
Thread: session-fixation and session-controller-ref

  1. #1
    Join Date
    Jun 2008
    Posts
    6


    If I set session-controller-ref and session-fixation-protection, then concurrent session control won't work at all, because invalidateSessionOnSuccessfulAuthentication will be set to true and this will invalidate the session that was added to the sessionRegistry.

    I found a solution for this, but it is rather slow:
    1. Check login and password.
    2. Create session.
    3. Check concurrent sessions and save the created session in the sessionRegistry.
    4. Recreate session (session-fixation-protection).
    5. Check concurrent sessions again.

    This solution works (by modifying AbstractProcessingFilter), but I need to save sessions in a database and this solution is very slow for me.

    Is it a bug, or is there some solution? Why can't the sessionId be added to the sessionRegistry after it was recreated by AbstractProcessingFilter?

    In my opinion it would be better if:
    1. Check login and password
    2. Recreate session (session-fixation-protection)
    3. Process it by concurrent session controller.

    Maybe I'm understanding something wrong?

    PS Sorry for my English.

  2. #2
    Luke Taylor (Senior Member, Acegi Security System Team / Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    I'm not entirely clear what you're saying, but it's likely that if you are configuring all the concurrent session control beans manually, then you will need to do the same for other beans which depend on it (such as the AuthenticationProcessingFilter/AbstractProcessingFilter).

    Could you attach a configuration file to illustrate the kind of setup you're using?

  3. #3
    Join Date
    Jun 2008
    Posts
    6


    Yes, you are right. Here is my configuration:
    Code:
    <security:authentication-manager alias="authenticationManager" session-controller-ref="mwSessionController"/>

    <security:http auto-config="true" session-fixation-protection="none">
        <security:intercept-url pattern="/Game/**" access="ROLE_CHARACTER" />
        <security:intercept-url pattern="/Game/login.htm*" filters="none" />
        <security:intercept-url pattern="/Game/registration.htm*" filters="none"/>
        <security:form-login login-page="/Game/login.htm" default-target-url="/Game/game.htm" authentication-failure-url="/Game/login.htm?login_error=1"/>
        <security:logout logout-url="/Game/logout.htm" logout-success-url="/Game/login.htm"/>
    </security:http>

    <security:authentication-provider user-service-ref="mwUserDetailsService">
        <security:password-encoder hash="plaintext"/>
    </security:authentication-provider>

    <bean id="sessionFilter" class="org.springframework.security.concurrent.ConcurrentSessionFilter">
        <security:custom-filter position="CONCURRENT_SESSION_FILTER"/>
        <property name="sessionRegistry" ref="mwSessionRegistry" />
    </bean>

    <bean id="mwUserDetailsService" class="ru.mirrorworlds.util.SecurityManager" />

    <bean id="mwSessionController" class="ru.mirrorworlds.util.session.ConcurrentSessionControllerImpl">
        <property name="maximumSessions" value="1" />
        <property name="exceptionIfMaximumExceeded" value="true" />
        <property name="sessionRegistry" ref="mwSessionRegistry" />
    </bean>

    <bean id="mwSessionRegistry" class="ru.mirrorworlds.util.session.SessionRegistryImpl" />
    This is a working configuration. But if I set session-fixation-protection to "migrateSession", then I get this log (I'm using a lot of stuff, so I shortened the log to see what's happening):

    Code:
    2008-06-10 09:04:08,984 DEBUG [org.springframework.security.util.FilterChainProxy] - /Game/j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
    2008-06-10 09:04:08,984 DEBUG [org.springframework.security.context.HttpSessionContextIntegrationFilter] - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    2008-06-10 09:04:08,984 DEBUG [org.springframework.security.context.HttpSessionContextIntegrationFilter] - New SecurityContext instance will be associated with SecurityContextHolder
    2008-06-10 09:04:08,984 DEBUG [org.springframework.security.util.FilterChainProxy] - /Game/j_spring_security_check at position 3 of 11 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=300; ]'
    2008-06-10 09:04:08,984 DEBUG [org.springframework.security.util.FilterChainProxy] - /Game/j_spring_security_check at position 4 of 11 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
    2008-06-10 09:04:08,984 DEBUG [org.springframework.security.ui.webapp.AuthenticationProcessingFilter] - Request is to process authentication
    2008-06-10 09:04:08,984 DEBUG [org.springframework.security.providers.ProviderManager] - Authentication attempt using org.springframework.security.providers.dao.DaoAuthenticationProvider
    2008-06-10 09:04:09,187 DEBUG [ru.mirrorworlds.util.session.SessionRegistryImpl] - Creating new session with id: 28B0BD2FC206852BB8235F6D4014BEE5
    2008-06-10 09:04:09,250 INFO [ru.mirrorworlds.util.LogEventListener] - login: Hamster
    2008-06-10 09:04:09,250 DEBUG [org.springframework.security.ui.webapp.AuthenticationProcessingFilter] - Authentication success: org.springframework.security.providers.UsernamePasswordAuthenticationToken@58a5eb5e: Principal: ru.mirrorworlds.model.Character@514f7f; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: 28B0BD2FC206852BB8235F6D4014BEE5; Granted Authorities: ru.mirrorworlds.model.Authority@ec42e0
    2008-06-10 09:04:09,250 DEBUG [org.springframework.security.ui.webapp.AuthenticationProcessingFilter] - Updated SecurityContextHolder to contain the following Authentication: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken@58a5eb5e: Principal: ru.mirrorworlds.model.Character@514f7f; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: 28B0BD2FC206852BB8235F6D4014BEE5; Granted Authorities: ru.mirrorworlds.model.Authority@ec42e0'
    2008-06-10 09:04:09,250 DEBUG [org.springframework.security.util.SessionUtils] - Invalidating session with Id '28B0BD2FC206852BB8235F6D4014BEE5' and migrating attributes.
    2008-06-10 09:04:09,250 DEBUG [org.springframework.security.ui.session.HttpSessionEventPublisher] - Publishing event: org.springframework.security.ui.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@7cb44d]
    2008-06-10 09:04:09,250 DEBUG [ru.mirrorworlds.util.session.SessionRegistryImpl] - onApplication event log out
    2008-06-10 09:04:09,250 DEBUG [ru.mirrorworlds.util.session.SessionRegistryImpl] - Remove session with id: 28B0BD2FC206852BB8235F6D4014BEE5
    2008-06-10 09:04:09,296 DEBUG [org.springframework.security.context.HttpSessionContextIntegrationFilter] - SecurityContext stored to HttpSession: 'org.springframework.security.context.SecurityContextImpl@58a5eb5e: Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken@58a5eb5e: Principal: ru.mirrorworlds.model.Character@514f7f; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: 28B0BD2FC206852BB8235F6D4014BEE5; Granted Authorities: ru.mirrorworlds.model.Authority@ec42e0'
    2008-06-10 09:04:09,296 DEBUG [org.springframework.security.context.HttpSessionContextIntegrationFilter] - SecurityContextHolder now cleared, as request processing completed
    2008-06-10 09:04:09,312 DEBUG [org.springframework.security.util.FilterChainProxy] - Converted URL to lowercase, from: '/game/game.htm'; to: '/game/game.htm'
    2008-06-10 09:04:09,312 DEBUG [org.springframework.security.util.FilterChainProxy] - Candidate is: '/game/game.htm'; pattern is /game/login.htm*; matched=false
    2008-06-10 09:04:09,312 DEBUG [org.springframework.security.util.FilterChainProxy] - Converted URL to lowercase, from: '/game/game.htm'; to: '/game/game.htm'
    2008-06-10 09:04:09,312 DEBUG [org.springframework.security.util.FilterChainProxy] - Candidate is: '/game/game.htm'; pattern is /game/registration.htm*; matched=false
    2008-06-10 09:04:09,312 DEBUG [org.springframework.security.util.FilterChainProxy] - Converted URL to lowercase, from: '/game/game.htm'; to: '/game/game.htm'
    2008-06-10 09:04:09,312 DEBUG [org.springframework.security.util.FilterChainProxy] - Candidate is: '/game/game.htm'; pattern is /**; matched=true
    2008-06-10 09:04:09,312 DEBUG [org.springframework.security.util.FilterChainProxy] - /Game/game.htm at position 1 of 11 in additional filter chain; firing Filter: 'org.springframework.security.concurrent.ConcurrentSessionFilter[ order=100; ]'
    As you can see, first of all the session is registered for id 28B0BD2FC206852BB8235F6D4014BEE5. Then it is invalidated and the SessionRegistry removes the session information, and after login I don't have any session in the sessionRegistry.

    As I can see, the problem is in AbstractProcessingFilter:
    Code:
    if (invalidateSessionOnSuccessfulAuthentication) {
        // sessionRegistry is the filter's own field; it stays null unless something injects it
        SessionUtils.startNewSessionIfRequired(request, migrateInvalidatedSessionAttributes, sessionRegistry);
    }
    AbstractProcessingFilter doesn't know about my sessionRegistry.
    How do I set it with the namespace configuration?

  4. #4
    Luke Taylor (Senior Member, Acegi Security System Team / Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    You'll probably have to remove the form-login element and configure an AuthenticationProcessingFilter explicitly. We should probably add a BeanPostProcessor which detects that a ConcurrentSessionController is in use and attempts to make sure that the associated session registry is set on beans which require it. This kind of thing can start to get a bit messy though.
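
    The explicit wiring described in the reply above, written out as an added example; this is not code from the thread or from the Spring Security project. It assumes Spring Security 2.0.x (the class names and filter positions that appear in the log in post #3), keeps the poster's bean ids mwSessionRegistry, mwSessionController and mwUserDetailsService, assumes the 2.0.x `entry-point-ref` attribute on `<http>` is available in the version in use, and assumes the `sessionRegistry` property on AbstractProcessingFilter that the poster's quoted snippet refers to. The `loginEntryPoint` and `authenticationProcessingFilter` bean ids are invented for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: <form-login> replaced by an explicit
     AuthenticationProcessingFilter that is handed the session registry.
     Assumes Spring Security 2.0.x; the mw* bean ids are the poster's. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <security:authentication-manager alias="authenticationManager"
                                     session-controller-ref="mwSessionController"/>

    <!-- auto-config="false": auto-config would re-add a form-login filter that
         cannot be given the registry. session-fixation-protection is left at its
         default (migrateSession) rather than switched off. -->
    <security:http auto-config="false" entry-point-ref="loginEntryPoint">
        <security:intercept-url pattern="/Game/login.htm*" filters="none"/>
        <security:intercept-url pattern="/Game/registration.htm*" filters="none"/>
        <security:intercept-url pattern="/Game/**" access="ROLE_CHARACTER"/>
        <security:logout logout-url="/Game/logout.htm" logout-success-url="/Game/login.htm"/>
    </security:http>

    <security:authentication-provider user-service-ref="mwUserDetailsService">
        <security:password-encoder hash="plaintext"/>
    </security:authentication-provider>

    <!-- Replaces <form-login login-page=...>: where unauthenticated users are sent. -->
    <bean id="loginEntryPoint"
          class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <property name="loginFormUrl" value="/Game/login.htm"/>
    </bean>

    <!-- Replaces the namespace-generated filter. filterProcessesUrl keeps its
         default (/j_spring_security_check), as in the poster's setup. -->
    <bean id="authenticationProcessingFilter"
          class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
        <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="defaultTargetUrl" value="/Game/game.htm"/>
        <property name="authenticationFailureUrl" value="/Game/login.htm?login_error=1"/>
        <!-- the two properties that session-fixation-protection="migrateSession" sets -->
        <property name="invalidateSessionOnSuccessfulAuthentication" value="true"/>
        <property name="migrateInvalidatedSessionAttributes" value="true"/>
        <!-- the piece the namespace did not wire (assumed property, per the quoted
             AbstractProcessingFilter code): lets SessionUtils.startNewSessionIfRequired
             register the migrated session id instead of leaving the registry empty -->
        <property name="sessionRegistry" ref="mwSessionRegistry"/>
    </bean>

    <bean id="sessionFilter" class="org.springframework.security.concurrent.ConcurrentSessionFilter">
        <security:custom-filter position="CONCURRENT_SESSION_FILTER"/>
        <property name="sessionRegistry" ref="mwSessionRegistry"/>
    </bean>

    <bean id="mwUserDetailsService" class="ru.mirrorworlds.util.SecurityManager"/>

    <bean id="mwSessionController" class="ru.mirrorworlds.util.session.ConcurrentSessionControllerImpl">
        <property name="maximumSessions" value="1"/>
        <property name="exceptionIfMaximumExceeded" value="true"/>
        <property name="sessionRegistry" ref="mwSessionRegistry"/>
    </bean>

    <bean id="mwSessionRegistry" class="ru.mirrorworlds.util.session.SessionRegistryImpl"/>
</beans>
```

    The poster's log shows why the registry has to reach the filter: their SessionRegistryImpl drops the entry when the HttpSessionDestroyedEvent for the old id fires, so after migration nothing re-registers the new id unless the filter that performed the migration holds a reference to the registry. The workaround in post #3, session-fixation-protection="none", avoids the symptom but keeps the pre-login session id in use after authentication, which is precisely the condition session fixation protection exists to remove; wiring the registry keeps both controls active.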

  5. #5
    Luke Taylor (Senior Member, Acegi Security System Team / Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    I've added an issue to look into this

    http://jira.springframework.org/browse/SEC-879

  6. #6
    Join Date
    Feb 2009
    Posts
    13


    I'm getting the same error... and it's very frustrating to fix...

    Can I just turn off session fixation support and still enjoy the breadth of security support that Spring Security provides?
