Programmatically Using Spring Security

I use Wicket with the Wicket Auth project for my presentation layer, and therefore I integrated it with Spring Security. This is the method that Wicket calls to authenticate for me:

    // Spring Security 2.0.x packages (the version this configuration targets)
    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.AuthenticationManager;
    import org.springframework.security.context.SecurityContextHolder;
    import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

    @Override
    public boolean authenticate(String username, String password) {
        try {
            // Unauthenticated request token carrying the submitted credentials
            Authentication request = new UsernamePasswordAuthenticationToken(username, password);
            // Delegates to the configured provider (user-service-ref + bcrypt password encoder)
            Authentication result = authenticationManager.authenticate(request);
            // Make the authenticated principal available for the rest of this request
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            return false;
        }
        return true;
    }

The content (inside) of my Spring Security security configuration:

    <http path-type="regex">
        <form-login login-page="/signin"/>
        <logout logout-url="/logout"/>
    </http>

    <global-method-security secured-annotations="enabled"/>

    <authentication-manager alias="authenticationManager"/>

    <authentication-provider user-service-ref="userService">
        <password-encoder ref="bcryptpasswordencoder"/>
    </authentication-provider>

Section 2.3.6, Session Fixation Attack Protection, of the reference documentation states:

Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). Spring Security protects against this automatically by creating a new session when a user logs in. If you don't require this protection, or it conflicts with some other requirement, you can control the behaviour using the session-fixation-protection attribute, which has three options:

  • migrateSession - creates a new session and copies the existing session attributes to the new session. This is the default.
  • none - don't do anything. The original session will be retained.
  • newSession - create a new "clean" session, without copying the existing session data.

Authentication works, but since I'm pretty new to Spring Security I have some questions that I need answered too:

  • Normally, for login, I would POST the authentication information to j_spring_security_check and let Spring Security execute the actual authentication code. I would like to have protection against session fixation attacks; will I get it when I perform the login programmatically, as I do above? And if not, what do I need to do to get it?
  • How do I perform a programmatic logout?
  • If I use programmatic login and logout, how do I stop Spring Security from intercepting those URLs?

Update: To protect against session fixation attacks, it seems that I need to call a method in the SessionUtils class with the signature startNewSessionIfRequired(HttpServletRequest request, boolean migrateAttributes, SessionRegistry sessionRegistry).

How do I get the SessionRegistry instance that I need to pass? I cannot find a way to create an alias identifier for it or how to get its identifier or name.

+36
java spring spring-security wicket
Jun 18 '09 at 14:40
6 answers

This may not be the complete answer to your questions, but it may help you.

The code that runs when you do NOT use programmatic login, i.e. the standard filter, can be found here:

org.springframework.security.ui.webapp.AuthenticationProcessingFilter

I think you were inspired by this in your code. It looks very similar.

Similarly, the code executed when accessing /j_spring_security_logout in the standard approach can be found here:

org.springframework.security.ui.logout.LogoutFilter

LogoutFilter calls several handlers. The handler we use is called org.springframework.security.ui.logout.SecurityContextLogoutHandler, so you can call the same code in your approach.

+22
Jun 19 '09 at 11:04

You really will be open to session fixation attacks. To fix this, you can again be "inspired" by the Spring code. To create a new session you obviously need access to the HttpSession, so you may need to do some refactoring.

Have a look at the SessionUtils method startNewSessionIfRequired.

This will transfer the authentication to a new session. You could call this method directly, or just slightly reorganize the code.

Regarding programmatic logout, you can't go wrong just by calling session.invalidate() when you need to log a person out. This will do everything you need in terms of overall security, but keep in mind that you may also need to clean up some things in the session. If you have a very complicated set of filters, etc., and you need to make sure that the user is logged out for the rest of the request, you can add:

 SecurityContextHolder.getContext().setAuthentication(null); 

As for intercepting the URLs, you can just set them to something unused and ignore it! I'm not sure if you can disable the interception in the configuration; if you really want to remove it, look at AuthenticationProcessingFilter, which you can configure. If you do this, you will have to configure the Spring Security XML manually instead of using the provided namespace. This is not too complicated; look at some of the older docs and you will see how to do it.

Hope this helps!

+8
Jun 21 '09 at 20:39

1) Programmatic logout

  • call HttpServletRequest.getSession(false).invalidate()
  • call SecurityContextHolder.clearContext()

2) To tell Spring Security NOT to intercept specific URLs: this depends on how your application's URL space is configured. If all your pages (except /logIn and /logout) live under /myApp, you can do this:

    <http ...>
        <intercept-url pattern="/myApp/**" .../>
        ...
    </http>
+6
Jun 23 '09 at 22:26

I had a problem with programmatic login. I called authenticationManager.authenticate(...) and SecurityContextHolder.getContext().setAuthentication(...), but had some problems with the session. I needed to add the following lines to properly manage the session:

    HttpSession session = request.getSession();
    // Same key the session integration filter uses, so the next request picks the context up
    session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());

This was not clear from the code example above. See http://forum.springsource.org/showthread.php?t=69761 for more details.

+1
Nov 03 '10 at 13:51

To perform a programmatic logout, you can also throw an org.springframework.security.core.AuthenticationException, for example SessionAuthenticationException. In this case the ExceptionTranslationFilter triggers a logout.

0
Jul 16 '10 at 7:27

You can try this

    try {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        SecurityContextHolder.clearContext();
    } catch (Exception e) {
        logger.log(LogLevel.INFO, "Problem logging out.");
    }
0
Mar 19
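Putting the thread together: the programmatic login from the question (plus the session-storing lines from the Nov 03 '10 answer), the session migration the Jun 21 '09 answer points at, and the logout steps from the Jun 23 '09 and Mar 19 answers, as one added example. This is not code from the question, from any of the answers, or from Spring Security itself. The class ProgrammaticAuth and its methods are hypothetical; it uses the Spring Security 2.0.x package names that the question's configuration targets, and it expects the caller to hand it the HttpServletRequest (in Wicket that comes from the current request cycle). Instead of calling SessionUtils.startNewSessionIfRequired, whose SessionRegistry argument the question is asking about, it performs the equivalent of the documented migrateSession option itself with the plain Servlet API: copy the attributes, invalidate the old session, create a fresh one and copy them back, and only then store the authenticated context.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

/**
 * Hypothetical helper for programmatic login/logout (not part of Spring Security).
 * Package names are those of Spring Security 2.0.x, matching the question's configuration.
 */
public class ProgrammaticAuth {

    // Session attribute under which the standard filter keeps the SecurityContext
    private static final String SPRING_SECURITY_CONTEXT = "SPRING_SECURITY_CONTEXT";

    private final AuthenticationManager authenticationManager;

    public ProgrammaticAuth(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /**
     * Authenticates the credentials and, on success, rotates the session ID before the
     * authenticated context is stored: the pre-login session ID, which an attacker may
     * have planted in the victim's browser, must not survive into the authenticated session.
     */
    public boolean login(HttpServletRequest request, String username, String password) {
        Authentication result;
        try {
            result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
        } catch (AuthenticationException e) {
            // Failed login: leave no stale authentication behind for this request
            SecurityContextHolder.clearContext();
            return false;
        }

        // Equivalent of the "migrateSession" option: new session, attributes carried over
        HttpSession session = migrateSession(request);

        SecurityContextHolder.getContext().setAuthentication(result);
        // Persist the context so the session integration filter restores it on later requests
        session.setAttribute(SPRING_SECURITY_CONTEXT, SecurityContextHolder.getContext());
        return true;
    }

    /** Programmatic logout: invalidate the session and clear the context for the rest of the request. */
    public void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();   // also drops the stored SPRING_SECURITY_CONTEXT attribute
        }
        SecurityContextHolder.clearContext();
    }

    /** Invalidates the current session (if any) and copies its attributes into a fresh one. */
    static HttpSession migrateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> attrs = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                attrs.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);   // new session ID, new cookie sent to the browser
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

The ordering is the point: authentication happens first, so a failed attempt does not churn sessions; the session is rotated before the context is stored, so the SPRING_SECURITY_CONTEXT attribute only ever lives under the new ID; and logout clears the holder after invalidating the session, so filters that run later in the same request do not still see the old principal, which is the concern the Jun 21 '09 answer raises.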


