How Spring Security prevents session fixation attacks
Bryan Wong · 2013-05-12 · via 博客园 - Bryan Wong

A session fixation attack exploits the fact that the server keeps the same session across authentication: the attacker lets someone else authenticate on a session and obtain its authorization, then impersonates that person. The vulnerability typically appears when an application creates an anonymous session for every user on their first visit and, once the user logs in, simply upgrades that same session to an authenticated one. At first the session token carries no access rights, but after the user authenticates, the very same token holds that user's rights.

To prevent session fixation, create a new session id once the user has logged in successfully, and forcibly invalidate the anonymous session that existed before login. Spring Security does this by default. The implementation [version 3.1] is as follows: the createSessionManagementFilters method of HttpConfigurationBuilder handles the session-management element of the configuration file and creates the SessionManagementFilter according to it. It first reads session-fixation-protection into the sessionFixationAttribute variable, then uses the following statement to decide whether session fixation protection is required:

boolean sessionFixationProtectionRequired = !sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION);

Note that just before that statement, if sessionFixationAttribute has no value (for example, because no session-management element was configured), the following code ensures the default session-fixation-protection=migrateSession:

if (!StringUtils.hasText(sessionFixationAttribute)) {
    // No explicit setting: fall back to the default, "migrateSession".
    sessionFixationAttribute = OPT_SESSION_FIXATION_MIGRATE_SESSION;
}

In the branch that follows: if you configured session-management with concurrency-control enabled, a ConcurrentSessionControlStrategy is registered with the SessionManagementFilter; otherwise, if sessionFixationProtectionRequired from the code above is true, or invalid-session-url is configured, a SessionFixationProtectionStrategy is registered. Because ConcurrentSessionControlStrategy extends SessionFixationProtectionStrategy, each of these conditions ends up applying the SessionFixationProtectionStrategy, and that strategy is executed inside SessionManagementFilter, whose code is as follows:

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    // Run this filter at most once per request.
    if (request.getAttribute("__spring_security_session_mgmt_filter_applied") != null) {
        chain.doFilter(request, response);
        return;
    }

    request.setAttribute("__spring_security_session_mgmt_filter_applied", Boolean.TRUE);

    // A context not yet saved in the repository means the user authenticated during this request.
    if (!this.securityContextRepository.containsContext(request)) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        if (authentication != null && !this.authenticationTrustResolver.isAnonymous(authentication)) {
            try {
                // This is where the registered SessionFixationProtectionStrategy runs.
                this.sessionAuthenticationStrategy.onAuthentication(authentication, request, response);

                ......

Looking now at the onAuthentication method of SessionFixationProtectionStrategy: in the code below, the key lines (shown in bold in the original) first invalidate the current session and then create a new one.

public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
    boolean hadSessionAlready = request.getSession(false) != null;

    if (!hadSessionAlready && !this.alwaysCreateSession) {
        // No session exists and we are not configured to create one: nothing to protect.
        return;
    }

    HttpSession session = request.getSession();

    if (hadSessionAlready && request.isRequestedSessionIdValid()) {
        String originalSessionId = session.getId();

        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Invalidating session with Id '" + originalSessionId + "' "
                    + (this.migrateSessionAttributes ? "and" : "without") + " migrating attributes.");
        }

        Map attributesToMigrate = extractAttributes(session);

        // Key step 1: invalidate the session the client presented before login.
        session.invalidate();

        // Key step 2: create a fresh session, which gets a new id from the container.
        session = request.getSession(true);

        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Started new session: " + session.getId());
        }

        if (originalSessionId.equals(session.getId())) {
            this.logger.warn("Your servlet container did not change the session ID when a new session was created. You will not be adequately protected against session-fixation attacks");
        }

        transferAttributes(attributesToMigrate, session);
        onSessionChange(originalSessionId, session, authentication);
    }
}
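
The following is an added example, not code from the original post or from Spring Security. It models the three pieces the post describes: the anonymous pre-login session, the migrate-on-login behaviour of SessionFixationProtectionStrategy (invalidate, create a fresh id, carry attributes over, warn if the container re-issued the same id), and the effect of the session-fixation-protection setting. The Session and SessionStore classes are constructed stand-ins for HttpSession and the servlet container; the mode names "migrateSession" and "none" come from the post, and "newSession" is the other value Spring Security 3.1 accepts. The handling of a request with no valid session is simplified relative to the original's alwaysCreateSession logic.

```python
"""Model of Spring Security's session-fixation handling (added example; not Spring's code)."""
import logging
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

log = logging.getLogger("session-fixation-demo")


@dataclass
class Session:
    """Constructed stand-in for an HttpSession: id, attributes, validity flag."""
    id: str
    attributes: Dict[str, object] = field(default_factory=dict)
    valid: bool = True


class SessionStore:
    """Constructed stand-in for the servlet container's session registry.

    reuse_ids=True reproduces a container that re-issues the invalidated id,
    the situation Spring's "did not change the session ID" warning is about.
    """

    def __init__(self, reuse_ids: bool = False) -> None:
        self._sessions: Dict[str, Session] = {}
        self._reuse_ids = reuse_ids
        self._last_invalidated: Optional[str] = None

    def create(self) -> Session:
        if self._reuse_ids and self._last_invalidated is not None:
            sid = self._last_invalidated
        else:
            sid = secrets.token_hex(16)
        session = Session(id=sid)
        self._sessions[sid] = session
        return session

    def get(self, sid: str) -> Optional[Session]:
        """Return the session only if it exists and is still valid."""
        session = self._sessions.get(sid)
        return session if session is not None and session.valid else None

    def invalidate(self, session: Session) -> None:
        session.valid = False
        session.attributes.clear()
        self._last_invalidated = session.id


def on_authentication(store: SessionStore, presented_sid: str, principal: str,
                      mode: str = "migrateSession") -> Session:
    """Bind the authenticated principal to a session, mirroring
    SessionFixationProtectionStrategy.onAuthentication in simplified form.

    mode: "migrateSession" (Spring's default: new id, attributes copied over),
          "newSession" (new id, attributes dropped), or "none" (keep the
          presented session unchanged, i.e. no protection).
    """
    session = store.get(presented_sid)
    if session is None:
        # No valid session was presented: start a fresh one (simplification of
        # the alwaysCreateSession handling in the original).
        session = store.create()
    elif mode != "none":
        original_id = session.id
        to_migrate = dict(session.attributes) if mode == "migrateSession" else {}
        store.invalidate(session)                 # step 1: kill the pre-login session
        session = store.create()                  # step 2: fresh session, fresh id
        if session.id == original_id:
            log.warning("container did not change the session id; "
                        "session-fixation protection is ineffective")
        session.attributes.update(to_migrate)     # step 3: carry attributes over
    session.attributes["principal"] = principal
    return session


def pre_login_id_still_authenticated(mode: str, reuse_ids: bool = False) -> bool:
    """Deployment check: does an id that existed before login, and so could be
    known to a third party, carry the user's authentication after login?
    True means session fixation is possible under this configuration."""
    store = SessionStore(reuse_ids=reuse_ids)
    anonymous = store.create()                    # issued on the first visit
    anonymous.attributes["cart"] = ["book"]
    pre_login_id = anonymous.id
    on_authentication(store, pre_login_id, "alice", mode)
    after = store.get(pre_login_id)
    return after is not None and after.attributes.get("principal") == "alice"


if __name__ == "__main__":
    for mode in ("none", "migrateSession", "newSession"):
        print(f"{mode:15s} exposed={pre_login_id_still_authenticated(mode)}")
    print("migrateSession on a container that reuses ids: exposed="
          f"{pre_login_id_still_authenticated('migrateSession', reuse_ids=True)}")
```

Running the script shows that only mode "none" leaves the pre-login id authenticated, and that "migrateSession" gives no protection on a container that hands back the same id, which is exactly the condition the warn() call in the Spring code above detects.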

Finally, how do you turn off Spring Security's session-fixation-protection? From the code analysis above: besides setting session-fixation-protection to "none", you must also not set attributes such as concurrency-control or invalid-session-url. For example:

<session-management session-fixation-protection="none" />