Hi everyone,
Hope someone has an idea.
What I need:
Check if a certain session attribute is set when trying to authenticate:
Sessions.getCurrent().getAttribute(...);
By doing this a new session is created. If the attribute is not set, the authentication is checked and needs to be saved into a new session. It must be a new session to retrieve a new session ID, otherwise the app would be vulnerable to session token fixation attacks.
Now I can't invalidate the session, get a new one and then set the authentication because
    Sessions.getCurrent().invalidate();
    Sessions.getCurrent(true).setAttribute(...);
will not destroy the session until the last request is completed, hence getCurrent() will give me the "old" session which at this point in time is still valid.
My idea was to send a forward afterwards with the necessary attributes in the URL to save them in the other method to the session, in which I would have access to the new session. However, I'm getting an IllegalStateException:
    java.lang.IllegalStateException: Use sendRedirect instead when processing user's request
Any ideas on how to solve this scenario?
Thanks in advance! MJ.
I am not a security expert so please check for yourself (and with your security team) whether the code below fulfills your particular requirements. It merely tries to demonstrate how the native session and request objects can be used to conditionally invalidate a session, set/check an attribute and forward the request if needed.
For this scenario I'd suggest a lower level of abstraction and working with the native HttpSession and HttpServletRequest objects directly, e.g. in a servlet filter.
This catches potential manipulation attempts at an earlier stage in the request processing (and makes you independent of the framework used).
    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    import java.io.IOException;

    public class CheckCertainAttributeFilter implements Filter {
        public static final String CERTAIN_SESSION_ATTRIBUTE = "certain-session-attribute";
        public static final String MY_EXPECTED_VALUE = "my-expected-value";

        @Override
        public void doFilter(ServletRequest request, ServletResponse response,
                             FilterChain chain) throws IOException, ServletException {
            final HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            // getSession() creates a session if the client did not present one
            final HttpSession session = httpServletRequest.getSession();
            // session present, check for certain session attribute value
            if (session != null) {
                final String certainSessionAttributeValue =
                        (String) session.getAttribute(CERTAIN_SESSION_ATTRIBUTE);
                if (!MY_EXPECTED_VALUE.equals(certainSessionAttributeValue)) {
                    // drop the old session id, start a fresh session and mark it
                    session.invalidate();
                    HttpSession newSession = httpServletRequest.getSession(true);
                    newSession.setAttribute(CERTAIN_SESSION_ATTRIBUTE, MY_EXPECTED_VALUE);
                    request.getRequestDispatcher("/login.zul").forward(request, response);
                    // the forward has produced the response; do not continue the chain,
                    // otherwise the target servlet runs again on a committed response
                    return;
                }
            }
            chain.doFilter(request, response);
        }

        @Override
        public void init(FilterConfig filterConfig) throws ServletException { }

        @Override
        public void destroy() { }
    }
Then configure the filter in your web.xml:
    <filter>
        <filter-name>checkCertainAttribute</filter-name>
        <filter-class>CheckCertainAttributeFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>checkCertainAttribute</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
After that each request will be forwarded to the login.zul page, unless the expected value is present in the session attribute.
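The question above is really about session fixation at login time: the session id has to change at the moment of authentication, and the framework-level invalidate() is deferred. The following login servlet is an added example written for this thread (it is not the asker's or answerer's code): it performs the invalidate-and-copy rotation at the servlet level, uses the container's request.login() (Servlet 3.0) as a hypothetical credential check, and redirects rather than forwards, as the IllegalStateException message demands. The attribute name and the /login.zul and /index.zul paths are assumptions.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Hypothetical login servlet (not from this thread): the session id is rotated at the
// moment of authentication, so a token obtained before login is worthless afterwards.
public class LoginServlet extends HttpServlet {
    public static final String AUTH_ATTRIBUTE = "authenticated-user";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = rotateSession(request);   // fresh id before any privileged state
        try {
            // Container-managed credential check (Servlet 3.0 request.login()).
            request.login(request.getParameter("user"), request.getParameter("password"));
        } catch (ServletException failed) {
            // The rotated session holds nothing sensitive yet, so just send the user back.
            response.sendRedirect(request.getContextPath() + "/login.zul?error=1");
            return;
        }
        session.setAttribute(AUTH_ATTRIBUTE, request.getRemoteUser());
        // Redirect rather than forward: the browser must receive the new JSESSIONID
        // cookie before it issues its next request.
        response.sendRedirect(request.getContextPath() + "/index.zul");
    }

    // Returns a session whose id differs from the one the client presented; attributes are kept.
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return request.getSession(true);            // no pre-login session: nothing to fix
        }
        // Copy attributes, invalidate the old session, then create a new one.
        Map<String, Object> copy = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            copy.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        copy.forEach(fresh::setAttribute);
        return fresh;
    }
}
```

On a Servlet 3.1+ container, request.changeSessionId() achieves the same rotation in one call while keeping the HttpSession object; copy only the attributes you actually need across the rotation, since anything an attacker could have planted in the pre-login session travels with it.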
Asked: 2019-02-12 23:36:33 +0800
Seen: 9 times
Last updated: Feb 13 '19