Programmatic use of Spring Security
I'm using Wicket with the Wicket Auth Project for my presentation layer, and so I've integrated it with Spring Security. This is the method that Wicket calls to do the authentication for me:
    @Override
    public boolean authenticate(String username, String password) {
        try {
            // Build an unauthenticated token and let the configured AuthenticationManager verify it
            Authentication request = new UsernamePasswordAuthenticationToken(
                    username, password);
            Authentication result = authenticationManager.authenticate(request);
            // Publish the authenticated principal to the thread-local security context
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            return false;
        }
        return true;
    }
The contents (inside) of my Spring Security XML configuration:
    <http path-type="regex">
        <form-login login-page="/signin"/>
        <logout logout-url="/logout" />
    </http>
    <global-method-security secured-annotations="enabled" />
    <authentication-manager alias="authenticationManager"/>
    <authentication-provider user-service-ref="userService">
        <password-encoder ref="bcryptpasswordencoder" />
    </authentication-provider>
Section 2.3.6, Session Fixation Attack Protection, of the reference documentation says:
Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). Spring Security protects against this automatically by creating a new session when a user logs in. If you don't require this protection, or it conflicts with some other requirement, you can control the behaviour using the session-fixation-protection attribute on , which has three options:
migrateSession - creates a new session and copies the existing session attributes to the new session. This is the default.
none - Don't do anything. The original session will be retained.
newSession - Create a new "clean" session, without copying the existing session data.

The authentication works, but as I'm fairly new to Spring Security I have some questions which I need answers to:

1. Normally for login I would POST the authentication information to j_spring_security_check and let Spring Security perform the actual authentication code. I would like to have protection against session fixation attacks; will I get it when I perform a programmatic login as I do? And if not, what would I have to do to get it?
2. How do I perform programmatic logout?
3. As I will use programmatic login and logout, how do I disable Spring from intercepting those URLs?
Update:
It seems that to protect against session fixation attacks I need to call a method in the SessionUtils class with the signature startNewSessionIfRequired(HttpServletRequest request, boolean migrateAttributes, SessionRegistry sessionRegistry).
How do I get an instance of SessionRegistry that I need to pass in? I can't find any way to create an alias id for it, or to find out its id or name.
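As an added example (not code from the question, from Wicket or from Spring Security), here is one way to get migrateSession-style protection in a programmatic login without a SessionRegistry, using only the Servlet API for the session swap, plus a matching programmatic logout. Assumptions: the hypothetical helper class ProgrammaticAuth, the Spring Security 2.0 package names that the question's SessionUtils reference implies (3.x moved these under org.springframework.security.core), and that the caller supplies the HttpServletRequest.

```java
import java.util.*;
import javax.servlet.http.*;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

// Hypothetical helper (assumption): programmatic login/logout with migrateSession-style protection.
public final class ProgrammaticAuth {
    // Authenticate first, then discard the pre-login session id, so a session id that
    // existed before login never turns into an authenticated one.
    public static boolean login(AuthenticationManager authenticationManager,
                                HttpServletRequest request, String username, String password) {
        try {
            Authentication token = new UsernamePasswordAuthenticationToken(username, password);
            Authentication result = authenticationManager.authenticate(token);
            migrateSession(request); // new id first, then publish the authentication on it
            SecurityContextHolder.getContext().setAuthentication(result);
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    // Programmatic logout: clear the thread-local context and invalidate the session.
    public static void logout(HttpServletRequest request) {
        SecurityContextHolder.clearContext();
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
    }

    // Same effect as session-fixation-protection="migrateSession": a fresh session id with
    // the old attributes copied over (this keeps the Wicket session, which lives in one).
    private static void migrateSession(HttpServletRequest request) {
        Map<String, Object> attrs = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = (String) names.nextElement();
                attrs.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
    }
}
```

The filter-based protection the reference manual describes is applied when the POST to j_spring_security_check passes through the form-login filter, so a login performed inside Wicket's authenticate() has to do the session swap itself, as above.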