Spring option create-session="never" is ignored in some scenarios? -


for web services want disable use of sessions. added create-session="never" config: 

<beans:bean id="http403entrypoint"     class="org.springframework.security.web.authentication.http403forbiddenentrypoint"/> <http use-expressions="true" entry-point-ref="http403entrypoint"     create-session="never">     <custom-filter ref="x509filter" position="pre_auth_filter"/> </http>

this works cases, except when pre-authenticated user has client certificate not registered in application, our authenticationuserdetailsservice throws usernamenotfoundexception. if user has no certificate or has registered certificate, no session created (no set-cookie header in http response). in described case cookie sent. (the cookie respectively session) evaluated on each following request, if client certificate changed (basically allowing session fixation attack - app uses saved authentication instead of re-authenticating on each call).

we use spring security 3.0.5. tested tomcat 6 , 7 , jboss 7.1.1.

why session created in described scenario?

ps: session fixation problem can workarounded setting checkforprincipalchanges in abstractpreauthenticatedprocessingfilter, interested in answer why session created @ all.

the culprit https://jira.spring.io/browse/sec-1476 :

in case of unauthorized access following method in class abstractpreauthenticatedprocessingfilter create session , store exception there:

protected void unsuccessfulauthentication(httpservletrequest request, httpservletresponse response, authenticationexception failed) {     securitycontextholder.clearcontext();      if (logger.isdebugenabled()) {         logger.debug("cleared security context due exception", failed);     }     request.getsession().setattribute(webattributes.authentication_exception, failed); }

in fix changed last line, removed getsession() call authenticationexception stored in request.

to fix our project created new class extends x509authenticationfilter , there overrode method unsuccessfulauthentication same content except removed getsession() call.


Comments

Post a Comment

Popular posts from this blog

php - failed to open stream: HTTP request failed! HTTP/1.0 400 Bad Request -

this code i'm using find latitude , longitude of place: function coords($address){ echo $url="http://maps.googleapis.com/maps/api/geocode/json?address=".$address; $json = file_get_contents(urlencode($url)); $data = json_decode($json, true); print_r($data['results'][0]['geometry']['location']['lat']); print_r($data['results'][0]['geometry']['location']['lng']); } however returns warning: failed open stream: http request failed! http/1.0 400 bad request if use above code in simple procedure works fine not in function. note: have tried curl_init()... method produced same result? instead of encoding whole url encode address part. following code work fine $add='jamshoro phase 2'; $url="http://maps.googleapis.com/maps/api/geocode/json?address=".urlencode($add); $json = file_get_contents($url); $data = json_decode($json, true); print_r($data['r
Read more

java - How to filter a backspace keyboard input -

i have code gives message when key number pressed: txtvalueofclause.addeventfilter(keyevent.key_typed, new eventhandler<keyevent>() { @override public void handle(keyevent t) { char ar[] = t.getcharacter().tochararray(); char ch = ar[t.getcharacter().tochararray().length - 1]; if (!(ch >= '0' && ch <= '9')) { system.out.println("the char entered not number"); t.consume(); } } }); now if press on wrong button , press backspace remove it, error message. how can add backspace input if statement? i have found answer: txtvalueofclause.addeventfilter(keyevent.key_typed, new eventhandler<keyevent>() { @override public void handle(keyevent t) { char ar[] = t.getcharacter().tochararray(); char ch = ar[t.getcharacter().tochar
Read more

java - Show Soft Keyboard when EditText Appears -

i have code in android app, alert dialog , keyboard, , when dialog shown want keyboard appear. not , not sure why? here code: final alertdialog.builder alert = new alertdialog.builder(this); alert.settitle("title"); alert.setmessage("message"); final edittext input = new edittext(this); input.setinputtype(inputtype.type_class_number); alert.setview(input); input.setonfocuschangelistener(new view.onfocuschangelistener() { @override public void onfocuschange(view v, boolean hasfocus) { if (hasfocus) { log.i(tag, "in focus"); inputmethodmanager inputmethodmanager = (inputmethodmanager) getsystemservice(context.input_method_service); inputmethodmanager.showsoftinput(input, inputmethodmanager.show_implicit); } } }); but keyboard not appear though edit text in focus, , tell appear why, doesn't come up? thanks in advance.
Read more