[
https://issues.apache.org/jira/browse/SHIRO-170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14621864#comment-14621864
]
Devendra Mani commented on SHIRO-170:
-------------------------------------
Here is my full code, in case it helps. It has a few methods that are specific to my
project, which you can replace with your own.
package in.org.cris.oaew.common.shiro;
//import in.org.cris.oaew.rshl.dao.SuccessURLDAO;
import in.org.cris.oaew.mrappt.beans.LoggedInUser;
import in.org.cris.oaew.mrappt.dao.SuccessURLDAO;
import java.util.Collection;
import java.util.LinkedHashMap;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
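/**
 * Form authentication filter that (1) replaces the pre-authentication session
 * with a fresh one on login, as a workaround for session fixation
 * (SHIRO-170, fixed natively in Shiro 1.3.0 according to the issue), (2) rejects
 * logins for accounts flagged as locked, and (3) records failed attempts through
 * the project's {@code SuccessURLDAO}.
 */
public class MyFormAuthenticationFilter extends FormAuthenticationFilter {

    private static final Logger log =
            LoggerFactory.getLogger(MyFormAuthenticationFilter.class);

    /** Session attribute under which {@code SuccessURLDAO.setUserAttribute} is expected to store the {@code LoggedInUser}. */
    private static final String USER_INFO_ATTRIBUTE = "userinfo";

    /**
     * Handles a successful authentication: loads the user's attributes into the
     * session, then either rejects the login (locked account) or issues the
     * success redirect.
     *
     * @param token    the token that authenticated
     * @param subject  the now-authenticated subject
     * @param request  the current request
     * @param response the current response
     * @return {@code false} after the redirect so the filter chain does not continue;
     *         on a locked account, whatever {@link #onLoginFailure} returns
     * @throws IllegalStateException if the DAO did not populate the user attribute
     *         (fails closed: the subject is logged out first)
     * @throws Exception propagated from the redirect
     */
    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
            ServletRequest request, ServletResponse response) throws Exception {
        log.debug("setting users attributes");
        new SuccessURLDAO().setUserAttribute(subject);

        Object userInfo = subject.getSession().getAttribute(USER_INFO_ATTRIBUTE);
        if (!(userInfo instanceof LoggedInUser)) {
            // Without the user record the lock flag cannot be evaluated; do not
            // leave an authenticated session behind.
            subject.logout();
            throw new IllegalStateException("session attribute '" + USER_INFO_ATTRIBUTE
                    + "' was not populated by SuccessURLDAO.setUserAttribute");
        }
        if (((LoggedInUser) userInfo).getIsAccountLocked() == 1) {
            // Credentials were valid but the account is disabled: discard the
            // authenticated session and report through the normal failure path.
            subject.logout();
            return onLoginFailure(token, new DisabledAccountException(), request, response);
        }
        issueSuccessRedirect(request, response);
        // We handled the success redirect directly; prevent the chain from continuing.
        return false;
    }

    /**
     * Handles a failed authentication. Unknown accounts (or tokens without a
     * principal) are reported as-is without touching the DAO, so nonexistent
     * user names are not recorded. For existing accounts a locked account is
     * reported as {@link DisabledAccountException} regardless of the real cause,
     * and any other failure increments the user's failed-attempt counter.
     *
     * @param token    the token that failed
     * @param e        the failure cause
     * @param request  the current request; receives the failure attribute
     * @param response the current response
     * @return {@code true} so the chain continues to render the login view
     */
    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
            ServletRequest request, ServletResponse response) {
        Object principal = token.getPrincipal();
        if (principal == null || e instanceof UnknownAccountException) {
            setFailureAttribute(request, e);
            return true;
        }
        String userid = principal.toString();
        SuccessURLDAO dao = new SuccessURLDAO();
        if (dao.isAccountLocked(userid)) {
            // Mask the underlying cause once the account is locked.
            setFailureAttribute(request, new DisabledAccountException());
        } else {
            setFailureAttribute(request, e);
            dao.setUserFailedAttempt(userid);
        }
        return true;
    }

    /**
     * Performs the login with session-fixation protection: the session that
     * existed before authentication is stopped so that a session id known to a
     * client before login is not valid afterwards. Every non-null attribute of
     * the old session is carried over to the new one; note that this includes
     * anything stored before authentication, so narrow the copy if some
     * attributes must not survive login.
     *
     * @param request  the current request
     * @param response the current response
     * @return the result of {@link #onLoginSuccess} or {@link #onLoginFailure}
     * @throws IllegalStateException if {@link #createToken} returned {@code null}
     * @throws Exception propagated from the success handler
     */
    @Override
    protected boolean executeLogin(final ServletRequest request,
            final ServletResponse response) throws Exception {
        final AuthenticationToken token = createToken(request, response);
        if (token == null) {
            String msg = "createToken method implementation returned null. "
                    + "A valid non-null AuthenticationToken "
                    + "must be created in order to execute a login attempt.";
            throw new IllegalStateException(msg);
        }
        try {
            // Stop session fixation issues.
            // https://issues.apache.org/jira/browse/SHIRO-170
            final Subject subject = getSubject(request, response);
            Session session = subject.getSession();
            // Session.getId() is Serializable, not necessarily a String; keep it as-is.
            final Object oldId = session.getId();

            // Snapshot the attributes so they can be copied to the new session after auth.
            final LinkedHashMap<Object, Object> attributes = new LinkedHashMap<Object, Object>();
            final Collection<Object> keys = session.getAttributeKeys();
            for (Object key : keys) {
                final Object value = session.getAttribute(key);
                if (value != null) {
                    attributes.put(key, value);
                }
            }
            session.stop();
            subject.login(token);

            // Restore the attributes into the post-authentication session.
            session = subject.getSession();
            final Object newId = session.getId();
            // Verify the rotation actually happened; session ids themselves are
            // credentials and are deliberately not written to the log.
            if (oldId != null && oldId.equals(newId)) {
                log.warn("session id was not rotated on login; session fixation protection is not effective");
            } else {
                log.debug("OWASP session fixation: issued a new session id on login");
            }
            for (Object key : attributes.keySet()) {
                session.setAttribute(key, attributes.get(key));
            }
            return onLoginSuccess(token, subject, request, response);
        } catch (AuthenticationException e) {
            return onLoginFailure(token, e, request, response);
        }
    }
}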
> Force New Session ID on Authentication
> --------------------------------------
>
> Key: SHIRO-170
> URL: https://issues.apache.org/jira/browse/SHIRO-170
> Project: Shiro
> Issue Type: New Feature
> Components: Authentication (log-in), Configuration
> Affects Versions: 1.0.0, 1.1.0, 1.2.0
> Reporter: Jakob Külzer
> Priority: Minor
> Fix For: 1.3.0
>
>
> I am working on an application that has very high security standards. One of
> the issues raised after a full audit of the app is that it might be
> vulnerable to session fixation attacks. Shiro does not reset the session ID
> after successful authentication, which would prevent this type of attack.
> IMHO this would add another level of security to Shiro, beneficial for all
> kinds of applications.
> OWASP has a good page on session fixation attacks:
> http://www.owasp.org/index.php/Session_fixation