Class HybrisSessionFixationProtectionStrategy

  • All Implemented Interfaces:
    org.springframework.beans.factory.Aware, org.springframework.context.ApplicationEventPublisherAware, org.springframework.security.web.authentication.session.SessionAuthenticationStrategy

    public class HybrisSessionFixationProtectionStrategy
    extends org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
    Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). Spring Security protects against this automatically by creating a new session when a user logs in.
    Adding ...
     <security:http ...
            <security:session-management session-authentication-strategy-ref="fixation"/>
     </security:http>
     <bean id="fixation" class="de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy"/>
     

    .. will enable this feature for your cockpit based frontend.

    • Nested Class Summary

      • Nested classes/interfaces inherited from class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy

        org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy.NullEventPublisher
    • Field Summary

      • Fields inherited from class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy

        logger
    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      protected javax.servlet.http.HttpSession createNewSessionAndMigrate​(javax.servlet.http.HttpServletRequest request, java.lang.String originalSessionId, java.util.Map<java.lang.String,​java.lang.Object> attributesToMigrate)  
      protected java.util.Map<java.lang.String,​java.lang.Object> getAttributesAndinvalidateOldSession​(javax.servlet.http.HttpSession originalSession)  
      protected boolean keyCanBeMigrated​(java.lang.String key)  
      void onAuthentication​(org.springframework.security.core.Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Called when a user is newly authenticated.
      void setMigrateSessionAttributes​(boolean migrateSessionAttributes)  
      • Methods inherited from class org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

        extractAttributes
      • Methods inherited from class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy

        onSessionChange, setAlwaysCreateSession, setApplicationEventPublisher
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • HybrisSessionFixationProtectionStrategy

        public HybrisSessionFixationProtectionStrategy()
    • Method Detail

      • onAuthentication

        public void onAuthentication​(org.springframework.security.core.Authentication authentication,
                                     javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response)
        Called when a user is newly authenticated.

        If a session already exists, a new session will be created, the session attributes copied to it (if migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.

        If there is no session, no action is taken unless the alwaysCreateSession property is set, in which case a session will be created if one doesn't already exist.

        Specified by:
        onAuthentication in interface org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
        Overrides:
        onAuthentication in class org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy
      • createNewSessionAndMigrate

        protected javax.servlet.http.HttpSession createNewSessionAndMigrate​(javax.servlet.http.HttpServletRequest request,
                                                                            java.lang.String originalSessionId,
                                                                            java.util.Map<java.lang.String,​java.lang.Object> attributesToMigrate)
      • getAttributesAndinvalidateOldSession

        protected java.util.Map<java.lang.String,​java.lang.Object> getAttributesAndinvalidateOldSession​(javax.servlet.http.HttpSession originalSession)
      • keyCanBeMigrated

        protected boolean keyCanBeMigrated​(java.lang.String key)
      • setMigrateSessionAttributes

        public void setMigrateSessionAttributes​(boolean migrateSessionAttributes)
        Overrides:
        setMigrateSessionAttributes in class org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy