Session fixation protection jmix-framework#1523 (jmix-framework#1528)

freecrmsystem · Mar 27, 2023 · 9eb94de · 9eb94de
1 parent 0806630
commit 9eb94de
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 4 deletions.
diff --git a/jmix-flowui/flowui/src/main/java/io/jmix/flowui/FlowuiProperties.java b/jmix-flowui/flowui/src/main/java/io/jmix/flowui/FlowuiProperties.java
@@ -62,6 +62,11 @@ public class FlowuiProperties {
      */
     int saveExportedByteArrayDataThresholdBytes;
 
+    /**
+     * Whether to reinitialize a session after login to protect from session fixation attacks.
+     */
+    boolean useSessionFixationProtection;
+
     public FlowuiProperties(@DefaultValue("login") String loginViewId,
                             @DefaultValue("main") String mainViewId,
                             @DefaultValue("true") boolean compositeMenu,
@@ -70,7 +75,9 @@ public FlowuiProperties(@DefaultValue("login") String loginViewId,
                             @DefaultValue("50") Integer defaultPageSize,
                             @Nullable Map<String, Integer> entityPageSize,
                             @DefaultValue({"htm", "html", "jpg", "png", "jpeg", "pdf"}) List<String> viewFileExtensions,
-                            @DefaultValue("102400") int saveExportedByteArrayDataThresholdBytes) {
+                            @DefaultValue("102400") int saveExportedByteArrayDataThresholdBytes,
+                            @DefaultValue("true") boolean useSessionFixationProtection
+    ) {
         this.loginViewId = loginViewId;
         this.mainViewId = mainViewId;
         this.compositeMenu = compositeMenu;
@@ -80,6 +87,7 @@ public FlowuiProperties(@DefaultValue("login") String loginViewId,
         this.entityPageSize = entityPageSize == null ? Collections.emptyMap() : entityPageSize;
         this.viewFileExtensions = viewFileExtensions;
         this.saveExportedByteArrayDataThresholdBytes = saveExportedByteArrayDataThresholdBytes;
+        this.useSessionFixationProtection = useSessionFixationProtection;
     }
 
     /**
@@ -138,4 +146,11 @@ public List<String> getViewFileExtensions() {
     public int getSaveExportedByteArrayDataThresholdBytes() {
         return saveExportedByteArrayDataThresholdBytes;
     }
+
+    /**
+     * @see #useSessionFixationProtection
+     */
+    public boolean isUseSessionFixationProtection() {
+        return useSessionFixationProtection;
+    }
 }
diff --git a/...security-flowui/src/main/java/io/jmix/securityflowui/authentication/LoginViewSupport.java b/...security-flowui/src/main/java/io/jmix/securityflowui/authentication/LoginViewSupport.java
@@ -20,6 +20,8 @@
 import com.vaadin.flow.component.UI;
 import com.vaadin.flow.component.page.ExtendedClientDetails;
 import com.vaadin.flow.router.Location;
+import com.vaadin.flow.server.VaadinRequest;
+import com.vaadin.flow.server.VaadinService;
 import com.vaadin.flow.server.VaadinServletRequest;
 import com.vaadin.flow.server.VaadinServletResponse;
 import com.vaadin.flow.server.auth.ViewAccessChecker;
@@ -176,11 +178,21 @@ public Authentication authenticate(AuthDetails authDetails) throws Authenticatio
                         authDetails.getTimeZone())
         );
 
+        preventSessionFixation(authenticationToken);
+
         onSuccessfulAuthentication(authenticationToken, authDetails);
 
         return authenticationToken;
     }
 
+    protected void preventSessionFixation(Authentication authentication) {
+        if (authentication.isAuthenticated()
+                && VaadinRequest.getCurrent() != null
+                && flowuiProperties.isUseSessionFixationProtection()) {
+            VaadinService.reinitializeSession(VaadinRequest.getCurrent());
+        }
+    }
+
     protected void onSuccessfulAuthentication(Authentication authentication,
                                               AuthDetails authDetails) {
         VaadinServletRequest request = VaadinServletRequest.getCurrent();

diff --git a/...urity/security-ui/src/main/java/io/jmix/securityui/authentication/LoginScreenSupport.java b/...urity/security-ui/src/main/java/io/jmix/securityui/authentication/LoginScreenSupport.java
@@ -16,8 +16,7 @@
 
 package io.jmix.securityui.authentication;
 
-import com.vaadin.server.VaadinServletRequest;
-import com.vaadin.server.VaadinServletResponse;
+import com.vaadin.server.*;
 import io.jmix.core.AccessManager;
 import io.jmix.core.CoreProperties;
 import io.jmix.core.Messages;
@@ -169,11 +168,25 @@ public Authentication authenticate(AuthDetails authDetails,
                         authDetails.getTimeZone())
         );
 
+        preventSessionFixation(authenticationToken);
+
         onSuccessfulAuthentication(authenticationToken, authDetails, frameOwner);
 
         return authenticationToken;
     }
 
+    protected void preventSessionFixation(Authentication authentication) {
+        if (authentication.isAuthenticated()
+                && VaadinRequest.getCurrent() != null
+                && uiProperties.isUseSessionFixationProtection()) {
+            VaadinService.reinitializeSession(VaadinRequest.getCurrent());
+
+            WrappedSession session = VaadinSession.getCurrent().getSession();
+            int timeout = uiProperties.getHttpSessionExpirationTimeoutSec();
+            session.setMaxInactiveInterval(timeout);
+        }
+    }
+
     protected void onSuccessfulAuthentication(Authentication authentication,
                                               AuthDetails authDetails,
                                               @Nullable FrameOwner frameOwner) {

diff --git a/jmix-ui/ui/src/main/java/io/jmix/ui/UiProperties.java b/jmix-ui/ui/src/main/java/io/jmix/ui/UiProperties.java
@@ -135,6 +135,11 @@ public class UiProperties {
      */
     int mainTabCaptionLength;
 
+    /**
+     * Whether to reinitialize a session after login to protect from session fixation attacks.
+     */
+    boolean useSessionFixationProtection;
+
     public UiProperties(
             boolean testMode,
             boolean performanceTestMode,
@@ -161,7 +166,8 @@ public UiProperties(
             @DefaultValue("main") String mainScreenId,
             String initialScreenId,
             @DefaultValue("true") boolean localeSelectVisible,
-            @DefaultValue("25") int mainTabCaptionLength
+            @DefaultValue("25") int mainTabCaptionLength,
+            @DefaultValue("true") boolean useSessionFixationProtection
     ) {
         this.testMode = testMode;
         this.performanceTestMode = performanceTestMode;
@@ -189,6 +195,7 @@ public UiProperties(
         this.initialScreenId = initialScreenId;
         this.localeSelectVisible = localeSelectVisible;
         this.mainTabCaptionLength = mainTabCaptionLength;
+        this.useSessionFixationProtection = useSessionFixationProtection;
     }
 
     /**
@@ -354,4 +361,11 @@ public int getMainTabCaptionLength() {
     public boolean isLocaleSelectVisible() {
         return localeSelectVisible;
     }
+
+    /**
+     * @see #useSessionFixationProtection
+     */
+    public boolean isUseSessionFixationProtection() {
+        return useSessionFixationProtection;
+    }
 }