
Example 26 with HttpSession

use of jakarta.servlet.http.HttpSession in project spring-security by spring-projects.

From class ConcurrentSessionControlAuthenticationStrategy, method onAuthentication.

/**
 * Enforces the per-user concurrent-session limit before the superclass registers
 * the new session in the {@code sessionRegistry}.
 * <p>
 * Decision order:
 * <ol>
 * <li>a limit of {@code -1} means unlimited sessions: nothing is checked;</li>
 * <li>fewer registered sessions than the limit: nothing is checked;</li>
 * <li>exactly at the limit: the login is allowed only when the request's current
 * session is already one of the registered ones (re-authentication inside an
 * existing session);</li>
 * <li>otherwise {@link #allowableSessionsExceeded} decides whether an older
 * session is expired or this login is rejected.</li>
 * </ol>
 *
 * @param authentication the newly authenticated principal
 * @param request the current request; its existing session (if any) is consulted
 * @param response the current response (not used by this method)
 */
@Override
public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
    int maxSessions = getMaximumSessionsForThisUser(authentication);
    if (maxSessions == -1) {
        // -1 is the "unlimited" sentinel: no concurrency control for this user
        return;
    }
    // The second argument is false; presumably this excludes expired registrations
    // from the count - confirm against SessionRegistry#getAllSessions.
    List<SessionInformation> registered = this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false);
    int registeredCount = registered.size();
    if (registeredCount < maxSessions) {
        // Still under the limit
        return;
    }
    if (registeredCount == maxSessions) {
        HttpSession current = request.getSession(false);
        if (current != null) {
            String currentId = current.getId();
            boolean alreadyRegistered = registered.stream().anyMatch(si -> si.getSessionId().equals(currentId));
            if (alreadyRegistered) {
                // The session being authenticated is already counted; it is not a new one
                return;
            }
        }
        // With no current session the parent class will create one, which would
        // take the user over the limit - fall through.
    }
    // Note: once the count is already above the limit no membership check is made,
    // so this path is taken even if the current session is one of the registered ones.
    allowableSessionsExceeded(registered, maxSessions, this.sessionRegistry);
}

Example 27 with HttpSession

use of jakarta.servlet.http.HttpSession in project spring-security by spring-projects.

From class AbstractSessionFixationProtectionStrategy, method onAuthentication.

/**
 * Applies session-fixation protection when a user has just authenticated.
 * <p>
 * With no pre-existing session nothing is done unless {@code alwaysCreateSession}
 * is set, in which case a session is created but not migrated (there was no
 * client-supplied session to replace). With a pre-existing session whose
 * requested id is valid, {@link #applySessionFixation} is invoked under the
 * session mutex to swap the session, and {@link #onSessionChange} is notified
 * with the old id and the new session. If the container hands back the same id,
 * a warning is logged because the protection is then ineffective.
 *
 * @param authentication the newly authenticated user
 * @param request the current request; its session state drives the decision
 * @param response the current response (not used by this method)
 */
@Override
public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
    boolean preExisting = request.getSession(false) != null;
    if (!preExisting && !this.alwaysCreateSession) {
        // No session means there is nothing an attacker could have fixed
        return;
    }
    // Creates the session when alwaysCreateSession asked for one
    HttpSession current = request.getSession();
    if (!preExisting || !request.isRequestedSessionIdValid()) {
        // Either a brand-new session, or the client's requested id does not match
        // the current session: no migration is needed
        return;
    }
    String oldId;
    String newId;
    Object lock = WebUtils.getSessionMutex(current);
    synchronized (lock) {
        // Migration happens under the session mutex - presumably so that concurrent
        // requests on the same session serialize their changes; confirm if relied on
        oldId = current.getId();
        current = applySessionFixation(request);
        newId = current.getId();
    }
    if (!oldId.equals(newId)) {
        if (this.logger.isDebugEnabled()) {
            // NOTE(review): the superseded id is written to the debug log; it should be
            // invalid once applySessionFixation has run - confirm against the implementation
            this.logger.debug(LogMessage.format("Changed session id from %s", oldId));
        }
    } else {
        this.logger.warn("Your servlet container did not change the session ID when a new session " + "was created. You will not be adequately protected against session-fixation attacks");
    }
    onSessionChange(oldId, current, authentication);
}

Example 28 with HttpSession

use of jakarta.servlet.http.HttpSession in project tomcat by apache.

From class Request, method setUserPrincipal.

/**
 * Records the authenticated {@link Principal} for this request; the stored value
 * also backs {@code getRemoteUser()}. A null principal is stored as-is.
 * <p>
 * When the security manager is enabled ({@code Globals.IS_SECURITY_ENABLED}) and
 * the principal is non-null, a {@link Subject} is maintained as well: one already
 * cached on the request is reused; failing that, one cached in the session under
 * {@code Globals.SUBJECT_ATTR} is reused; failing that, a fresh Subject is created
 * and, if a session exists, cached there. Reusing a Subject appends the new
 * principal to its principal set, so that set accumulates for as long as the
 * Subject lives.
 *
 * @param principal The user Principal
 */
public void setUserPrincipal(final Principal principal) {
    if (Globals.IS_SECURITY_ENABLED && principal != null) {
        if (subject != null) {
            // Subject already cached on this request: just add the principal
            subject.getPrincipals().add(principal);
        } else {
            final HttpSession session = getSession(false);
            final Subject cached = (session != null) ? (Subject) session.getAttribute(Globals.SUBJECT_ATTR) : null;
            if (cached != null) {
                // Reuse the session-scoped Subject; its principal set grows
                subject = cached;
                subject.getPrincipals().add(principal);
            } else {
                subject = newSubject(principal);
                if (session != null) {
                    // Cache in the session as well as on the request
                    session.setAttribute(Globals.SUBJECT_ATTR, subject);
                }
            }
        }
    }
    userPrincipal = principal;
}

Example 29 with HttpSession

use of jakarta.servlet.http.HttpSession in project tomcat by apache.

