de.hybris.platform.servicelayer.security.spring

Class HybrisSessionFixationProtectionStrategy

java.lang.Object

SessionFixationProtectionStrategy

de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy

public class HybrisSessionFixationProtectionStrategy
extends SessionFixationProtectionStrategy

Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). Spring Security protects against this automatically by creating a new session when a user logs in.
Adding ...

 <security:http ...
        <security:session-management session-authentication-strategy-ref="fixation"/>
 </security:http>
 <bean id="fixation" class="de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy"/>
 

.. will enable this feature for your cockpit based frontend.

Constructor Summary

Constructors

Constructor and Description
HybrisSessionFixationProtectionStrategy()

Method Summary

Modifier and Type	Method and Description
protected HttpSession	createNewSessionAndMigrate(HttpServletRequest request, java.lang.String originalSessionId, java.util.Map<java.lang.String,java.lang.Object> attributesToMigrate)
protected java.util.Map<java.lang.String,java.lang.Object>	getAttributesAndinvalidateOldSession(HttpSession originalSession)
protected boolean	keyCanBeMigrated(java.lang.String key)
void	onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) Called when a user is newly authenticated.
void	setMigrateSessionAttributes(boolean migrateSessionAttributes)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

HybrisSessionFixationProtectionStrategy

public HybrisSessionFixationProtectionStrategy()

Method Detail

onAuthentication

public void onAuthentication(Authentication authentication,
                             HttpServletRequest request,
                             HttpServletResponse response)

Called when a user is newly authenticated.

If a session already exists, a new session will be created, the session attributes copied to it (if migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.

If there is no session, no action is taken unless the alwaysCreateSession property is set, in which case a session will be created if one doesn't already exist.

createNewSessionAndMigrate

protected HttpSession createNewSessionAndMigrate(HttpServletRequest request,
                                                 java.lang.String originalSessionId,
                                                 java.util.Map<java.lang.String,java.lang.Object> attributesToMigrate)

getAttributesAndinvalidateOldSession

protected java.util.Map<java.lang.String,java.lang.Object> getAttributesAndinvalidateOldSession(HttpSession originalSession)

keyCanBeMigrated

protected boolean keyCanBeMigrated(java.lang.String key)

setMigrateSessionAttributes

public void setMigrateSessionAttributes(boolean migrateSessionAttributes)