Session Fixation Security Issue

Session Fixation Security Issue

1. Fix the Maven project warning first
error message:
Project configuration is not up-to-date with pom.xml. Run project configuration update
solution:
[Maven] ----> [Update Project Configuration]

2. Register a servlet filter in web.xml to address the issue
<!-- Session fixation protection: declare the filter once, then map it to every
     URL pattern whose requests should receive a freshly issued session id. -->
<filter>
<filter-name>sessionFixationProtoctionFilter</filter-name>
<filter-class>com.sillycat.easywebflow.filter.SessionFixationProtectionFilter</filter-class>
</filter>
<!-- Only the paths listed below pass through the filter; any other path keeps
     whatever session id the client presented. -->
<filter-mapping>
<filter-name>sessionFixationProtoctionFilter</filter-name>
<url-pattern>/order/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>sessionFixationProtoctionFilter</filter-name>
<url-pattern>/account.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>sessionFixationProtoctionFilter</filter-name>
<url-pattern>/product/detail.do</url-pattern>
</filter-mapping>

3. Related Java classes, adapted from Spring Security 2.x
package com.sillycat.easywebflow.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.sillycat.easywebflow.util.SessionUtil;

/**
 * Servlet filter that mitigates session fixation by discarding the session the
 * client presented and starting a fresh one before the request continues down
 * the chain. The renewal runs on every request that reaches this filter; no
 * marker is kept to do it only once per session. The invalidate/recreate work
 * itself is delegated to
 * {@link SessionUtil#startNewSessionIfRequired(HttpServletRequest, boolean)}.
 */
public class SessionFixationProtectionFilter implements Filter {

    /** Whether attributes of the discarded session are copied into the new one; defaults to true. */
    private boolean migrateSessionAttributes = true;

    /** No init-params are read; present only to satisfy {@link Filter}. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // intentionally empty
    }

    /**
     * Renews the caller's session and then invokes the rest of the chain.
     *
     * @throws ServletException if the request or response is not HTTP-based
     * @throws IOException      propagated from downstream filters and servlets
     */
    @Override
    public void doFilter(ServletRequest servletRequest,
            ServletResponse serlvetResponse, FilterChain chain)
            throws IOException, ServletException {
        final boolean httpRequest = servletRequest instanceof HttpServletRequest;
        if (!httpRequest) {
            throw new ServletException("Can only process HttpServletRequest");
        }

        final boolean httpResponse = serlvetResponse instanceof HttpServletResponse;
        if (!httpResponse) {
            throw new ServletException("Can only process HttpServletResponse");
        }

        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) serlvetResponse;

        // Swap the session before any downstream code stores state in it.
        startNewSessionIfRequired(request, response);
        chain.doFilter(request, response);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
        // intentionally empty
    }

    /**
     * Hook for the actual session renewal; the response is accepted for
     * subclasses but not used here.
     *
     * @param request  the current request whose session is replaced
     * @param response the current response (unused)
     */
    protected void startNewSessionIfRequired(HttpServletRequest request,
            HttpServletResponse response) {
        final boolean migrate = migrateSessionAttributes;
        SessionUtil.startNewSessionIfRequired(request, migrate);
    }

    /** @return true if attributes are carried over to the new session */
    public boolean isMigrateSessionAttributes() {
        return migrateSessionAttributes;
    }

    /** @param migrateSessionAttributes true to carry attributes over to the new session */
    public void setMigrateSessionAttributes(boolean migrateSessionAttributes) {
        this.migrateSessionAttributes = migrateSessionAttributes;
    }

}

package com.sillycat.easywebflow.util;

import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Map.Entry;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

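/**
 * Helper for session-fixation protection: replaces the caller's current
 * {@link HttpSession} with a newly created one, optionally carrying the old
 * session's attributes across.
 */
public class SessionUtil {

    private final static Log log = LogFactory.getLog(SessionUtil.class);

    /**
     * Invalidates the current session, if there is one, and immediately creates
     * a new one on the same request. Does nothing when the request carries no
     * session, so no session is created as a side effect.
     *
     * @param request                  the current request whose session is replaced
     * @param migrateSessionAttributes if true, every attribute of the old session
     *                                 is copied into the new one
     */
    static public void startNewSessionIfRequired(HttpServletRequest request,
            boolean migrateSessionAttributes) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            // no session, nothing to renew
            return;
        }

        String originalSessionId = session.getId();

        if (log.isDebugEnabled()) {
            log.debug("Invalidating session with Id '" + originalSessionId
                    + "' " + (migrateSessionAttributes ? "and" : "without")
                    + " migrating attributes.");
        }

        // Snapshot the attributes now: once invalidate() runs they can no longer be read.
        Map<String, Object> attributesToMigrate = null;
        if (migrateSessionAttributes) {
            attributesToMigrate = copyAttributes(session);
        }

        // kill the old session and obtain a replacement
        session.invalidate();
        session = request.getSession(true);
        String newSessionId = session.getId();

        if (log.isDebugEnabled()) {
            log.debug("Started new session: " + newSessionId);
        }

        // Some containers hand back the same id after invalidate()+getSession(true)
        // within one request (the JBoss report among the references); the
        // protection is then ineffective, so make that visible to operators.
        // The id itself is deliberately not logged at warn level.
        if (originalSessionId.equals(newSessionId)) {
            log.warn("Session id did not change after invalidate()/getSession(true); "
                    + "session fixation protection is ineffective on this container.");
        }

        // migrate the saved attributes into the new session
        if (attributesToMigrate != null) {
            for (Map.Entry<String, Object> entry : attributesToMigrate.entrySet()) {
                session.setAttribute(entry.getKey(), entry.getValue());
            }
        }
    }

    /**
     * Copies every attribute of {@code session} into a fresh map.
     *
     * @param session a still-valid session
     * @return name-to-value map of its attributes (possibly empty, never null)
     */
    private static Map<String, Object> copyAttributes(HttpSession session) {
        Map<String, Object> copy = new HashMap<String, Object>();
        Enumeration<?> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            String key = (String) names.nextElement();
            copy.put(key, session.getAttribute(key));
        }
        return copy;
    }

}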


references:
https://issues.jboss.org/browse/JBAS-4436
http://forum.springsource.org/showthread.php?54688-SessionFixationProtectionFilter-does-not-work-on-JBoss
http://en.wikipedia.org/wiki/Session_fixation
http://grepcode.com/file/repo1.maven.org/maven2/org.springframework.security/spring-security-core/2.0.3/org/springframework/security/util/SessionUtils.java
http://www.jarvana.com/jarvana/view/org/springframework/security/spring-security-core/2.0.2/spring-security-core-2.0.2-sources.jar!/org/springframework/security/ui/SessionFixationProtectionFilter.java?format=ok
http://www.jarvana.com/jarvana/view/org/springframework/security/spring-security-core/2.0.2/spring-security-core-2.0.2-sources.jar!/org/springframework/security/ui/SpringSecurityFilter.java?format=ok
http://lxs647.iteye.com/blog/1274975


