[ 
https://issues.apache.org/jira/browse/SHIRO-170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14621859#comment-14621859
 ] 

Devendra Mani commented on SHIRO-170:
-------------------------------------

package in.org.cris.oaew.common.shiro;

To get "Force New Session ID on Authentication" behaviour you only need to override
executeLogin, for example:



import java.io.Serializable;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

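/**
 * Form-login filter that issues a new session ID on authentication.
 * <p>
 * Works around SHIRO-170: the session the browser arrived with is stopped
 * <em>before</em> the credentials are checked, so an attacker who planted a
 * session ID in the victim's browser ahead of login (session fixation) never
 * ends up holding the authenticated session. The attributes of the old session
 * (for example the saved request used for the post-login redirect) are carried
 * over to the replacement session.
 * </p>
 * <p>
 * Only {@link #executeLogin} is overridden; everything else is inherited from
 * {@link FormAuthenticationFilter}.
 * </p>
 */
public class MyFormAuthenticationFilter extends FormAuthenticationFilter {
    private static final Logger log =
            LoggerFactory.getLogger(MyFormAuthenticationFilter.class);

    /**
     * Performs the login attempt, rotating the session around it.
     *
     * @param request  the current request
     * @param response the current response
     * @return whatever {@link #onLoginSuccess} or {@link #onLoginFailure} returns
     * @throws IllegalStateException if {@link #createToken} returns {@code null}
     * @throws Exception propagated from the success/failure callbacks
     */
    @Override
    protected boolean executeLogin(final ServletRequest request,
                                   final ServletResponse response) throws Exception {
        final AuthenticationToken token = createToken(request, response);
        if (token == null) {
            throw new IllegalStateException("createToken method implementation returned null. A "
                    + "valid non-null AuthenticationToken must be created in order to execute a "
                    + "login attempt.");
        }

        // Stop session fixation issues (https://issues.apache.org/jira/browse/SHIRO-170):
        // drop the pre-authentication session BEFORE the credentials are checked, so the
        // authenticated state can never land in an attacker-chosen session ID.
        final Subject subject = getSubject(request, response);
        final Session oldSession = subject.getSession();
        // Session.getId() is declared Serializable, not String: with a custom
        // SessionIdGenerator a String cast would throw ClassCastException.
        final Serializable oldId = oldSession.getId();
        final Map<Object, Object> attributes = snapshotAttributes(oldSession);
        oldSession.stop();

        try {
            subject.login(token);
            // subject.getSession() now hands back the replacement session.
            final Session newSession = subject.getSession();
            restoreAttributes(newSession, attributes);
            // Log only whether rotation happened, not the IDs themselves: a session
            // identifier written to a log file is itself a hijacking primitive.
            final boolean rotated = oldId == null || !oldId.equals(newSession.getId());
            log.debug("Session regenerated on authentication; idChanged={}", rotated);
            return onLoginSuccess(token, subject, request, response);
        } catch (AuthenticationException e) {
            // The old session is already stopped, so the attributes must be carried
            // into the replacement here too; otherwise the saved request (and any
            // other pre-login state) is lost when the login form is re-rendered.
            restoreAttributes(subject.getSession(), attributes);
            return onLoginFailure(token, e, request, response);
        }
    }

    /** Copies every non-null attribute of {@code session} into a new insertion-ordered map. */
    private static Map<Object, Object> snapshotAttributes(final Session session) {
        final Map<Object, Object> copy = new LinkedHashMap<Object, Object>();
        final Collection<Object> keys = session.getAttributeKeys();
        if (keys != null) {
            for (final Object key : keys) {
                final Object value = session.getAttribute(key);
                if (value != null) {
                    copy.put(key, value);
                }
            }
        }
        return copy;
    }

    /** Writes each entry of {@code attributes} into {@code session}. */
    private static void restoreAttributes(final Session session,
                                          final Map<Object, Object> attributes) {
        for (final Map.Entry<Object, Object> entry : attributes.entrySet()) {
            session.setAttribute(entry.getKey(), entry.getValue());
        }
    }
}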


> Force New Session ID on Authentication
> --------------------------------------
>
>                 Key: SHIRO-170
>                 URL: https://issues.apache.org/jira/browse/SHIRO-170
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Configuration
>    Affects Versions: 1.0.0, 1.1.0, 1.2.0
>            Reporter: Jakob Külzer
>            Priority: Minor
>             Fix For: 1.3.0
>
>
> I am working on an application that has very high security standards. One of 
> the issues raised after a full audit of the app is that it might be 
> vulnerable to session fixation attacks. Shiro does not reset the session ID 
> after successful authentication, which is what would prevent this type of attack. 
> IMHO this would add another level of security to Shiro beneficial for all 
> kinds of applications. 
> OWASP has a good page on session fixation attacks: 
> http://www.owasp.org/index.php/Session_fixation


