java - Programmatic use of Spring Security

Question

I am using Wicket with the Wicket Auth Project for my presentation layer and I have therefore integrated it with Spring Security. This is the method which is called by Wicket for authentication for me:

@Override
public boolean authenticate(String username, String password) {
    try {
        Authentication request = new UsernamePasswordAuthenticationToken(
                username, password);
        Authentication result = authenticationManager.authenticate(request);
        SecurityContextHolder.getContext().setAuthentication(result);
    } catch (AuthenticationException e) {
        return false;
    }
    return true;
}

The contents (inside ) of my Spring Security XML configuration are:

<http path-type="regex">
    <form-login login-page="/signin"/>
<logout logout-url="/logout" />
</http>
<global-method-security secured-annotations="enabled" />
<authentication-manager alias="authenticationManager"/>
<authentication-provider user-service-ref="userService">
    <password-encoder ref="bcryptpasswordencoder" />
</authentication-provider>

The section 2.3.6. Session Fixation Attack Protection of the reference documentation says:

Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). Spring Security protects against this automatically by creating a new session when a user logs in. If you don't require this protection, or it conflicts with some other requirement, you can control the behaviour using the session-fixation-protection attribute on , which has three options:

• migrateSession - creates a new session and copies the existing session attributes to the new session. This is the default.
• none - Don't do anything. The original session will be retained.
• newSession - Create a new "clean" session, without copying the existing session data.

The authentication works, but I as I'm fairly new to Spring Security I have some questions which I need answers too:

• Normally for login, I would POST the authentication information to j_spring_security_check and let Spring Security perform the actual authentication code. I would like to have protection against session fixation attacks, will I get it when I perform a programmatic login as I do? And if not, what would I have to do to get it?
• How do I perform programmatic logout?
• As I will use programmatic login and logout, how do I disable Spring from intercepting those URL's?

Update: For session fixation attack protection it seems that I need to call the method in the SessionUtils class with the signature startNewSessionIfRequired(HttpServletRequest request, boolean migrateAttributes, SessionRegistry sessionRegistry).

How do I get the SessionRegistry instance which I need to pass in? I can't find any way to create an alias ID for it, or how to get it's ID or name.

question from:https://stackoverflow.com/questions/1013032/programmatic-use-of-spring-security

Answer 1

Maybe it's not a full answer to your questions, but maybe it might help you.

The code being called when you do NOT use programmatic login, but a standard one is to be found here:

org.springframework.security.ui.webapp.AuthenticationProcessingFilter

I guess you were inspired by this in your code. It looks quite similar.

Similarly the code executed when you access the /j_spring_security_logout in the standard approach, is to be found here:

org.springframework.security.ui.logout.LogoutFilter

The LogoutFilter calls multiple handlers. The handler we are using is called: org.springframework.security.ui.logout.SecurityContextLogoutHandler, so you might call the same code in your approach.