
Thread: HTTPS to HTTP Switch on Tomcat with Spring 3.X.X


    I read many threads talking about the issue with Tomcat when we try to switch from HTTPS to HTTP after login, and especially:
    http://forum.springsource.org/showthread.php?t=65651

    The described solution based on REMEMBER ME is more a workaround than a real one and introduces a security HOLE, especially on computers used by many users.

    I also found in the Spring Security FAQ:
    http://static.springsource.org/sprin...-https-session

    You say: I'm using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards. It doesn't work - I just end up back at the login page after authenticating. This happens because sessions created under HTTPS, for which the session cookie is marked as "secure", cannot subsequently be used under HTTP. The browser will not send the cookie back to the server and any session state will be lost (including the security context information). Starting a session in HTTP first should work as the session cookie won't be marked as secure.

    I may be wrong, but I don't understand how this can work with the current default configuration of the Session Authentication Strategy.

    The solution to this that I found, which seems better to me, is to:
    1) change sessionAuthenticationStrategy from the default one (org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy) to org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy.
    This has to be done in
    * org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
    and
    * session-management

    2) Start a session in HTTP



    I may be wrong, but unless this is done I don't understand how it can work; if you do, please tell me how.
    Here is my explanation:
    When we authenticate, the default policy (SessionFixationProtectionStrategy) will create a new session and SessionFixationProtectionStrategy will make it copy attributes;
    since this new session is in HTTPS, the cookie is marked as SECURE, and later when we switch back to HTTP the cookie will consequently not be transmitted, resulting
    in either a new session being created or the old invalidated one.
    This can be fixed by using an org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy set to org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy.


    This solution makes the session a bit less secure, since the session is not copied so the same JSESSIONID will be used, but is there a better one?

    Regarding this I opened a "Documentation" bug:
    https://jira.springsource.org/browse/SEC-1660

    Philippe
    http://www.ubik-ingenierie.com
    Last edited by pmdubik; Jan 20th, 2011 at 12:04 PM.
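The two steps described in the post, written out as a Spring Security 3.0 namespace configuration. This is an added example, not code from the original post, from the linked JIRA issue or from the Spring Security project; it assumes a form-login application with a single HTTPS login page, and it assumes that `session-fixation-protection="none"` installs NullAuthenticatedSessionStrategy on both the session-management filter and the UsernamePasswordAuthenticationFilter that the namespace creates (if that does not hold for your version, declare the filter as an explicit bean and set its `sessionAuthenticationStrategy` property yourself). The user entry is a constructed sample, not a real account.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post): Spring Security 3.0 namespace
     configuration for the HTTPS-login / HTTP-afterwards approach described above. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- Step 2 of the post: create the session on the very first (plain HTTP)
       request, so Tomcat issues the JSESSIONID cookie without the Secure flag.
       The default for create-session is "ifRequired". -->
  <http auto-config="false" create-session="always" use-expressions="true">

    <!-- Only the login page is forced onto HTTPS; everything else stays on HTTP.
         requires-channel relies on the default port mapping (80/443, 8080/8443). -->
    <intercept-url pattern="/login.jsp" access="permitAll" requires-channel="https"/>
    <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="http"/>

    <form-login login-page="/login.jsp"/>
    <logout/>

    <!-- Step 1 of the post: replace SessionFixationProtectionStrategy with
         NullAuthenticatedSessionStrategy. Assumption: with the namespace this
         single attribute configures the strategy shared by the session-management
         filter and the UsernamePasswordAuthenticationFilter, so the session created
         over HTTP is kept (not migrated) when the user authenticates over HTTPS. -->
    <session-management session-fixation-protection="none"/>
  </http>

  <authentication-manager>
    <authentication-provider>
      <user-service>
        <!-- constructed sample user for the example only -->
        <user name="demo" password="demo-password" authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

What this buys and what it costs is exactly what the post says: because the session is not migrated at login, the JSESSIONID handed out before authentication remains the authenticated session id afterwards, so session fixation protection is switched off, and that same cookie is then sent in clear over the HTTP pages. A quick check that the configuration took effect is to look at the Set-Cookie header of the first HTTP response: it should carry JSESSIONID without the Secure attribute, and the id should not change after the login POST. Keeping every URL on HTTPS (requires-channel="https" on /**) avoids the problem without giving up session migration, at the cost the thread is trying to avoid.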
