Class HybrisSessionFixationProtectionStrategy

java.lang.Object
org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy
org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy
All Implemented Interfaces:
org.springframework.beans.factory.Aware, org.springframework.context.ApplicationEventPublisherAware, org.springframework.security.web.authentication.session.SessionAuthenticationStrategy

public class HybrisSessionFixationProtectionStrategy extends org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
Session fixation attacks are a risk wherever an attacker can create a session by visiting a site and then persuade another user to log in with that same session (for example by sending the user a link that carries the session identifier as a parameter). Spring Security protects against this by creating a new session when a user logs in, so the identifier the attacker knows is never associated with the authenticated user.
Adding

 <security:http ...
        <security:session-management session-authentication-strategy-ref="fixation"/>
 </security:http>
 <bean id="fixation" class="de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy"/>

to the Spring Security configuration enables this feature for your cockpit-based frontend.

  • Nested Class Summary

    Nested classes/interfaces inherited from class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy

    org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy.NullEventPublisher
  • Field Summary

    Fields inherited from class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy

    logger
  • Constructor Summary

    Constructor    Description
    HybrisSessionFixationProtectionStrategy()
  • Method Summary

    Modifier and Type    Method    Description
    protected javax.servlet.http.HttpSession    createNewSessionAndMigrate(javax.servlet.http.HttpServletRequest request, String originalSessionId, Map<String,Object> attributesToMigrate)
    protected Map<String,Object>    getAttributesAndinvalidateOldSession(javax.servlet.http.HttpSession originalSession)
    protected boolean    keyCanBeMigrated(String key)
    void    onAuthentication(org.springframework.security.core.Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)    Called when a user is newly authenticated.
    void    setMigrateSessionAttributes(boolean migrateSessionAttributes)

    Methods inherited from class org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

    extractAttributes

    Methods inherited from class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy

    onSessionChange, setAlwaysCreateSession, setApplicationEventPublisher

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • HybrisSessionFixationProtectionStrategy

      public HybrisSessionFixationProtectionStrategy()
  • Method Details

    • onAuthentication

      public void onAuthentication(org.springframework.security.core.Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Called when a user is newly authenticated.

      If a session already exists, a new session will be created, the session attributes copied to it (if migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.

      If there is no session, no action is taken unless the alwaysCreateSession property is set, in which case a session will be created if one doesn't already exist.

      Specified by:
      onAuthentication in interface org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
      Overrides:
      onAuthentication in class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy
    • createNewSessionAndMigrate

      protected javax.servlet.http.HttpSession createNewSessionAndMigrate(javax.servlet.http.HttpServletRequest request, String originalSessionId, Map<String,Object> attributesToMigrate)
    • getAttributesAndinvalidateOldSession

      protected Map<String,Object> getAttributesAndinvalidateOldSession(javax.servlet.http.HttpSession originalSession)
    • keyCanBeMigrated

      protected boolean keyCanBeMigrated(String key)
    • setMigrateSessionAttributes

      public void setMigrateSessionAttributes(boolean migrateSessionAttributes)
      Overrides:
      setMigrateSessionAttributes in class org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
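The following is an added example and is not code from hybris or Spring Security. It drives the strategy wired in the configuration above through Spring's servlet mocks (org.springframework.mock.web from spring-test) to show what onAuthentication and setMigrateSessionAttributes do: the session id that existed before login is discarded, and the old session's attributes are copied into the replacement session. It assumes spring-test, spring-security-web and the servlet API are on the classpath and that HybrisSessionFixationProtectionStrategy can be instantiated outside a running hybris platform; if it cannot, run the class inside a hybris integration test or pass Spring's own org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy to simulateLogin, which rotates the id the same way. The "cart" attribute and the user "alice" are constructed sample data.

```java
import javax.servlet.http.HttpSession;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

import de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy;

/**
 * Added example, not part of hybris or Spring Security: drives a
 * SessionAuthenticationStrategy against Spring's servlet mocks to show that
 * the session id present before login is discarded on authentication and
 * that the old session's attributes are carried into the new one.
 */
public class SessionFixationDemo {

    /** What one simulated login produced. */
    public static final class Outcome {
        public final String sessionIdBeforeLogin;
        public final String sessionIdAfterLogin;
        public final Object migratedCartAttribute;

        Outcome(String before, String after, Object cart) {
            this.sessionIdBeforeLogin = before;
            this.sessionIdAfterLogin = after;
            this.migratedCartAttribute = cart;
        }

        public boolean sessionIdWasRotated() {
            return !sessionIdBeforeLogin.equals(sessionIdAfterLogin);
        }
    }

    public static Outcome simulateLogin(SessionAuthenticationStrategy strategy) {
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/j_spring_security_check");
        MockHttpServletResponse response = new MockHttpServletResponse();

        // Pre-authentication session. In a fixation attack this is the id the
        // attacker planted, e.g. by sending the victim a link that carries it.
        HttpSession fixated = request.getSession(true);
        String idBefore = fixated.getId();
        request.setRequestedSessionId(idBefore);   // the browser sent this id back with the login
        fixated.setAttribute("cart", "cart-4711"); // constructed sample attribute worth keeping

        // The Authentication the login filter hands to the strategy after a successful login.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        // This is the call the session-management machinery makes on successful authentication.
        strategy.onAuthentication(auth, request, response);

        // After the call the request is bound to the replacement session.
        HttpSession after = request.getSession(false);
        return new Outcome(idBefore, after.getId(), after.getAttribute("cart"));
    }

    public static void main(String[] args) {
        HybrisSessionFixationProtectionStrategy strategy = new HybrisSessionFixationProtectionStrategy();
        strategy.setMigrateSessionAttributes(true); // copy attributes such as the cart across

        Outcome o = simulateLogin(strategy);
        if (!o.sessionIdWasRotated()) {
            throw new IllegalStateException("session id " + o.sessionIdBeforeLogin + " survived login");
        }
        if (!"cart-4711".equals(o.migratedCartAttribute)) {
            throw new IllegalStateException("session attribute was not migrated to the new session");
        }
        System.out.println("rotated " + o.sessionIdBeforeLogin + " -> " + o.sessionIdAfterLogin
                + ", cart=" + o.migratedCartAttribute);
    }
}
```

Calling setMigrateSessionAttributes(false) before simulateLogin still rotates the id but leaves migratedCartAttribute null, which is the trade-off the setter controls: a fresh session defeats the fixated identifier either way, migration only decides whether pre-login state survives. No ApplicationEventPublisher is set, so the inherited NullEventPublisher swallows the session-change event; in a real cockpit deployment the container-managed bean wiring supplies one.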