org.springframework.security.web.authentication.session
Class SessionFixationProtectionStrategy

java.lang.Object
  org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

All Implemented Interfaces:

SessionAuthenticationStrategy

Direct Known Subclasses:

ConcurrentSessionControlStrategy

public class SessionFixationProtectionStrategy
extends Object
implements SessionAuthenticationStrategy

The default implementation of SessionAuthenticationStrategy.

Creates a new session for the newly authenticated user if they already have a session (as a defence against session-fixation protection attacks), and copies their session attributes across to the new session (can be disabled by setting migrateSessionAttributes to false).

This approach will only be effective if your servlet container always assigns a new session Id when a session is invalidated and a new session created by calling HttpServletRequest.getSession().

If concurrent session control is in use, then a SessionRegistry must be injected.

Since:

3.0

Field Summary

protected org.apache.commons.logging.Log

logger

Constructor Summary

SessionFixationProtectionStrategy()

Method Summary

void	onAuthentication(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Called when a user is newly authenticated.
protected void	onSessionChange(String originalSessionId, javax.servlet.http.HttpSession newSession, Authentication auth) Called when the session has been changed and the old attributes have been migrated to the new session.
void	setAlwaysCreateSession(boolean alwaysCreateSession)
void	setMigrateSessionAttributes(boolean migrateSessionAttributes)
void	setRetainedAttributes(List<String> retainedAttributes)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

protected final org.apache.commons.logging.Log logger

Constructor Detail

SessionFixationProtectionStrategy

public SessionFixationProtectionStrategy()

Method Detail

onAuthentication

public void onAuthentication(Authentication authentication,
                             javax.servlet.http.HttpServletRequest request,
                             javax.servlet.http.HttpServletResponse response)

Called when a user is newly authenticated.

If a session already exists, and matches the session Id from the client, a new session will be created, and the session attributes copied to it (if migrateSessionAttributes is set). The sessionRegistry will be updated with the new session information. If the client's requested session Id is invalid, nothing will be done, since there is no need to change the session Id if it doesn't match the current session.

If there is no session, no action is taken unless the alwaysCreateSession property is set, in which case a session will be created if one doesn't already exist.

Specified by:

onAuthentication in interface SessionAuthenticationStrategy

onSessionChange

protected void onSessionChange(String originalSessionId,
                               javax.servlet.http.HttpSession newSession,
                               Authentication auth)

Called when the session has been changed and the old attributes have been migrated to the new session. Only called if a session existed to start with. Allows subclasses to plug in additional behaviour.

Parameters:

originalSessionId - the original session identifier

newSession - the newly created session

auth - the token for the newly authenticated principal

setMigrateSessionAttributes

public void setMigrateSessionAttributes(boolean migrateSessionAttributes)

setRetainedAttributes

public void setRetainedAttributes(List<String> retainedAttributes)

setAlwaysCreateSession

public void setAlwaysCreateSession(boolean alwaysCreateSession)