Spring Security - SEC-1077

AuthenticationProcessingFilter doesn't redirect to target url in case of session-fixation "newSession".

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M2
    • Component/s: Core
    • Labels: None

      Description

      When session-fixation-protection="newSession" is used, AbstractProcessingFilter doesn't redirect to the target URL. This is because the saved request is cleared from the session (2.0.4, trunk).

          Activity

          Andrei Tsibets added a comment -

          Sorry, I cannot change priority to Minor.

          Luke Taylor added a comment -

          This is what I would expect, given that if you explicitly say you want a new clean session then any state prior to that point will be lost. The default target option will be used instead. If you want the saved request to be retained, then you have to migrate the existing session state (the default behaviour), so I don't really think that is a bug.

          Andrei Tsibets added a comment -

          I thought that using the session for the target URL functionality was just an implementation choice and that session-fixation protection didn't have to influence it.

          Luke Taylor added a comment -

          Hmm. The problem is that the target URL functionality is handled by a separate strategy - there is now no assumption in AbstractProcessingFilter that a SavedRequest exists. It's all handled by the strategy (AuthenticationSuccessHandler). The current ordering of the code means the session state has gone by the time the attempt is made to access the SavedRequest.

          The problem is that the amount of functionality in these classes has grown considerably since they were first introduced. Another possibility would be to implement the session fixation logic as another AuthenticationSuccessHandler and call it after the one which performs the navigation. I'm not sure if this will break something else though. Alternatively we could do the same as for LogoutHandler and allow all the "on success" operations to be configured as a list of AuthenticationSuccessHandlers. Comments are welcome.

          Luke Taylor added a comment -

          This should be fixed by the changes for SEC-1211. The default implementation of the new session handling strategy which is responsible for migrating the attributes has an additional list of attribute names which it will retain even if migrateSessionAttributes is set to false. By default this list is set to contain only the SavedRequest attribute name.

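As an added illustration of the mechanism described in the last comment (not Spring Security's own code): the strategy always issues a brand-new session on login, copies all attributes only when migration is enabled, but carries across a retained list that by default holds just the saved-request attribute. The Session class, the attribute key and the method names are constructed for this example.

```java
import java.util.*;

// Added illustration, not Spring Security's own code: always issue a brand-new session on login
// (defeating fixation) but carry a whitelist of attribute names across so the saved request survives.
public class SessionFixationDemo {
    // Minimal stand-in for HttpSession (constructed for this example): fresh id plus attributes.
    static final class Session {
        final String id = UUID.randomUUID().toString();
        final Map<String, Object> attributes = new LinkedHashMap<>();
    }
    // Hypothetical attribute name for the pre-login request; the real key is not on this page.
    static final String SAVED_REQUEST_KEY = "savedRequest";
    private final boolean migrateSessionAttributes;
    private final Set<String> retainedAttributes;
    SessionFixationDemo(boolean migrateSessionAttributes, Collection<String> retainedAttributes) {
        this.migrateSessionAttributes = migrateSessionAttributes;
        this.retainedAttributes = new HashSet<>(retainedAttributes);
    }
    // On successful authentication: new session; copy everything if migration is on, otherwise
    // only the retained names; then empty the old session (stands in for invalidate()).
    Session onAuthenticationSuccess(Session old) {
        Session fresh = new Session();
        for (Map.Entry<String, Object> e : old.attributes.entrySet()) {
            if (migrateSessionAttributes || retainedAttributes.contains(e.getKey())) {
                fresh.attributes.put(e.getKey(), e.getValue());
            }
        }
        old.attributes.clear();
        return fresh;
    }
    // Mirrors the success handler: go to the saved request if present, else the default target.
    static String targetUrl(Session s, String defaultTarget) {
        Object saved = s.attributes.get(SAVED_REQUEST_KEY);
        return saved != null ? saved.toString() : defaultTarget;
    }
    static Session preLoginSession() {
        Session s = new Session();
        s.attributes.put(SAVED_REQUEST_KEY, "/account/orders"); // constructed sample values
        s.attributes.put("cart", "3 items");
        return s;
    }
    public static void main(String[] args) {
        // 2.0.4 "newSession": nothing retained, so the redirect falls back to the default target.
        Session lost = new SessionFixationDemo(false, List.of()).onAuthenticationSuccess(preLoginSession());
        System.out.println("2.0.4 newSession -> " + targetUrl(lost, "/"));
        // After SEC-1211: migration still off, but the saved request is on the retained list.
        Session kept = new SessionFixationDemo(false, List.of(SAVED_REQUEST_KEY)).onAuthenticationSuccess(preLoginSession());
        System.out.println("SEC-1211 newSession -> " + targetUrl(kept, "/") + ", cart=" + kept.attributes.get("cart"));
    }
}
```

The second run lands on the saved request while the unrelated "cart" attribute is dropped, which is the trade-off the fix settles on: a fresh session id against fixation, with only the navigation state carried over.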

            People

            • Assignee: Luke Taylor
            • Reporter: Andrei Tsibets