shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Devendra Mani (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-170) Force New Session ID on Authentication
Date Fri, 10 Jul 2015 07:10:05 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14621864#comment-14621864
] 

Devendra Mani commented on SHIRO-170:
-------------------------------------

Here is my full code if it helps you It has few methods that are specific to my project which
you can change in your own.

package in.org.cris.oaew.common.shiro;

//import in.org.cris.oaew.rshl.dao.SuccessURLDAO;

import in.org.cris.oaew.mrappt.beans.LoggedInUser;
import in.org.cris.oaew.mrappt.dao.SuccessURLDAO;

import java.util.Collection;
import java.util.LinkedHashMap;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class MyFormAuthenticationFilter extends FormAuthenticationFilter {
	private static final Logger log = LoggerFactory.getLogger(MyFormAuthenticationFilter.class);
	@Override
	protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
			                                    ServletRequest request, ServletResponse response) throws
Exception {
			       
			       
			       log.debug("setting users attributes");
			       new SuccessURLDAO().setUserAttribute(subject);
			       
			       if(((LoggedInUser) subject.getSession().getAttribute("userinfo")).getIsAccountLocked()==1)
			       {
			    	   subject.logout();
			    	   return onLoginFailure( token, new DisabledAccountException(), request,  response);
			       }else
			       {
			    	   issueSuccessRedirect(request, response);
				       //we handled the success redirect directly, prevent the chain from continuing:
				       return false;
			       }
			       
			     
			       
			       
			    }
	
	 protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
             				ServletRequest request, ServletResponse response) {
		 			SuccessURLDAO dao = new SuccessURLDAO();
		 			String userid =token.getPrincipal().toString();
		 				
		 			if((!(e instanceof org.apache.shiro.authc.UnknownAccountException))){
		 			   if( dao.isAccountLocked(userid))
		 				{
		 					setFailureAttribute( request,new DisabledAccountException());
		 				}else
		 				{
		 					setFailureAttribute(request, e);
		 					new SuccessURLDAO().setUserFailedAttempt(token.getPrincipal().toString());
		 				}
		 			}else{
		 				setFailureAttribute(request, e);
		 			}
		 				
		 				
		 				return true;
	 }
	


	@Override
	 protected boolean executeLogin(final ServletRequest request, final ServletResponse response)
throws Exception {
	 final AuthenticationToken token = createToken(request, response);
	 if (token == null)
	 { String msg = "createToken method implementation returned null. A valid non-null AuthenticationToken
" + "must be created in order to execute a login attempt."; throw new IllegalStateException(msg);
}
	 try {
	 // Stop session fixation issues.
	 // https://issues.apache.org/jira/browse/SHIRO-170
	 final Subject subject = getSubject(request, response);
	 Session session = subject.getSession();
	 String old_id= (String) session.getId();
	 // Store the attributes so we can copy them to the new session after auth.
	 final LinkedHashMap<Object, Object> attributes = new LinkedHashMap<Object, Object>();
	 final Collection<Object> keys = session.getAttributeKeys();
	 for (Object key : keys) {
	 final Object value = session.getAttribute(key);
	 if (value != null)
	 { attributes.put(key, value); }
	 }
	 session.stop();
	 
	 subject.login(token);
	 // Restore the attributes. 
	 session = subject.getSession();
	 log.debug("OWASP session fixation  from " +old_id +" to "+  session.getId());
	 for (final Object key : attributes.keySet())
	 { session.setAttribute(key, attributes.get(key)); }
	 return onLoginSuccess(token, subject, request, response);
	 } catch (AuthenticationException e)
	 { return onLoginFailure(token, e, request, response); }
	 }
}

> Force New Session ID on Authentication
> --------------------------------------
>
>                 Key: SHIRO-170
>                 URL: https://issues.apache.org/jira/browse/SHIRO-170
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Configuration
>    Affects Versions: 1.0.0, 1.1.0, 1.2.0
>            Reporter: Jakob K├╝lzer
>            Priority: Minor
>             Fix For: 1.3.0
>
>
> I am working on an application that has very high security standards. One of the issues
raised after a full audit of the app is that it might be vulnerable for session fixation attacks.
Shiro does not reset the Session ID after successful authentication, which would prevent this
type of attack. 
> IMHO this would add another level of security to Shiro beneficial for all kinds of applications.

> OWASP has a good page on session fixation attacks: http://www.owasp.org/index.php/Session_fixation



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message