
OPEN - issue SEC-834: Session fixation attack protection will cause problems with URL rewriting
http://jira.springframework.org/browse/SEC-834. Modified HttpSecurityBDP to add session-fixation parameters to openId and form-login filters. Also added sessionRegistry property to AbstractProcessingFilter so that it doesn't conflict with concurrent session control.

Luke Taylor 17 年之前
8b2c0468ff

+ 23 - 0
core/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java

@@ -1,5 +1,6 @@
 package org.springframework.security.config;
 
+import org.springframework.beans.PropertyValue;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
@@ -54,6 +55,18 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser {
         
         Object source = null;
 
+        // Copy values from the session fixation protection filter        
+        final Boolean sessionFixationProtectionEnabled = 
+            new Boolean(pc.getRegistry().containsBeanDefinition(BeanIds.SESSION_FIXATION_PROTECTION_FILTER));
+        Boolean migrateSessionAttributes = Boolean.FALSE;
+        
+        if (sessionFixationProtectionEnabled.booleanValue()) {
+            PropertyValue pv = 
+                    pc.getRegistry().getBeanDefinition(BeanIds.SESSION_FIXATION_PROTECTION_FILTER)
+                        .getPropertyValues().getPropertyValue("migrateSessionAttributes");
+            migrateSessionAttributes = (Boolean)pv.getValue(); 
+        }        
+        
         if (elt != null) {
         	source = pc.extractSource(elt);
             loginUrl = elt.getAttribute(ATT_LOGIN_URL);
@@ -79,10 +92,20 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser {
         filterBean.getPropertyValues().addPropertyValue("authenticationManager",
                 new RuntimeBeanReference(BeanIds.AUTHENTICATION_MANAGER));
         
+        filterBean.getPropertyValues().addPropertyValue("invalidateSessionOnSuccessfulAuthentication", 
+                sessionFixationProtectionEnabled);
+        filterBean.getPropertyValues().addPropertyValue("migrateInvalidatedSessionAttributes", 
+                migrateSessionAttributes);            
+        
         if (pc.getRegistry().containsBeanDefinition(BeanIds.REMEMBER_ME_SERVICES)) {
             filterBean.getPropertyValues().addPropertyValue("rememberMeServices", 
                     new RuntimeBeanReference(BeanIds.REMEMBER_ME_SERVICES) );
         }
+        
+        if (pc.getRegistry().containsBeanDefinition(BeanIds.SESSION_REGISTRY)) {
+            filterBean.getPropertyValues().addPropertyValue("sessionRegistry", 
+                    new RuntimeBeanReference(BeanIds.SESSION_REGISTRY));
+        }
 
         BeanDefinitionBuilder entryPointBuilder =
                 BeanDefinitionBuilder.rootBeanDefinition(AuthenticationProcessingFilterEntryPoint.class);
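Review bot: `pv` from the `getPropertyValue("migrateSessionAttributes")` lookup in the second hunk can be null if the session-fixation filter definition was registered without that property, and the cast on the next line then fails with a NullPointerException at context startup rather than a readable configuration error. A guard that falls back to the default, `migrateSessionAttributes = pv == null ? Boolean.FALSE : (Boolean) pv.getValue();`, keeps the parser robust to how HttpSecurityBeanDefinitionParser populates that bean, which is not visible here; if that parser stores the attribute as a String rather than a Boolean the cast would fail as well, so that is worth confirming. Separately, `new Boolean(...)` on the `sessionFixationProtectionEnabled` line is better written as `Boolean.valueOf(...)`. The enclosing parse method starts and ends outside these hunks.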

+ 13 - 2
core/src/main/java/org/springframework/security/ui/AbstractProcessingFilter.java

@@ -23,6 +23,7 @@ import org.springframework.security.util.RedirectUtils;
 import org.springframework.security.util.SessionUtils;
 import org.springframework.security.util.UrlUtils;
 
+import org.springframework.security.concurrent.SessionRegistry;
 import org.springframework.security.context.SecurityContextHolder;
 
 import org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent;
@@ -207,6 +208,8 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
     private boolean allowSessionCreation = true;
     
     private boolean serverSideRedirect = false;
+    
+    private SessionRegistry sessionRegistry;
 
     //~ Methods ========================================================================================================
 
@@ -355,7 +358,7 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
         }
 
         if (invalidateSessionOnSuccessfulAuthentication) {
-            SessionUtils.startNewSessionIfRequired(request, migrateInvalidatedSessionAttributes, null);
+            SessionUtils.startNewSessionIfRequired(request, migrateInvalidatedSessionAttributes, sessionRegistry);
         }
 
         String targetUrl = determineTargetUrl(request);
@@ -567,5 +570,13 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
      */	
 	public void setServerSideRedirect(boolean serverSideRedirect) {
 		this.serverSideRedirect = serverSideRedirect;
-	}	
+	}
+
+	/**
+	 * The session registry needs to be set if session fixation attack protection is in use (and concurrent 
+	 * session control is enabled).
+	 */
+    public void setSessionRegistry(SessionRegistry sessionRegistry) {
+        this.sessionRegistry = sessionRegistry;
+    }
 }
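Review bot: The Javadoc on `setSessionRegistry` says the registry "needs to be set" when concurrent session control is enabled, but nothing in these hunks enforces that, and because the field defaults to null a missing registry silently reverts to the pre-change behaviour of passing `null` to `SessionUtils.startNewSessionIfRequired`. I would state the null case explicitly in the Javadoc, e.g. `@param sessionRegistry registry to be told about the replacement session; may be null, in which case no registry is updated and a concurrent-session-control registry presumably keeps the invalidated session id — confirm against SessionUtils`, or add a check in the filter's initialization, which is outside these hunks so I cannot tell whether one exists. The field declaration in the second hunk would also benefit from a one-line comment saying it is optional. The new setter is indented with spaces while the surrounding methods use tabs.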