3.4.5), but when I log in, the session identifier does not change.

When I log in, the CasAuthenticationFilter authenticates and, if authentication succeeds, it does not continue the filter chain; instead it sets the authentication in the SecurityContextHolder and calls the successHandler, which redirects to the original URL I requested that required authentication. SessionManagementFilter never gets a chance to run, so the session strategy never creates a new session.

It seems that AbstractAuthenticationFilter, which CasAuthenticationFilter extends, has its own session strategy, but by default it is NullAuthenticatedSessionStrategy, which is vulnerable to session fixation. The question is, why is the default strategy vulnerable when Spring claims to prevent session fixation by default?

What is the best resolution to fix this?

+4
2 answers

A session fixation strategy is set automatically only when you use the namespace. If you use an explicit filter, you can simply inject SessionFixationProtectionStrategy into the filter yourself. Alternatively, if the application has an obvious starting point after authentication, you can simply recreate the session there.

The session fixation strategy is probably not set by default for historical reasons, since the filters predate the introduction of the session authentication strategy, and changes are usually made conservatively. You could open a change request to suggest that the default should be better.

+5

I had the same problem. I solved this by explicitly injecting SessionFixationProtectionStrategy (the namespace-based configuration does not seem to work with my custom CAS filter). This is my current configuration:

    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>

    <bean id="sessionControlStrategy" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <constructor-arg ref="sessionRegistry"/>
        <property name="maximumSessions" value="2"/>
    </bean>

    <bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="sessionAuthenticationStrategy" ref="sessionControlStrategy"/>
    </bean>

+3
