[ https://jira.jboss.org/jira/browse/JBSEAM-2450?page=com.atlassian.jira.pl... ]
Steffen Schlager commented on JBSEAM-2450:
------------------------------------------
Hi Alexander,
I included your solution in my application. In principle, your approach works fine. But
there is a small problem related to session-scoped beans. Suppose you have a
session-scoped bean (e.g., a shopping basket). The user is allowed to put items in the
shopping basket without having to be logged in. The user only has to log in when he wants
to actually order the items in the shopping cart. However, following your approach the
session-scoped shopping cart is destroyed when the user actually logs in. The reason is
the destroy method in class Contexts, which also destroys the session context.
I could fix that problem by adding the following line
right after
    while (keys.hasMoreElements()) {
        String key = keys.nextElement();
        if (!NEW_SESSION_INDICATOR.equals(key)) {
            old.put(key, session.getAttribute(key));
            session.removeAttribute(key);
        }
    }
OWASP / New Session after Login
-------------------------------
Key: JBSEAM-2450
URL: https://jira.jboss.org/jira/browse/JBSEAM-2450
Project: Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 2.0.0.GA
Environment: Linux 2.6, jetty 6.1.5, java 6
Reporter: Alexander Schwartz
Assignee: Shane Bryzak
Fix For: 3.0.0.BETA1
Attachments: NewSessionFilter.java, NewSessionFilter.java
Hello,
OWASP has compiled a "top 10" of vulnerabilities for web applications.
One suggestion against session hijacking was the following: start a new HTTP session
after a successful login:
"Consider regenerating a new session upon successful authentication or privilege
level change."
http://www.owasp.org/index.php/Top_10_2007-A7
Therefore there should be a (configurable?) switch to choose "continue with new
session ID after successful log on"
I have thought of invalidating the current HTTP session, creating a new one and copying
all elements from the old session to the new session in my Authenticator. But Seam 2.0.0
doesn't allow this: when I use the low-level functions this is blocked by
IllegalStateException("Please end the HttpSession via Seam.invalidateSession()")
in Lifecycle. When I use Seam.invalidateSession(), the session is only destroyed at the end
of the request and I am unable to copy any objects in my Authenticator, as the new session
doesn't exist yet.
The workaround I have come up with is a filter that destroys the complete session before
the log in.
This is not very elegant, but it works for me as I don't have, e.g., a shopping basket
that I'd like to preserve.
A "nice" implementation in Seam shouldn't have this limitation.
shane.bryzak(a)jboss.com asked for this ticket to be assigned to her.
The Java Class:
Code:
    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;

    /**
     * This filter enforces a new session whenever there is a POST, should be mapped
     * to the URL of the login page in your web.xml
     * @author Alexander Schwartz 2007
     */
    public class NewSessionFilter implements Filter {
        private Log log = LogFactory.getLog(NewSessionFilter.class);
        // login URL suffix, read from the filter's 'url' init-param
        private String url;

        public void destroy() {
            // empty.
        }

        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain) throws IOException, ServletException {
            if (request instanceof HttpServletRequest) {
                HttpServletRequest httpRequest = (HttpServletRequest) request;
                // getSession(false) does not create a session as a side effect;
                // a missing or brand-new session has nothing to regenerate
                HttpSession session = httpRequest.getSession(false);
                if (httpRequest.getMethod().equals("POST")
                        && session != null
                        && !session.isNew()
                        && httpRequest.getRequestURI().endsWith(url)) {
                    // drop the pre-login session (and everything in it) and
                    // issue a fresh ID before the login request is processed
                    session.invalidate();
                    httpRequest.getSession(true);
                    // caution: session IDs are credentials; keep this out of production logs
                    log.info("new Session:" + httpRequest.getSession().getId());
                }
            }
            chain.doFilter(request, response);
        }

        public void init(FilterConfig filterConfig) throws ServletException {
            url = filterConfig.getInitParameter("url");
            if (url == null) {
                throw new ServletException(
                        "please specify parameter 'url' with login URL");
            }
        }
    }
The web.xml:
Code:
    <filter>
        <display-name>NewSessionFilter</display-name>
        <filter-name>NewSessionFilter</filter-name>
        <filter-class>
            NewSessionFilter
        </filter-class>
        <init-param>
            <param-name>url</param-name>
            <param-value>/iss/login.jsf</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>NewSessionFilter</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/iss/login.jsf</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
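Added example, not the attachment from this ticket and not Seam's own code: a plain Servlet filter that combines the two points made in this thread, regenerating the session ID on the login POST (the OWASP recommendation the ticket cites) while carrying the existing session attributes across so that a pre-login shopping basket survives (the problem raised in the comment above). The class name SessionRegeneratingLoginFilter, the NEW_SESSION_INDICATOR attribute key, and the assumption of a Servlet 3.0 API on Java 7 or later are all hypothetical; the 'url' init-param follows the ticket's web.xml.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical example filter: on a POST to the login URL, copies the
 * session attributes aside, invalidates the old session (so the ID the
 * browser held before authentication becomes worthless), creates a new
 * session and restores the attributes into it.
 * Map it to the login page in web.xml exactly like the ticket's filter.
 */
public class SessionRegeneratingLoginFilter implements Filter {

    /** Marker so a session that was already regenerated is left alone (hypothetical name). */
    static final String NEW_SESSION_INDICATOR =
        SessionRegeneratingLoginFilter.class.getName() + ".regenerated";

    private String loginUrl;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        loginUrl = cfg.getInitParameter("url");
        if (loginUrl == null) {
            throw new ServletException("init-param 'url' (login URL) is required");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // getSession(false): do not create a session just to inspect it
            HttpSession old = http.getSession(false);
            if ("POST".equals(http.getMethod())
                    && old != null
                    && !old.isNew()
                    && old.getAttribute(NEW_SESSION_INDICATOR) == null
                    && http.getRequestURI().endsWith(loginUrl)) {
                regenerate(http, old);
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Moves every attribute except the marker from the old session into a
     * freshly created one and returns the new session.
     */
    static HttpSession regenerate(HttpServletRequest http, HttpSession old) {
        Map<String, Object> saved = new HashMap<>();
        for (String key : Collections.list(old.getAttributeNames())) {
            if (!NEW_SESSION_INDICATOR.equals(key)) {
                saved.put(key, old.getAttribute(key));
            }
        }
        old.invalidate();                          // old ID is now dead server-side
        HttpSession fresh = http.getSession(true); // new ID goes out with the response
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(NEW_SESSION_INDICATOR, Boolean.TRUE);
        return fresh;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Two caveats a practitioner should check before adopting this. First, invalidate() fires HttpSessionListener and HttpSessionBindingListener callbacks, so objects a framework manages in the session (in this ticket, Seam's session context) may be torn down before they are copied; that is the limitation the comment above describes and the reason the ticket asks for support inside Seam rather than in a filter. Second, on a Servlet 3.1 or later container the same goal is reached with HttpServletRequest.changeSessionId(), which swaps the ID while keeping the session and its attributes, removing the copy step entirely.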
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira