Class HybrisSessionFixationProtectionStrategy

  • All Implemented Interfaces:
    org.springframework.beans.factory.Aware, org.springframework.context.ApplicationEventPublisherAware, org.springframework.security.web.authentication.session.SessionAuthenticationStrategy

    public class HybrisSessionFixationProtectionStrategy
    extends org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
    Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). Spring Security protects against this automatically by creating a new session when a user logs in.
    Adding the following to your Spring Security configuration ...

     <security:http ...
            <security:session-management session-authentication-strategy-ref="fixation"/>
     </security:http>
     <bean id="fixation" class="de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy"/>

    ... will enable this feature for your cockpit-based frontend.
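    As an added example that is not part of hybris or of this Javadoc, the subclass below shows how the two protected hooks documented on this page can be used from a defender's side: keyCanBeMigrated to keep selected pre-authentication attributes out of the new session, and onSessionChange to write an audit line for every session id rotation. The class name AuditingSessionFixationProtectionStrategy, the package, the keysToDrop set and the abbreviate helper are all assumptions for this example; so are the roles of the onSessionChange parameters (taken from the Spring Security superclass method of the same signature, since this page lists them only as arg0..arg2) and the reading that keyCanBeMigrated returning true means "copy this attribute to the new session".

```java
package com.example.security; // assumed package; not part of hybris

import java.util.Set;

import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;

import de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy;

/**
 * Hypothetical subclass (added example, not hybris code). It narrows which session
 * attributes survive the login-time session swap and records every session id change
 * so that a pre-login and a post-login session can be correlated during an investigation.
 */
public class AuditingSessionFixationProtectionStrategy extends HybrisSessionFixationProtectionStrategy {

    // Attribute keys that must NOT be carried over from the pre-authentication session.
    // The set is supplied by the caller; it is assumed to hold anonymous-only state.
    private final Set<String> keysToDrop;

    public AuditingSessionFixationProtectionStrategy(final Set<String> keysToDrop) {
        this.keysToDrop = Set.copyOf(keysToDrop);
        // Keep attribute migration enabled (setter documented on this page); with it
        // switched off nothing is migrated and keyCanBeMigrated is never consulted.
        setMigrateSessionAttributes(true);
    }

    /**
     * Assumption: the documented protected hook answers true when a key may be copied
     * into the new session. Answering false for the configured keys leaves them behind
     * in the session that is about to be invalidated.
     */
    @Override
    protected boolean keyCanBeMigrated(final String key) {
        if (keysToDrop.contains(key)) {
            logger.debug("Not migrating session attribute '" + key + "' across authentication");
            return false;
        }
        return super.keyCanBeMigrated(key);
    }

    /**
     * Parameter roles assumed from the Spring Security superclass: the old session id,
     * the freshly created session and the authenticated principal. super is called first
     * so the default SessionFixationProtectionEvent is still published.
     */
    @Override
    protected void onSessionChange(final String originalSessionId, final HttpSession newSession,
                                   final Authentication auth) {
        super.onSessionChange(originalSessionId, newSession, auth);
        // Audit line: correlate the two ids without writing full session identifiers
        // (or any credential) into the log file.
        logger.info("Session id rotated on authentication for user '" + auth.getName() + "': "
                + abbreviate(originalSessionId) + " -> " + abbreviate(newSession.getId()));
    }

    // Emit only a prefix of a session id so that log access does not equal session access.
    static String abbreviate(final String sessionId) {
        if (sessionId == null) {
            return "<none>";
        }
        return sessionId.length() <= 8 ? sessionId : sessionId.substring(0, 8) + "...";
    }
}
```

    To wire it in, point the "fixation" bean from the XML above at this class instead of the base class and pass the set of keys to drop as a constructor argument; the session-management element stays unchanged. Calling super.onSessionChange before logging matters: the superclass is what publishes the session-change event that other listeners (for example a session registry) rely on.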

    • Field Summary

      Fields
      protected org.apache.commons.logging.Log logger
    • Method Summary

      Methods (instance, concrete)
      protected javax.servlet.http.HttpSession createNewSessionAndMigrate​(javax.servlet.http.HttpServletRequest request, java.lang.String originalSessionId, java.util.Map<java.lang.String,​java.lang.Object> attributesToMigrate)  
      protected java.util.Map<java.lang.String,​java.lang.Object> getAttributesAndinvalidateOldSession​(javax.servlet.http.HttpSession originalSession)  
      protected boolean keyCanBeMigrated​(java.lang.String key)  
      void onAuthentication​(org.springframework.security.core.Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Called when a user is newly authenticated.
      protected void onSessionChange​(java.lang.String arg0, javax.servlet.http.HttpSession arg1, org.springframework.security.core.Authentication arg2)  
      void setAlwaysCreateSession​(boolean arg0)  
      void setApplicationEventPublisher​(org.springframework.context.ApplicationEventPublisher arg0)  
      void setMigrateSessionAttributes​(boolean migrateSessionAttributes)  
      • Methods inherited from class org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

        extractAttributes
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • logger

        protected final org.apache.commons.logging.Log logger
    • Constructor Detail

      • HybrisSessionFixationProtectionStrategy

        public HybrisSessionFixationProtectionStrategy()
    • Method Detail

      • onAuthentication

        public void onAuthentication​(org.springframework.security.core.Authentication authentication,
                                     javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response)
        Called when a user is newly authenticated.

        If a session already exists, a new session will be created, the session attributes copied to it (if migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.

        If there is no session, no action is taken unless the alwaysCreateSession property is set, in which case a session will be created if one doesn't already exist.

        Specified by:
        onAuthentication in interface org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
      • createNewSessionAndMigrate

        protected javax.servlet.http.HttpSession createNewSessionAndMigrate​(javax.servlet.http.HttpServletRequest request,
                                                                            java.lang.String originalSessionId,
                                                                            java.util.Map<java.lang.String,​java.lang.Object> attributesToMigrate)
      • getAttributesAndinvalidateOldSession

        protected java.util.Map<java.lang.String,​java.lang.Object> getAttributesAndinvalidateOldSession​(javax.servlet.http.HttpSession originalSession)
      • keyCanBeMigrated

        protected boolean keyCanBeMigrated​(java.lang.String key)
      • setMigrateSessionAttributes

        public void setMigrateSessionAttributes​(boolean migrateSessionAttributes)
        Overrides:
        setMigrateSessionAttributes in class org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
      • onSessionChange

        protected void onSessionChange​(java.lang.String arg0,
                                       javax.servlet.http.HttpSession arg1,
                                       org.springframework.security.core.Authentication arg2)
      • setApplicationEventPublisher

        public void setApplicationEventPublisher​(org.springframework.context.ApplicationEventPublisher arg0)
        Specified by:
        setApplicationEventPublisher in interface org.springframework.context.ApplicationEventPublisherAware
      • setAlwaysCreateSession

        public void setAlwaysCreateSession​(boolean arg0)