2
votes

I want to disable session-fixation-protection on Spring-Boot (using version 1.2.4). We are configuring the httpSecurity in Java:

SecurityConfig.Scala

import org.springframework.beans.factory.annotation.Autowired
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.{EnableWebSecurity, WebSecurityConfigurerAdapter}
import org.springframework.security.web.context.SecurityContextRepository

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {

  // Assumed wiring: the question does not show where the memcached-backed
  // repository comes from, so it is injected here as a bean.
  @Autowired
  var memcachedSecurityContextRepository: SecurityContextRepository = _

  override def configure(http: HttpSecurity): Unit = {
    println("loading config")
    http.
      csrf().disable().
      authorizeRequests().
        antMatchers("/api/member/**").permitAll().
        antMatchers("/api/feedback/submit").permitAll().
        antMatchers("/test/**").permitAll().
        antMatchers("/session").access("hasRole('ROLE_ADMIN')").
        anyRequest().anonymous().and().
      securityContext().securityContextRepository(memcachedSecurityContextRepository).and().
      formLogin().
        loginPage("/login").failureUrl("/denied").defaultSuccessUrl("/session").and().
      logout().invalidateHttpSession(true).logoutSuccessUrl("/login").and().
      sessionManagement().invalidSessionUrl("/login").maximumSessions(1).expiredUrl("/login").and().
        // and() on the concurrency sub-configurer returns the SessionManagementConfigurer
        sessionFixation().none()
  }
}

Here is some debug output from Spring while executing the above code:

loading config
Adding web access control expression 'permitAll', for Ant [pattern='/api/member/**']
Adding web access control expression 'permitAll', for Ant [pattern='/api/feedback/submit']
Adding web access control expression 'permitAll', for Ant [pattern='/test/**']
Adding web access control expression 'hasRole('ROLE_ADMIN')', for Ant [pattern='/session']
Adding web access control expression 'anonymous', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1 Validated configuration attributes
Validated configuration attributes

Here is the debug output during authentication:

COOKIEVAL:Some(mh3dg7l715nhvtfdfpng11ooa7)
/api/member/account at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@4e2ca7d9
/api/member/account at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
Checking match of request : '/api/member/account'; against '/logout'
/api/member/account at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
Checking match of request : '/api/member/account'; against '/login'
/api/member/account at position 6 of 12 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
/api/member/account at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
/api/member/account at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
/api/member/account at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4525caad: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN'
/api/member/account at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
/api/member/account at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
/api/member/account at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
Checking match of request : '/api/member/account'; against '/api/member/**'
Secure object: FilterInvocation: URL: /api/member/account; Attributes: [permitAll]
Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4525caad: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN
Voter: org.springframework.security.web.access.expression.WebExpressionVoter@28549e18, returned: 1
Authorization successful
RunAsManager did not change Authentication object
/api/member/account reached end of additional filter chain; proceeding with original chain

What do I have to do to prevent the cookie value from being changed after authentication? I thought calling sessionFixation().none() would turn off session-fixation protection.


1 Answer

0
votes

In my case, this helped:

http
  .sessionManagement()
    .sessionAuthenticationStrategy(new NullAuthenticatedSessionStrategy()).and()
  ....

NullAuthenticatedSessionStrategy will do nothing on authentication.

Doing this is unsafe! This is only for testing purposes!
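For comparison, here is the same sessionManagement() block written once with session-fixation protection left on and once with it turned off, as an added Java example (not the asker's Scala config and not the answerer's snippet). The class name, the `disableFixationProtection` toggle and the route set are assumptions for the illustration; the Spring Security calls are the ones available in the 3.2 line that Spring Boot 1.2.x ships. A session cookie whose value changes on login is the expected behaviour when protection is on, which is exactly the observation the question wants to suppress.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer;

/**
 * Added example: weak and hardened session-fixation settings side by side.
 * Class name and the toggle below are assumed for the illustration.
 */
@Configuration
@EnableWebSecurity
public class SessionFixationConfig extends WebSecurityConfigurerAdapter {

    // Assumed toggle; in a real build this would be a test-profile property,
    // never a switch that can be flipped in production.
    private final boolean disableFixationProtection = false;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Everything up to and including the concurrency control is identical
        // in both variants; ConcurrencyControlConfigurer.and() hands back the
        // SessionManagementConfigurer, on which sessionFixation() lives.
        SessionManagementConfigurer<HttpSecurity> sessions = http
            .authorizeRequests()
                .antMatchers("/session").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").defaultSuccessUrl("/session")
                .and()
            .logout()
                .invalidateHttpSession(true).logoutSuccessUrl("/login")
                .and()
            .sessionManagement()
                .invalidSessionUrl("/login")
                .maximumSessions(1).expiredUrl("/login")
                .and();

        if (disableFixationProtection) {
            // Weak setting (what the question and answer arrive at): the
            // pre-login session id survives authentication, so any party that
            // knew the id before login now holds an authenticated session.
            sessions.sessionFixation().none();
        } else {
            // Hardened setting: a fresh session id is issued at login while the
            // session attributes are kept. changeSessionId() does the same on a
            // Servlet 3.1 container without copying attributes between
            // HttpSession objects; newSession() additionally drops the attributes.
            sessions.sessionFixation().migrateSession();
        }
    }
}
```

To check which variant is active, compare the session cookie sent with the login request against the Set-Cookie header on the login response: with migrateSession() the value differs, with none() it is unchanged. If a test profile needs none(), keep the toggle bound to that profile so the hardened branch is what every other environment compiles in.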