Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 3.0.7, 3.1.0, 3.1.1
    • Fix Version/s: 3.2.0.M2
    • Component/s: Web
    • Labels:
      None
    • Environment:
      Windows 7 x64
      Java 7 x64
      Tomcat 7.0.26
      Spring Framework 3.1.2
      Spring Security 3.1.1

      Description

      Both types of successful authentication events (AuthenticationSuccessEvent AND InteractiveAuthenticationSuccessEvent) are fired BEFORE the session fixation protection migrates the session data. This is INVALID, as the session ID contained within the data provided by the event is no longer valid immediately after the event completes processing.

      So, for example, one cannot use ApplicationListeners for AuthenticationSuccessEvent and SessionDestroyedEvent to maintain a log of login/logout activity, because the session ID changes between when the success event is called and the destroyed event is called.

      There was a discussion about this in the Spring forums (attached). The conclusion reached in this discussion is, I believe, also invalid. Spring Security classes shouldn't have to be overridden in order to make them behave correctly. It seems a trivial matter for the authentication event to be called AFTER the session has been migrated, which would provide accurate information in objects provided, through events, to a consuming application.
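      As an added illustration of the login/logout logging use case described above (example code written for this page, not code from the issue, the pull request or Spring Security itself): a listener that records AuthenticationSuccessEvent and SessionDestroyedEvent and correlates them by principal name rather than by session ID, because on the affected versions the session ID carried in the event details is already stale once session fixation protection has migrated the session. It logs whether the destroyed session's ID matches the one seen at login, so the mismatch the report describes is visible in the audit log. Assumptions: slf4j is on the classpath, HttpSessionEventPublisher is registered in web.xml so that SessionDestroyedEvent is actually published, and the listener is registered as a bean in the application context. The class name LoginAuditListener is invented for the example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.session.SessionDestroyedEvent;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/**
 * Login/logout audit listener. Added example, not code from the issue or
 * from Spring Security. Requires HttpSessionEventPublisher in web.xml so
 * that SessionDestroyedEvent is published, and must be registered as a bean.
 */
public class LoginAuditListener implements ApplicationListener<ApplicationEvent> {

    private static final Logger log = LoggerFactory.getLogger(LoginAuditListener.class);

    // principal name -> session ID as reported in the success event's details.
    // Keyed by principal, not by session ID, because on 3.0.7/3.1.x the ID in
    // the event can be replaced by session fixation protection right after the
    // event is published. (A second concurrent login by the same user overwrites
    // the earlier entry; a real audit log would key on a per-login record instead.)
    private final Map<String, String> sessionIdAtLogin = new ConcurrentHashMap<String, String>();

    @Override
    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthenticationSuccessEvent) {
            onLogin((AuthenticationSuccessEvent) event);
        } else if (event instanceof SessionDestroyedEvent) {
            onLogout((SessionDestroyedEvent) event);
        }
    }

    private void onLogin(AuthenticationSuccessEvent event) {
        Authentication auth = event.getAuthentication();
        Object details = auth.getDetails();
        // WebAuthenticationDetails is only present for web-based authentication;
        // other entry points (e.g. programmatic authentication) carry no session ID.
        String sessionId = details instanceof WebAuthenticationDetails
                ? ((WebAuthenticationDetails) details).getSessionId()
                : null;
        sessionIdAtLogin.put(auth.getName(), sessionId);
        log.info("LOGIN user={} sessionIdInEvent={}", auth.getName(), sessionId);
    }

    private void onLogout(SessionDestroyedEvent event) {
        String destroyedId = event.getId();
        // A destroyed session may hold zero or more security contexts; an
        // anonymous session that expires simply produces no LOGOUT line.
        for (SecurityContext ctx : event.getSecurityContexts()) {
            Authentication auth = ctx.getAuthentication();
            if (auth == null) {
                continue;
            }
            String loginId = sessionIdAtLogin.remove(auth.getName());
            // On affected versions with session fixation protection enabled this
            // is false for form logins: the event carried the pre-migration ID.
            boolean idMatches = destroyedId != null && destroyedId.equals(loginId);
            log.info("LOGOUT user={} sessionId={} matchesLoginId={}",
                    new Object[] { auth.getName(), destroyedId, idMatches });
        }
    }
}
```

      Correlating by principal name keeps the log usable whether or not the event is published before or after the session migration; the matchesLoginId field is there to make the behaviour difference between the affected versions and the fixed one observable.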

        Activity

        Nick Williams added a comment -

        Okay. The comment you made on the pull request an hour ago confused me, so if you could respond to my question that would be great. Thanks!

        (P.S. Sorry if it seems like I'm nagging. I know y'all are busy, so I also know I have to be persistent to avoid getting lost in the shuffle.)

        Rob Winch added a comment - edited

        You are not nagging...it is GREAT to have contributions! I think I replied (I just responded to the latest comment but there are quite a few so perhaps it was a different one), but if you don't see it please send me a link to the comment.

        Nick Williams added a comment -

        Yes, you replied, I'm just still not clear on whether you NEED me to re-do this pull request from a branch (originally you said it would be fine this time), or whether you're just telling me for future reference again.

        Rob Winch added a comment -

        No I do not need you to do it, but thought it would make working on multiple issues at the same time easier for you.

        Rob Winch added a comment -

        Resolved per https://github.com/SpringSource/spring-security/pull/33 Thanks for contributing Nick!


          People

          • Assignee:
            Rob Winch
          • Reporter:
            Nick Williams
          • Votes:
            0
          • Watchers:
            3

            Dates

            • Created:
              Updated:
              Resolved: