Spring Security: SEC-1211

Create strategy for session handling on successful authentication

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0 M1
    • Fix Version/s: 3.0.0 M2
    • Component/s: Web
    • Labels:
      None

      Description

      The code for session-fixation protection is currently duplicated between the AbstractAuthenticationProcessingFilter and the SessionFixationProtectionFilter. The former needs to create a new session before it redirects to the required target; the latter handles authentication which has occurred during the current request.

      A strategy implementation could be shared between them and also deal with updating the session registry, deciding what attributes to migrate etc.


          Activity

          Luke Taylor added a comment -

          I've extracted the interface AuthenticatedSessionStrategy which is now used in both places. DefaultAuthenticationStrategy implements the standard session-fixation protection behaviour, renewing the session and migrating the attributes if configured to do so. It also retains the SavedRequest attribute by default, even if not migrating the attributes (see SEC-1077).

          Luke Taylor added a comment -

          SessionFixationProtectionFilter has also been renamed to SessionManagementFilter, since it no longer performs session-fixation protection itself, but delegates to the configured strategy.

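The behaviour the description and the comments above spell out (one shared strategy that renews the session on successful authentication, optionally migrates its attributes, and always keeps the saved request so the post-login redirect still works) is sketched below as an added example in Java. It is not Spring Security's own code: the interface name and method signature are modelled on the issue text rather than the project's API, and the saved-request attribute key is an assumed constant.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical strategy interface, modelled on the issue's AuthenticatedSessionStrategy. */
interface AuthenticatedSessionStrategy {
    /** Called by whichever filter established that the current request is authenticated. */
    void onAuthentication(HttpServletRequest request);
}

/**
 * Session-fixation protection: discard the pre-authentication session id and carry
 * selected state into a fresh session. A hypothetical counterpart of the issue's
 * DefaultAuthenticationStrategy, not the project's implementation.
 */
class SessionFixationProtectionStrategy implements AuthenticatedSessionStrategy {

    /** Assumed attribute name under which the pre-login request was saved. */
    static final String SAVED_REQUEST_KEY = "SAVED_REQUEST";

    private final boolean migrateSessionAttributes;

    SessionFixationProtectionStrategy(boolean migrateSessionAttributes) {
        this.migrateSessionAttributes = migrateSessionAttributes;
    }

    @Override
    public void onAuthentication(HttpServletRequest request) {
        HttpSession oldSession = request.getSession(false);
        if (oldSession == null) {
            // No session existed before login, so there is no pre-authentication id to
            // discard; creating one now still gives the authenticated user a fresh id.
            request.getSession(true);
            return;
        }

        // Collect what should survive the renewal before the old session is destroyed.
        Map<String, Object> carried = new HashMap<String, Object>();
        if (migrateSessionAttributes) {
            Enumeration<String> names = oldSession.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, oldSession.getAttribute(name));
            }
        } else {
            // Even when attributes are not migrated, the saved request is retained so the
            // redirect to the originally requested URL still works after login.
            Object savedRequest = oldSession.getAttribute(SAVED_REQUEST_KEY);
            if (savedRequest != null) {
                carried.put(SAVED_REQUEST_KEY, savedRequest);
            }
        }

        // Invalidating the old session is the actual protection: any session id that was
        // issued before authentication no longer maps to an authenticated session.
        oldSession.invalidate();
        HttpSession newSession = request.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            newSession.setAttribute(entry.getKey(), entry.getValue());
        }
    }
}
```

Both the authentication-processing filter (which needs the new session before it redirects) and the session-management filter (which handles authentication that happened during the current request) can hold a reference to the same strategy and call `onAuthentication` once, which is the duplication the issue removes; a strategy could additionally update a session registry at the same point, as the description suggests.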

            People

            • Assignee: Luke Taylor
            • Reporter: Luke Taylor
            • Votes: 0
            • Watchers: 0

              Dates

              • Created:
                Updated:
                Resolved: