
SEC-1077: AuthenticationProcessingFilter doesn't redirect to target url in case of session-fixation "newSession". #1328

Closed
spring-issuemaster opened this Issue Jan 8, 2009 · 5 comments


Andrei Tsibets(Migrated from SEC-1077) said:

When session-fixation-protection=“newSession” is used then AbstractProcessingFilter processing filter doesn’t redirect to target url. It is because of saved request clearing in session (2.0.4, trunk).

Andrei Tsibets said:

Sorry, I cannot change priority to Minor.

Luke Taylor said:

This is what I would expect given that it if you explicitly say you want a new clean session then any state prior to that point will be lost. The default target option will be used instead. If you want the saved request to be retained, then you have to migrate the existing session state (the default behaviour), so I don’t really think that is a bug.

Andrei Tsibets said:

I thought that session usage for target url functionality is just implementation solution and session-fixation didn’t have to influence on it.

Luke Taylor said:

Hmm. The problem is that the target Url functionality is handled by a separate strategy – there is now no assumption in the AbstractProcessing filter that a SavedRequest exists. It’s all handled by the strategy (AuthenticationSuccessHandler). The current ordering of the code means the session state has gone by the time the attempt is made to access the SavedRequest.

The problem is that the amount of functionality in these classes has grown considerably since they were first introduced. Another possibility would be to implement the session fixation logic as another AuthenticationSuccessHandler and call it after the one which performs the navigation. I’m not sure if this will break something else though. Alternatively we could do the same as for LogoutHandler and allow all the “on success” operations to be configured as a list of AuthenticationSuccessHandlers. Comments are welcome.

Luke Taylor said:

This should be fixed by the changes for SEC-1211. The default implementation of the new session handling strategy which is responsible for migrating the attributes has an additional list of attribute names which it will retain even if migrateSessionAttributes is set to false. By default this list is set to contain only the SavedRequest attribute name.
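The behaviour Luke describes, as an added illustration rather than Spring Security's own class: on authentication success the pre-login session is invalidated (so an attacker-chosen session ID never becomes an authenticated one), every attribute is carried over when migrateSessionAttributes is true, and otherwise only an explicit retained list is copied, which by default holds just the saved-request attribute name so the redirect handler still finds the target URL. The class name and the attribute key are assumptions; only the servlet API calls are real.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustrative session-fixation protection (assumed name, not the framework's).
 * Runs on authentication success, before the handler that performs the redirect.
 */
public class RetainingSessionFixationStrategy {

    // Assumed key; the thread only refers to "the SavedRequest attribute name".
    public static final String SAVED_REQUEST_KEY = "EXAMPLE_SAVED_REQUEST";

    private boolean migrateSessionAttributes = true;          // "migrateSession" behaviour
    private List<String> retainedAttributes =
            Collections.singletonList(SAVED_REQUEST_KEY);     // kept even under "newSession"

    public void setMigrateSessionAttributes(boolean migrate) { this.migrateSessionAttributes = migrate; }

    public void setRetainedAttributes(List<String> names) { this.retainedAttributes = new ArrayList<>(names); }

    public void onAuthentication(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return;                        // no pre-login session to replace
        }
        // Decide what survives before the old session is gone.
        Map<String, Object> carryOver = new HashMap<>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (migrateSessionAttributes || retainedAttributes.contains(name)) {
                carryOver.put(name, old.getAttribute(name));
            }
        }
        old.invalidate();                  // discards the pre-authentication session ID
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carryOver.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
    }
}
```

With migrateSessionAttributes set to false, only the saved request reaches the new session, which is exactly the state the redirect handler needs to honour the original target URL.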

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M2 milestone Feb 5, 2016
