Spring Security
SEC-1052

Add option to prevent URL rewriting of jsessionid

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core, Namespace
    • Labels: None

      Description

      This is often seen as a security risk:

      http://www.owasp.org/index.php/Top_10_2007-A7

      "Do not expose any session identifiers or any portion of valid credentials in URLs or logs (no session rewriting or storing the user's password in log files)"

      We should add an option in the namespace (and the HttpSessionSecurityContextRepository) to override URL encoding and prevent the id being written to the URL.

        Activity

        Luke Taylor added a comment -

        I've added the property disableUrlRewriting to HttpSessionSecurityContextRepository. Just need to add a corresponding one to the namespace.

        Luke Taylor added a comment -

        I've added support for "disable-url-rewriting" to the <http> namespace parser.

        Chas Emerick added a comment -

        FYI, this should probably get added to the documentation here: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/appendix-namespace.html#nsa-http-attributes
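The following is an added example, not code from the Spring Security project or from anyone commenting on this issue. It shows the weak and hardened forms of the <http> namespace element, the bean-level equivalent via the disableUrlRewriting property Luke Taylor mentions, what the flag does to the servlet response (NoRewriteResponse is a hypothetical stand-in for Spring Security's internal wrapper, written here to make the mechanism visible), and a check that a link encoded for a cookieless client no longer carries the session id. It assumes the Servlet 2.5 API and Spring Security 3.x on the classpath. One caveat worth knowing: the flag only governs URLs that go through the response wrapped by the security filter chain; on a Servlet 3.0 container the session-config/tracking-mode element set to COOKIE disables rewriting at the container level and is a sensible complement.

```java
// Added example for SEC-1052; not Spring Security's own code. Assumes Servlet 2.5 API and
// Spring Security 3.x. NoRewriteResponse is a hypothetical illustration of the mechanism.

import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

public class DisableUrlRewritingExample {

    /*
     * Namespace configuration. Without the attribute, a client that did not present a
     * session cookie may be handed links such as /app/home;jsessionid=ABC123..., which is
     * the OWASP Top 10 2007 A7 exposure the issue cites.
     *
     *   <!-- weak: URL rewriting left at the container default -->
     *   <http>
     *       <intercept-url pattern="/**" access="ROLE_USER" />
     *       <form-login />
     *   </http>
     *
     *   <!-- hardened: attribute added to the <http> element in 3.0.0 M1 -->
     *   <http disable-url-rewriting="true">
     *       <intercept-url pattern="/**" access="ROLE_USER" />
     *       <form-login />
     *   </http>
     */

    /** Bean-style equivalent of disable-url-rewriting="true" for explicit (non-namespace) wiring. */
    public static HttpSessionSecurityContextRepository wireRepository() {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
        repo.setDisableUrlRewriting(true);
        return repo;
    }

    /**
     * Hypothetical wrapper showing what the flag does to the response: with rewriting
     * disabled, encodeURL/encodeRedirectURL return the URL untouched, so nothing downstream
     * (JSTL <c:url>, sendRedirect(encodeRedirectURL(...)), ...) can append ";jsessionid=".
     */
    public static class NoRewriteResponse extends HttpServletResponseWrapper {
        private final boolean disableUrlRewriting;

        public NoRewriteResponse(HttpServletResponse response, boolean disableUrlRewriting) {
            super(response);
            this.disableUrlRewriting = disableUrlRewriting;
        }

        @Override
        public String encodeURL(String url) {
            return disableUrlRewriting ? url : super.encodeURL(url);
        }

        @Override
        public String encodeRedirectURL(String url) {
            return disableUrlRewriting ? url : super.encodeRedirectURL(url);
        }

        // Servlet 2.5 still exposes the deprecated spellings; cover them too so a caller
        // using the old names cannot bypass the flag.
        @Override
        @SuppressWarnings("deprecation")
        public String encodeUrl(String url) {
            return disableUrlRewriting ? url : super.encodeUrl(url);
        }

        @Override
        @SuppressWarnings("deprecation")
        public String encodeRedirectUrl(String url) {
            return disableUrlRewriting ? url : super.encodeRedirectUrl(url);
        }
    }

    /**
     * Check for an integration test against a real container: encode a link on a request
     * that carries no session cookie and assert this returns false. The match is
     * case-insensitive because some containers emit ";JSESSIONID=".
     */
    public static boolean leaksSessionId(String encodedUrl) {
        return encodedUrl != null && encodedUrl.toLowerCase().contains(";jsessionid=");
    }
}
```

To exercise it, wrap the container's response in a NoRewriteResponse with the flag set, call encodeURL("/app/home") on it, and pass the result to leaksSessionId; with the flag set to false on a request lacking a session cookie most containers will make the check return true, which is the behaviour the issue was opened to switch off.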

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Luke Taylor
          • Votes: 0
            Watchers: 4
