Class HybrisSessionFixationProtectionStrategy
java.lang.Object
org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy
org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy
- All Implemented Interfaces:
org.springframework.beans.factory.Aware, org.springframework.context.ApplicationEventPublisherAware, org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
public class HybrisSessionFixationProtectionStrategy
extends org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by
accessing a site, then persuade another user to log in with the same session (by sending them a link containing the
session identifier as a parameter, for example). Spring Security protects against this automatically by creating a
new session when a user logs in.
Adding ...
<security:http ...
<security:session-management session-authentication-strategy-ref="fixation"/>
</security:http>
<bean id="fixation" class="de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy"/>
... will enable this feature for your cockpit-based frontend.
Nested Class Summary
Nested classes/interfaces inherited from class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy:
- org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy.NullEventPublisher
Field Summary
Fields inherited from class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy:
- logger
Constructor Summary
Constructors:
- HybrisSessionFixationProtectionStrategy()
Method Summary
- protected javax.servlet.http.HttpSession createNewSessionAndMigrate(javax.servlet.http.HttpServletRequest request, String originalSessionId, Map<String, Object> attributesToMigrate)
- getAttributesAndinvalidateOldSession(javax.servlet.http.HttpSession originalSession)
- protected boolean keyCanBeMigrated(String key)
- void onAuthentication(org.springframework.security.core.Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response): Called when a user is newly authenticated.
- void setMigrateSessionAttributes(boolean migrateSessionAttributes)
Methods inherited from class org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy:
- extractAttributes
Methods inherited from class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy:
- onSessionChange, setAlwaysCreateSession, setApplicationEventPublisher
Constructor Details
- HybrisSessionFixationProtectionStrategy
public HybrisSessionFixationProtectionStrategy()
Method Details
- onAuthentication
public void onAuthentication(org.springframework.security.core.Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Called when a user is newly authenticated. If a session already exists, a new session will be created, the session attributes copied to it (if migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.
If there is no session, no action is taken unless the alwaysCreateSession property is set, in which case a session will be created if one doesn't already exist.
- Specified by:
onAuthentication in interface org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
- Overrides:
onAuthentication in class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy
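As an added illustration (not the project's code and not Spring Security's implementation), the following hypothetical helper walks through the steps onAuthentication describes against the plain javax.servlet API: collect the old session's attributes, invalidate the old session so the pre-login identifier is dead, obtain a fresh session with a new id, and copy over only the permitted attributes. The class name SessionMigrationExample and the "transient." prefix rule in keyCanBeMigrated are assumptions made for this example, and it assumes a servlet-api jar on the classpath.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper illustrating login-time session rotation; not the project's own class. */
public class SessionMigrationExample {

    private boolean migrateSessionAttributes = true;

    public void setMigrateSessionAttributes(boolean migrate) {
        this.migrateSessionAttributes = migrate;
    }

    /** Policy hook: keys under this prefix stay behind (an assumed rule, not the project's). */
    protected boolean keyCanBeMigrated(String key) {
        return !key.startsWith("transient.");
    }

    /** Returns the new session, or null when the request carried no session to rotate. */
    public HttpSession onLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return null; // nothing to rotate; the alwaysCreateSession option is not modelled here
        }
        String oldId = old.getId();
        Map<String, Object> toMigrate = getAttributesAndInvalidateOldSession(old);
        HttpSession fresh = request.getSession(true); // container issues a brand-new id
        if (fresh.getId().equals(oldId)) {
            // A container that hands back the same id would leave the fixation window open.
            throw new IllegalStateException("session id was not rotated on login");
        }
        for (Map.Entry<String, Object> e : toMigrate.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    protected Map<String, Object> getAttributesAndInvalidateOldSession(HttpSession old) {
        Map<String, Object> attrs = new HashMap<>();
        if (migrateSessionAttributes) {
            for (String key : Collections.list(old.getAttributeNames())) {
                if (keyCanBeMigrated(key)) {
                    attrs.put(key, old.getAttribute(key));
                }
            }
        }
        old.invalidate(); // the pre-login identifier no longer resolves to any server-side state
        return attrs;
    }
}
```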
- createNewSessionAndMigrate
- getAttributesAndinvalidateOldSession
- keyCanBeMigrated
- setMigrateSessionAttributes
public void setMigrateSessionAttributes(boolean migrateSessionAttributes)
- Overrides:
setMigrateSessionAttributes in class org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy