2009/12/2 Andrew Turner <[email protected]>:
>
>
> Good morning all,
>
> I'm hoping I've misconfigured something in my application, but we seem to be
> prone to session stealing in our wicket application. We're using
> wicket-auth-roles to provide the security, and if you are able to access the
> jsessionid you can get another machine to log straight into the application
> as the intercepted user. We're using HTTPS for the communication, so
> hopefully the likelihood of this occurring is quite small, but we are still
> being forced to contemplate rewriting the security layer (which I want to
> avoid if possible).
>
> So, my question, have I misconfigured something, or is it just not possible
> to prevent this sort of attack when using wicket-auth-roles?
>
> I've managed to create a completely stripped-down app that still has the
> problem, below is the AuthenticatedWebSession implementation.
>
> import org.apache.wicket.Request;
> import org.apache.wicket.authentication.AuthenticatedWebSession;
> import org.apache.wicket.authorization.strategies.role.Roles;
> public class HelloWorldWebSession extends AuthenticatedWebSession {
>     public HelloWorldWebSession(Request request) { super(request); }
>     // Hard-coded credentials: the stripped-down repro only.
>     public boolean authenticate(String username, String password) {
>         return "helloUser".equals(username) && "password".equals(password);
>     }
>     public Roles getRoles() { // USER once signed in, no roles otherwise
>         return isSignedIn() ? new Roles(Roles.USER) : null;
>     }
> }
>
> And the simple page:
>
> import org.apache.wicket.authorization.strategies.role.annotations.AuthorizeInstantiation;
> import org.apache.wicket.markup.html.WebPage;
> @AuthorizeInstantiation("USER")
> public class HelloWorldHomePage extends WebPage { } // needs HelloWorldHomePage.html beside it
>
> And the application:
>
> import org.apache.wicket.Page;
> import org.apache.wicket.authentication.AuthenticatedWebApplication;
> import org.apache.wicket.authentication.AuthenticatedWebSession;
> import org.apache.wicket.authentication.pages.SignInPage;
> import org.apache.wicket.markup.html.WebPage;
>
> public class HelloWorldApplication extends AuthenticatedWebApplication {
>     protected void init() {
>         super.init();
>         mountBookmarkablePage("home", HelloWorldHomePage.class);
>         mountBookmarkablePage("signin", SignInPage.class);
>     }
>
>     protected Class<? extends WebPage> getSignInPageClass() {
>         return SignInPage.class;
>     }
>
>     protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
>         return HelloWorldWebSession.class;
>     }
>
>     public Class<? extends Page> getHomePage() {
>         return HelloWorldHomePage.class;
>     }
> }
>
> The URL below, once logged in on one machine, could then be used on multiple
> machines to bypass the security layer.
>
> http://localhost:9090/HelloWorld/home;jsessionid=<SESSION_ID_TAKEN_FROM_URL/COOKIE>
>
> Many Thanks
> Andy
>
>
Man, just configure your webserver properly so it doesn't append
jsessionid to URLs. Wicket has nothing to do with session management.
Jetty (web.xml):
  <context-param>
    <param-name>org.mortbay.jetty.servlet.SessionURL</param-name>
    <param-value>none</param-value>
  </context-param>
Resin (resin-web.xml):
  <web-app id='...'>
    <session-config enable-cookies='true' enable-url-rewriting='false' />
  </web-app>
Other:
use your webserver docs.
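An added example, not code from the thread or from the Wicket project: a container-independent servlet filter that does in Java what the Jetty and Resin settings above do in configuration (stop the container from appending ";jsessionid=" to URLs) and adds the check those settings do not give you, refusing to act on a session id that arrives in the URL. The class and method names (CookieOnlySessionFilter, NoUrlRewritingResponse, stripSessionPathParam) are my own, and it assumes the Servlet 2.5 API that Wicket 1.4 runs on.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Cookie-only session tracking, independent of the container's own settings:
 *  1. a session id presented in the URL is never honoured: the session it
 *     names is invalidated (the id has leaked) and the client is sent back
 *     to the same URL without the path parameter;
 *  2. everything downstream (Wicket included) gets a response whose
 *     encodeURL/encodeRedirectURL leave URLs alone, so ";jsessionid="
 *     can never be written into a link or redirect.
 * Hypothetical class name; map it in web.xml ahead of the Wicket filter.
 */
public class CookieOnlySessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Part 1: this is exactly the request an attacker who copied the
        // link sends. Do not serve it as the original user.
        if (request.getRequestedSessionId() != null
                && request.isRequestedSessionIdFromURL()) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate(); // leaked id: kill the session for everyone
            }
            response.sendRedirect(stripSessionPathParam(request));
            return;
        }

        // Part 2: wrap the response so URL rewriting becomes a no-op.
        chain.doFilter(request, new NoUrlRewritingResponse(response));
    }

    /** Rebuild the request URL without its ";jsessionid=..." path parameter. */
    static String stripSessionPathParam(HttpServletRequest request) {
        String uri = request.getRequestURI().replaceAll("(?i);jsessionid=[^;/?]*", "");
        String query = request.getQueryString();
        return query == null ? uri : uri + "?" + query;
    }

    /** Response wrapper whose URL-encoding methods are identity functions. */
    @SuppressWarnings("deprecation")
    static class NoUrlRewritingResponse extends HttpServletResponseWrapper {
        NoUrlRewritingResponse(HttpServletResponse response) {
            super(response);
        }

        public String encodeURL(String url) { return url; }

        public String encodeRedirectURL(String url) { return url; }

        // Servlet 2.0-era names, still called by some old code paths.
        public String encodeUrl(String url) { return url; }

        public String encodeRedirectUrl(String url) { return url; }
    }
}
```

Map the filter to `/*` in web.xml before the WicketFilter mapping so the wrapped response is what Wicket renders into. On a Servlet 3.0 container the same effect for part 2 is one line of web.xml, `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`, but part 1 still needs code. Two caveats: clients that refuse cookies cannot hold a session at all once URL rewriting is off, which is the price of this setting; and none of this helps if the cookie itself is captured, so keep the session cookie marked Secure (and HttpOnly) and serve every page over HTTPS, not just the login form.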
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]