Unfortunately we have a very keen pen tester who is blocking the project until
I manage to fix this issue.
I also mentioned the same thing as the system is only accessible via https.
I've been playing around with the session-fixation attribute within Spring Sec:
<http entry-point-ref="casProcessingFilterEntryPoint" use-expressions="true">
    ....
    ....
    <logout logout-success-url="/logout"/>
    <custom-filter ref="casAuthenticationFilter" after="CAS_FILTER"/>
    <session-management session-fixation-protection="migrateSession"/>
</http>
However it doesn't seem to take any effect on the session IDs.
Looking at the javadoc it looks like the CasAuthenticationFilter is meant to
invoke the session handler that controls the session-fixation.
But I can't seem to find where it actually does it.
Anyone else ever managed to get this working?
/**
 * Default behaviour for successful authentication.
 * <ol>
 * <li>Sets the successful <tt>Authentication</tt> object on the {@link SecurityContextHolder}</li>
 * <li>Invokes the configured {@link SessionAuthenticationStrategy} to handle any session-related behaviour
 * (such as creating a new session to protect against session-fixation attacks).</li>
 * <li>Informs the configured <tt>RememberMeServices</tt> of the successful login</li>
 * <li>Fires an {@link InteractiveAuthenticationSuccessEvent} via the configured
 * <tt>ApplicationEventPublisher</tt></li>
 * <li>Delegates additional behaviour to the {@link AuthenticationSuccessHandler}.</li>
 * </ol>
 *
 * @param authResult the object returned from the <tt>attemptAuthentication</tt> method.
 */
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
        Authentication authResult) throws IOException, ServletException {

    if (logger.isDebugEnabled()) {
        logger.debug("Authentication success. Updating SecurityContextHolder to contain: " + authResult);
    }

    SecurityContextHolder.getContext().setAuthentication(authResult);

    rememberMeServices.loginSuccess(request, response, authResult);

    // Fire event
    if (this.eventPublisher != null) {
        eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
    }

    successHandler.onAuthenticationSuccess(request, response, authResult);
}
Many Thanks
James Parry
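An added example, not part of the thread or of the Spring Security or CAS projects: in Spring Security 3.x the namespace attribute session-fixation-protection only wires a strategy into filters that the <http> element creates itself, so a CasAuthenticationFilter declared as its own bean and plugged in through <custom-filter> keeps its default NullAuthenticatedSessionStrategy unless the sessionAuthenticationStrategy property is set on it explicitly. The bean ids sas, authenticationManager and serviceProperties are assumed names.

```xml
<!-- Added example (not from the thread); bean ids "sas", "authenticationManager"
     and "serviceProperties" are assumed names. -->

<!-- Same strategy the namespace uses for session-fixation-protection="migrateSession":
     invalidates the pre-login session and copies its attributes into a fresh one,
     so the session id issued before authentication is never valid afterwards. -->
<bean id="sas"
      class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
    <property name="migrateSessionAttributes" value="true"/>
</bean>

<bean id="casAuthenticationFilter"
      class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <!-- Without this property the custom filter keeps NullAuthenticatedSessionStrategy
         and the JSESSIONID assigned before login survives ticket validation. -->
    <property name="sessionAuthenticationStrategy" ref="sas"/>
</bean>
```

To verify the fix, compare the JSESSIONID cookie value issued before the redirect to the CAS server with the one set after the ticket is validated; with the strategy wired in, the post-login value is different and the old one no longer resolves to a session.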
From: Scott Battaglia [mailto:[email protected]]
Sent: 12 September 2012 14:53
To: [email protected]
Subject: Re: [cas-user] Session Fixation - CAS Client - Tomcat
I do not believe we have anything specific for it, mostly because better
security packages that integrate the raw client do (i.e. Spring Security).
On Wed, Sep 12, 2012 at 9:50 AM, James Parry <[email protected]> wrote:
Hi All,
I'm not sure if this is a CAS Client issue or Tomcat but I'm trying to do a
little research to try and get to the bottom of the problem so I thought I
would check here.
We have a Spring Web app using the CAS client and SAML auth against a CAS
Server.
I'm looking to try and protect the Spring Web App against Session Fixation.
There are two main methods of exploitation for this issue:
1) The application sets a session ID for a non-authenticated user. When the
user authenticates, the session ID is not changed. If the attacker can access
this session ID token then they will be able to steal the user's session.
2) The attacker can "force" the user to use a token they have created. This is
accomplished by the attacker visiting the site and being assigned a session ID.
I was wondering if the CAS client already contains protection against Session
Fixation and I just need to set a certain feature.
A simple point in the right direction will probably be enough.
Many Thanks
James
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user