Spring Security with CAS skips session fixation protection
Question
I have an application which uses spring security and CAS (spring 3.0.5, cas 3.4.5) but when I log in the session id isn't changing.
When I log in, the CasAuthenticationFilter performs authentication and, if the auth is successful, it doesn't continue the filter chain; instead it sets the authentication on the SecurityContextHolder and calls the successHandler. This redirects to the original URL I requested, which required authentication. The SessionManagementFilter never gets a crack at calling the session strategy to create a new session.
It appears that the AbstractAuthenticationFilter that CasAuthenticationFilter extends has its own session strategy, but the default is NullAuthenticatedSessionStrategy, which is vulnerable to session fixation. The question is why the default strategy is vulnerable when Spring claims to prevent session fixation by default.
What is the best resolution to fix this?
Answer
The session-fixation strategy is only automatically set when you are using the namespace. If you are using an explicit filter, then you can just inject a SessionFixationProtectionStrategy into the filter yourself. Alternatively, if there's an obvious post-authentication starting point in your application, you can just recreate the session there.
The session fixation version probably isn't set by default for historical reasons, since the filters predate the introduction of the session authentication strategy and changes are usually introduced in a conservative fashion. You could open a change request to suggest that it might be better on by default.
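As an added example (not part of the original question or answer), this is what the first option looks like in Spring Security 3.0.x XML bean configuration when the CAS filter is declared as an explicit bean rather than through the namespace. The bean ids `casAuthenticationFilter`, `authenticationManager`, `casSuccessHandler` and `sessionFixationStrategy` are assumed names; `sessionAuthenticationStrategy` is the setter that `AbstractAuthenticationProcessingFilter` exposes and that `CasAuthenticationFilter` inherits.

```xml
<!-- Added example: explicit CasAuthenticationFilter bean with session fixation
     protection wired in. Bean ids other than the class names are assumed. -->
<bean id="casAuthenticationFilter"
      class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <!-- Without this property the filter keeps its default
         NullAuthenticatedSessionStrategy and the session id survives login. -->
    <property name="sessionAuthenticationStrategy" ref="sessionFixationStrategy"/>
    <property name="authenticationSuccessHandler" ref="casSuccessHandler"/>
</bean>

<!-- Invalidates the pre-login session and creates a fresh one on successful
     authentication, before the success handler redirects. -->
<bean id="sessionFixationStrategy"
      class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
    <!-- Carry the attributes of the old session over to the new one. -->
    <property name="migrateSessionAttributes" value="true"/>
</bean>
```

To confirm the change took effect, capture the JSESSIONID cookie the container issued before the redirect to CAS and compare it with the cookie set in the response that processes the returned service ticket: with the strategy wired in they must differ, and a request replaying the old id must no longer be authenticated.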