RANGER-995 : Implement session fixation protection Signed-off-by: Gautam Borad <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/14f8c118 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/14f8c118 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/14f8c118 Branch: refs/heads/master Commit: 14f8c118368cb9e5ee01a7a59b9ade03de48a288 Parents: e115000 Author: pradeep <[email protected]> Authored: Thu May 26 14:43:22 2016 +0530 Committer: Gautam Borad <[email protected]> Committed: Mon May 30 17:58:14 2016 +0530 ---------------------------------------------------------------------- .../RangerAuthSuccessHandler.java | 2 ++ ...RangerSessionFixationProtectionStrategy.java | 33 ++++++++++++++++++++ 2 files changed, 35 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/14f8c118/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java index bf16a57..877620b 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java +++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java 
@@ -76,6 +76,8 @@ SavedRequestAwareAuthenticationSuccessHandler { HttpServletResponse response, Authentication authentication) throws ServletException, IOException { + RangerSessionFixationProtectionStrategy rangerSessionFixationProtectionStrategy=new RangerSessionFixationProtectionStrategy(); + rangerSessionFixationProtectionStrategy.onAuthentication(authentication, request, response); WebAuthenticationDetails details = (WebAuthenticationDetails) authentication .getDetails(); String remoteAddress = details != null ? details.getRemoteAddress() http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/14f8c118/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerSessionFixationProtectionStrategy.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerSessionFixationProtectionStrategy.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerSessionFixationProtectionStrategy.java new file mode 100644 index 0000000..4c73b52 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerSessionFixationProtectionStrategy.java 
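Review bot: The two added lines in RangerAuthSuccessHandler build a new RangerSessionFixationProtectionStrategy on every successful login and call it from inside the success handler, so the session id is rotated only on login paths that end in this handler. Spring Security normally runs a SessionAuthenticationStrategy from the authentication filter (`setSessionAuthenticationStrategy`, or the `session-management` element) before any success handler. Wiring it there would cover every filter-based login, and any other authentication entry points the application has (none are visible in this hunk) should be checked for the same rotation. If the call stays here, hold the strategy in a field, e.g. `private final SessionAuthenticationStrategy sessionStrategy = new RangerSessionFixationProtectionStrategy();`, and add a comment such as `// rotate the session id before anything below records or reads it`. The method body continues outside the hunk, so whether later code depends on the pre-login session id cannot be confirmed from here.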
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.security.web.authentication;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
+
+public class RangerSessionFixationProtectionStrategy extends SessionFixationProtectionStrategy {
+
+ @Override
+ public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response){
+ super.onAuthentication(authentication, request, response);
+ }
+}
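Review bot: The `onAuthentication` override in RangerSessionFixationProtectionStrategy only forwards to `super.onAuthentication(authentication, request, response)`, so the subclass behaves exactly like Spring's SessionFixationProtectionStrategy and nothing in the file says why it exists. Either use the base class directly or add a class Javadoc, for example `/** Rotates the HTTP session on login to prevent session fixation; extension point for Ranger-specific session handling. */`. The inherited default copies the old session's attributes into the new session, so attributes set before login survive authentication. That Javadoc should state whether this is intended, or the caller should use `setMigrateSessionAttributes(false)` if it is not.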
