Jan 20th, 2011, 11:54 AM
HTTPS to HTTP Switch on Tomcat with Spring 3.X.X
I read many threads talking about the issue with Tomcat when we try to switch after login from HTTPS to HTTP.
The described solution based on REMEMBER ME is more a workaround than a real one and introduces a Security HOLE, especially on Computers used by many users.
I also found in Spring Sec FAQ:
You say: I'm using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards. It doesn't work - I just end up back at the login page after authenticating. This happens because sessions created under HTTPS, for which the session cookie is marked as "secure", cannot subsequently be used under HTTP. The browser will not send the cookie back to the server and any session state will be lost (including the security context information). Starting a session in HTTP first should work as the session cookie won't be marked as secure.
I may be wrong but I don't understand how this can work with current default configuration of Session Authentication Strategy.
The solution to this I found which seems better to me is to:
1) change sessionAuthenticationStrategy from the default one (org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy) to org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy.
This has to be done in
* org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
2) Start a Session in HTTP
I may be wrong, but unless it is done I don't understand how it can work; if you do, please tell me how.
Here is my explanation:
When we authenticate, the default policy (SessionFixationProtectionStrategy) will create a new Session, and SessionFixationProtectionStrategy will make it copy the attributes.
Since this new session is created in HTTPS, its Cookie is marked as SECURE; later, when we switch back to HTTP, the cookie will consequently not be transmitted, resulting
in either a new session being created or the old, invalidated one.
This can be fixed by using a org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy set to org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy.
This solution makes the session a bit less secure, since the Session is not copied, so the same JSESSIONID will be used, but is there a better one?
Regarding this I opened a "Documentation" bug:
Last edited by pmdubik; Jan 20th, 2011 at 12:04 PM.
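The two steps described in the post (a session started over HTTP, and the form-login filter configured with NullAuthenticatedSessionStrategy instead of the default SessionFixationProtectionStrategy) put together as a Spring Security 3.0 namespace configuration. This is an added example, not the poster's configuration or a snippet from the Spring Security project; it assumes a login page at /login.jsp, the default j_spring_security_check processing URL, and a single constructed in-memory demo user.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- create-session="always": SecurityContextPersistenceFilter creates the HttpSession
         (and therefore the JSESSIONID cookie) on the very first request. Tomcat sets the
         cookie's "secure" flag from request.isSecure() at session-creation time, so the
         session must be created while the user is still on plain HTTP; a user who opens
         the HTTPS login page directly will still get a secure cookie and lose the session
         on the switch back to HTTP. -->
    <http use-expressions="true" create-session="always" entry-point-ref="loginEntryPoint">
        <!-- Only the login form and the credential POST are forced onto HTTPS. -->
        <intercept-url pattern="/login.jsp" access="permitAll" requires-channel="https"/>
        <intercept-url pattern="/j_spring_security_check" access="permitAll" requires-channel="https"/>
        <!-- Everything else runs over HTTP after login, which is the switch under discussion. -->
        <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="http"/>

        <!-- The form-login filter is declared explicitly (below) so that its
             sessionAuthenticationStrategy can be replaced; <form-login> must then be omitted. -->
        <custom-filter position="FORM_LOGIN_FILTER" ref="formLoginFilter"/>

        <!-- Keeps the namespace's own SessionManagementFilter consistent with the filter:
             "none" means no new session is created at authentication time. -->
        <session-management session-fixation-protection="none"/>

        <logout logout-url="/j_spring_security_logout" logout-success-url="/"/>
    </http>

    <beans:bean id="loginEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login.jsp"/>
    </beans:bean>

    <beans:bean id="formLoginFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <!-- Step 1 of the post: NullAuthenticatedSessionStrategy does nothing at login, so the
             session created over HTTP (non-secure cookie) is kept and its attributes need no
             copying. The trade-off the poster mentions is real: the JSESSIONID presented
             before login is the one used afterwards, i.e. session fixation protection is off. -->
        <beans:property name="sessionAuthenticationStrategy">
            <beans:bean class="org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy"/>
        </beans:property>
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <!-- Constructed demo account, not a real credential. -->
                <user name="demo" password="demo" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

Two things worth checking when adopting this: first, the entry flow has to start on an HTTP page (the redirect to the HTTPS login form happens after the session has already been created there), otherwise the cookie is still flagged secure; second, because fixation protection is disabled, the session timeout and a proper logout (which invalidates the session) carry more weight than in the default configuration.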