
Session Management filter does not seem to honor the require explicit save option -> securityContext.requireExplicitSave(true)

Open srividhyakk opened this issue 1 year ago • 3 comments

Describe the bug

SessionManagementFilter does not seem to honor the require explicit save option (securityContext.requireExplicitSave(true)) and saves the authenticated security context to the session.

The require explicit save option is supposed to be used for cases where session management is required but authorization comes from a stateless option like a token. But, as part of the fix for SEC-1396 (https://github.com/spring-projects/spring-security/issues/1639), the saveContext is done without considering the option.

To Reproduce

  1. Configure HTTP to use requireExplicitSave as true, to have securityContext not saved to session
  2. Configure spring to issue JWT token on login
  3. Authenticate into the application
  4. Call any of the URLs requiring authentication with JSESSIONID, but without the token

Expected behavior

The request should fail as unauthorized, since no token is passed.

Workaround

Since SessionManagementFilter could not be easily overridden, the only workaround seems to be to extend the SecurityContextRepository and override saveContext and containsContext as below, so as to handle the case where the SessionManagementFilter knows that the authentication was done in an earlier request and does not authenticate again, without storing the security context.

// Imports assumed for the snippet (jakarta.servlet namespace, i.e. Spring Security 6).
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

http.setSharedObject(SecurityContextRepository.class,
        new HttpSessionSecurityContextRepository() {
            // Let the parent write the context, then remove it again and leave only a
            // marker recording that authentication already happened in this session.
            @Override
            public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
                super.saveContext(context, request, response);
                HttpSession session = request.getSession(false);
                if (session != null) {
                    // SPRING_SECURITY_CONTEXT_KEY is a static field; no "this." needed.
                    session.removeAttribute(SPRING_SECURITY_CONTEXT_KEY);
                    session.setAttribute("SPRING_WORKAROUND_AUTH_COMPLETE", "true");
                }
            }

            // SessionManagementFilter skips its own authentication/save step when the
            // repository reports that a context already exists for this request.
            @Override
            public boolean containsContext(HttpServletRequest request) {
                HttpSession session = request.getSession(false);
                if (session == null) {
                    return false;
                }
                return session.getAttribute("SPRING_WORKAROUND_AUTH_COMPLETE") != null;
            }
        });

srividhyakk, Mar 02 '24 05:03

Hi, @srividhyakk, thanks for the report. I think this statement:

  1. Configure HTTP to use requireExplicitSave as true, to have securityContext not saved to session

may misunderstand the purpose of requireExplicitSave. Setting this value only reconfigures the filter chain with regard to which filters will save the session: true means that each authentication filter must do it, false means that SessionManagementFilter must do it.

requireExplicitSave was introduced to ensure the session wasn't retrieved unnecessarily on each request. Setting it to true does not turn off session management.

If you do not want a session, please configure the sessionCreationPolicy instead.

If I am understanding correctly, following this recommendation will also allow you to remove the session management filter customization that you are doing.

Does this address your use case? If not, please see if you can add more detail or a sample application to illustrate.

jzheaux, Mar 04 '24 18:03
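The two settings discussed above side by side, as an added example that is not part of this thread or of the project's code. It assumes a Spring Security 6 application that validates JWTs through oauth2ResourceServer(); the class and method names are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class JwtOnlySecurityConfig {

    // Setting from the report. requireExplicitSave(true) only moves the saveContext call from
    // SessionManagementFilter into the authentication filters; the context still ends up in the
    // HttpSession, so a later request carrying just JSESSIONID (and no token) is still
    // treated as authenticated. Kept here for comparison; it is not registered as a bean.
    static SecurityFilterChain sessionSavingChain(HttpSecurity http) throws Exception {
        return http
                .securityContext(sc -> sc.requireExplicitSave(true))
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
                .build();
    }

    // Recommended setting. STATELESS replaces the session-backed SecurityContextRepository with
    // a per-request one, so nothing is persisted between requests and every request must
    // present a valid bearer token; a bare JSESSIONID is rejected with 401.
    static SecurityFilterChain tokenOnlyChain(HttpSecurity http) throws Exception {
        return http
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
                .build();
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return tokenOnlyChain(http);
    }
}
```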

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues, Mar 11 '24 18:03

While we are using a JWT token for authorization, we would also want to have concurrent session control. So when we have concurrent session control enabled, we would not want to have the security context saved in the session. Instead, we would want to have the security context derived from the token on every request. So the behavior of the Session Management Filter to handle the race condition is getting in the way of this behavior.

srividhyakk, Mar 15 '24 08:03