Use session fixation protection strategy

WE2-849

Signed-off-by: Raul Metsma <[email protected]>

Author: metsma

example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java

@@ -39,6 +39,7 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
 
 public class WebEidAjaxLoginProcessingFilter extends AbstractAuthenticationProcessingFilter {
     private static final Logger LOG = LoggerFactory.getLogger(WebEidAjaxLoginProcessingFilter.class);
@@ -51,6 +52,7 @@ public WebEidAjaxLoginProcessingFilter(
         this.setAuthenticationManager(authenticationManager);
         this.setAuthenticationSuccessHandler(new AjaxAuthenticationSuccessHandler());
         this.setAuthenticationFailureHandler(new AjaxAuthenticationFailureHandler());
+        setSessionAuthenticationStrategy(new SessionFixationProtectionStrategy());
     }
 
     @Override

example/src/test/java/eu/webeid/example/WebApplicationTest.java

@@ -37,6 +37,7 @@
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.setup.DefaultMockMvcBuilder;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
@@ -98,15 +99,17 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
             }
         };
 
-        final MockHttpSession session = new MockHttpSession();
+        MockHttpSession session = new MockHttpSession();
         session.setAttribute("challenge-nonce", new ChallengeNonce(ObjectMother.VALID_CHALLENGE_NONCE, DateAndTime.utcNow().plusMinutes(1)));
 
         Dates.setMockedSignatureDate(Dates.getSigningDateTime());
 
         // Act and assert
         mvcBuilder.build().perform(get("/auth/challenge"));
 
-        MockHttpServletResponse response = HttpHelper.login(mvcBuilder, session, ObjectMother.mockAuthToken());
+        MvcResult result = HttpHelper.login(mvcBuilder, session, ObjectMother.mockAuthToken());
+        session = (MockHttpSession) result.getRequest().getSession();
+        MockHttpServletResponse response = result.getResponse();
         assertEquals("{\"sub\":\"JAAK-KRISTJAN JÕEORG\",\"auth\":[\"ROLE_USER\"]}", response.getContentAsString());
 
         /* Example how to test file upload.

example/src/test/java/eu/webeid/example/testutil/HttpHelper.java

@@ -26,6 +26,7 @@
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.mock.web.MockMultipartFile;
+import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.DefaultMockMvcBuilder;
 import eu.webeid.example.security.dto.AuthTokenDTO;
@@ -38,7 +39,7 @@
 
 public class HttpHelper {
 
-    public static MockHttpServletResponse login(DefaultMockMvcBuilder mvcBuilder, MockHttpSession session, AuthTokenDTO authTokenDTO) throws Exception {
+    public static MvcResult login(DefaultMockMvcBuilder mvcBuilder, MockHttpSession session, AuthTokenDTO authTokenDTO) throws Exception {
         // @formatter:off
         return mvcBuilder
                 .build()
@@ -47,8 +48,7 @@ public static MockHttpServletResponse login(DefaultMockMvcBuilder mvcBuilder, Mo
                         .with(csrf())
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(ObjectMother.toJson(authTokenDTO)))
-                .andReturn()
-                .getResponse();
+                .andReturn();
         // @formatter:on
     }