From class CrawlerSessionManagerValve, method invoke.

/**
 * Gives web crawlers a single shared session per client instead of one per
 * request, so that cookie-less bots do not flood the session store.
 * <p>
 * Only requests without a valid session are examined. A request is treated as a
 * bot when it carries exactly one {@code User-Agent} header matching
 * {@code uaPattern}, or when the remote address matches {@code ipPattern}. For a
 * bot, any session id previously recorded for its client identifier (host,
 * context and remote address) is injected as the requested session id before the
 * pipeline continues. A session the bot creates downstream is recorded for later
 * requests, given a binding listener so the mapping is dropped on expiry, and
 * given the configured inactive interval.
 * <p>
 * Security notes: the User-Agent is client-controlled, so any client can claim
 * to be a crawler; what bounds the session sharing is the client identifier,
 * which includes the remote address. {@code request.getRemoteAddr()} is the
 * address as this valve sees it - behind a reverse proxy that is presumably the
 * proxy's address unless an earlier valve rewrote it; confirm for the deployment.
 *
 * @param request the request being processed
 * @param response the response being produced
 * @throws IOException propagated from the rest of the pipeline
 * @throws ServletException propagated from the rest of the pipeline
 */
@Override
public void invoke(Request request, Response response) throws IOException, ServletException {
    final String remoteAddr = request.getRemoteAddr();
    final String clientKey = getClientIdentifier(request.getHost(), request.getContext(), remoteAddr);
    if (log.isDebugEnabled()) {
        log.debug(request.hashCode() + ": ClientIdentifier=" + clientKey + ", RequestedSessionId=" + request.getRequestedSessionId());
    }
    boolean crawler = false;
    String knownSessionId = null;
    // A request that already has a valid session needs no intervention
    if (request.getSession(false) == null) {
        Enumeration<String> agents = request.getHeaders("user-agent");
        String agent = agents.hasMoreElements() ? agents.nextElement() : null;
        // More than one User-Agent header: not classified as a bot on UA grounds
        if (agent != null && !agents.hasMoreElements()) {
            if (log.isDebugEnabled()) {
                log.debug(request.hashCode() + ": UserAgent=" + agent);
            }
            if (uaPattern.matcher(agent).matches()) {
                crawler = true;
                if (log.isDebugEnabled()) {
                    log.debug(request.hashCode() + ": Bot found. UserAgent=" + agent);
                }
            }
        }
        if (ipPattern != null && ipPattern.matcher(remoteAddr).matches()) {
            crawler = true;
            if (log.isDebugEnabled()) {
                log.debug(request.hashCode() + ": Bot found. IP=" + remoteAddr);
            }
        }
        if (crawler) {
            knownSessionId = clientIdSessionId.get(clientKey);
            if (knownSessionId != null) {
                // Reuse the session this client created earlier
                request.setRequestedSessionId(knownSessionId);
                if (log.isDebugEnabled()) {
                    log.debug(request.hashCode() + ": SessionID=" + knownSessionId);
                }
            }
        }
    }
    getNext().invoke(request, response);
    if (!crawler) {
        return;
    }
    if (knownSessionId != null) {
        if (log.isDebugEnabled()) {
            log.debug(request.hashCode() + ": Bot session accessed. SessionID=" + knownSessionId);
        }
        return;
    }
    // Did the downstream pipeline create a session for this bot? If so, record it.
    HttpSession created = request.getSession(false);
    if (created == null) {
        return;
    }
    clientIdSessionId.put(clientKey, created.getId());
    sessionIdClientId.put(created.getId(), clientKey);
    // The listener's valueUnbound() removes the mapping when the session expires
    created.setAttribute(this.getClass().getName(), new CrawlerHttpSessionBindingListener(clientIdSessionId, clientKey));
    created.setMaxInactiveInterval(sessionInactiveInterval);
    if (log.isDebugEnabled()) {
        log.debug(request.hashCode() + ": New bot session. SessionID=" + created.getId());
    }
}

Example 30 with HttpSession

use of jakarta.servlet.http.HttpSession in project tomcat by apache.

From class TestCrawlerSessionManagerValve, method createSessionExpectations.

/**
 * Builds a mock {@link HttpSession} carrying the expectations the valve triggers
 * when it records a freshly created bot session: two {@code getId()} calls
 * returning {@code "id"}, one {@code setAttribute} keyed by the valve's class
 * name with a {@link HttpSessionBindingListener} value, and one
 * {@code setMaxInactiveInterval(60)}. For a non-bot no expectations are set,
 * presumably because the valve is expected to leave the session untouched.
 *
 * @param valve the valve under test; its class name is the expected attribute key
 * @param isBot whether the session should expect the bot-registration calls
 * @return the configured mock session (not yet replayed by this method)
 */
private HttpSession createSessionExpectations(CrawlerSessionManagerValve valve, boolean isBot) {
    final HttpSession mockSession = EasyMock.createMock(HttpSession.class);
    if (!isBot) {
        return mockSession;
    }
    EasyMock.expect(mockSession.getId()).andReturn("id").times(2);
    mockSession.setAttribute(EasyMock.eq(valve.getClass().getName()), EasyMock.anyObject(HttpSessionBindingListener.class));
    EasyMock.expectLastCall();
    mockSession.setMaxInactiveInterval(60);
    EasyMock.expectLastCall();
    return mockSession;
}
