Jan 27th, 2011, 03:47 PM
Authentication and session-fixation-protection
I am a little confused about the workings of the session-fixation-protection attribute (in Spring Security 2 and 3).
Our application uses Siteminder for authentication and so uses a pre-authenticated filter. If Siteminder is ever down, then our contingency is for users to add a request variable to the URL, which will be added to the session. Therefore we have overridden the RequestHeaderPreAuthenticatedProcessingFilter class to read from the session if the header is empty and placed this custom class in the "PRE_AUTH_FILTER" position of the stack.
Invoking our home page URL with this contingency request parameter works fine when we have session-fixation-protection="none". However, when we have it set to the default "migrateSession" our authorization fails.
From my reading of the reference documentation, all session attributes should be recreated in a new session when a session is invalidated.
Therefore my question is this: at what stage is my session being invalidated for pre-authentication, and how come it's not being recreated?
I've attached a log for when it fails. Somewhere between lines 108 and 113 the session is invalidated.
Any information would be appreciated.
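The filter described in the post above, written out as an added example (editor's code, not the poster's or the Spring Security project's). It uses the Spring Security 3.x class names; the parameter name, session attribute name, the `siteminderDown` property and the bean ids in the comment are all assumptions, and `SM_USER` is just the header SiteMinder conventionally injects. Two things a practitioner would want checked: the "SiteMinder is down" decision must come from something the requester cannot influence (a missing header is exactly what a client that reaches the application without going through the agent would present, which is the concern the reply below raises), and with `session-fixation-protection="migrateSession"` the attribute the filter stores must be one that survives the session migration, which Spring Security performs by copying attributes into the new session.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.web.authentication.preauth.RequestHeaderPreAuthenticatedProcessingFilter;

/*
 * Corresponding Spring Security 3.x XML wiring (bean ids are hypothetical):
 *
 *   <http entry-point-ref="preAuthEntryPoint">
 *     <intercept-url pattern="/**" access="ROLE_USER"/>
 *     <custom-filter position="PRE_AUTH_FILTER" ref="contingencyPreAuthFilter"/>
 *     <session-management session-fixation-protection="migrateSession"/>
 *   </http>
 *
 *   <beans:bean id="contingencyPreAuthFilter" class="example.ContingencyPreAuthFilter">
 *     <beans:property name="principalRequestHeader" value="SM_USER"/>
 *     <beans:property name="authenticationManager" ref="authenticationManager"/>
 *     <beans:property name="siteminderDown" value="false"/>
 *   </beans:bean>
 */
public class ContingencyPreAuthFilter extends RequestHeaderPreAuthenticatedProcessingFilter {

    // Assumed names; not taken from the original post.
    static final String CONTINGENCY_PARAM = "smContingencyUser";
    static final String SESSION_ATTR = "example.CONTINGENCY_PRINCIPAL";

    // Operator-controlled switch (configuration, JMX, health check). It must never be
    // derived from the incoming request, or the header check becomes bypassable.
    private volatile boolean siteminderDown = false;

    public ContingencyPreAuthFilter() {
        // Let the superclass return null instead of throwing when SM_USER is absent,
        // so we get to decide what a missing header means.
        setExceptionIfHeaderMissing(false);
    }

    public void setSiteminderDown(boolean siteminderDown) {
        this.siteminderDown = siteminderDown;
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // Normal path: whatever SiteMinder put in the header wins, regardless of
        // any contingency parameter on the URL.
        Object fromHeader = super.getPreAuthenticatedPrincipal(request);
        if (fromHeader != null) {
            return fromHeader;
        }

        // Header absent while SiteMinder is believed healthy: not authenticated.
        if (!siteminderDown) {
            return null;
        }

        // Contingency path: accept the parameter once and remember it in the session.
        String fromParam = request.getParameter(CONTINGENCY_PARAM);
        if (fromParam != null && fromParam.trim().length() > 0) {
            HttpSession session = request.getSession(true);
            session.setAttribute(SESSION_ATTR, fromParam.trim());
            return fromParam.trim();
        }

        // Later requests in the contingency period: reuse what the session holds,
        // without creating a session just to look.
        HttpSession session = request.getSession(false);
        return (session == null) ? null : session.getAttribute(SESSION_ATTR);
    }
}
```

Because `AbstractPreAuthenticatedProcessingFilter` runs on every request, `getPreAuthenticatedPrincipal` returning null simply means "no pre-authenticated identity here" and the request falls through to the entry point; it does not clear an authentication that is already in the session.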
Jan 28th, 2011, 07:14 AM
Are you saying that the user can just bypass siteminder by adding a principal name to the request?
How are they actually authenticated in that case?
Jan 28th, 2011, 02:33 PM
No, the contingency request parameter is only read if Siteminder is down. So if Siteminder is working correctly, then the contingency parameter is never read so users cannot bypass Siteminder.
That's the logic we added to our overridden class.