- 浏览: 2539586 次
- 性别:
- 来自: 成都
文章分类
最新评论
-
nation:
你好,在部署Mesos+Spark的运行环境时,出现一个现象, ...
Spark(4)Deal with Mesos -
sillycat:
AMAZON Relatedhttps://www.godad ...
AMAZON API Gateway(2)Client Side SSL with NGINX -
sillycat:
sudo usermod -aG docker ec2-use ...
Docker and VirtualBox(1)Set up Shared Disk for Virtual Box -
sillycat:
Every Half an Hour30 * * * * /u ...
Build Home NAS(3)Data Redundancy -
sillycat:
3 List the Cron Job I Have>c ...
Build Home NAS(3)Data Redundancy
Session Fixation Security Issue(5)Security Token
I discuss this with my collegue, and he figures out another way. To use addtional information, for example, security token to validate this.
1. Generate Random String with SecurityRandom
package com.sillycat.easywebflow.util;
import java.security.SecureRandom;
import org.apache.log4j.Logger;
public class SecurityTokenUtil {
private static final Logger log = Logger
.getLogger(SecurityTokenUtil.class);
private static final SecureRandom sr = new SecureRandom();
/**
* generate random number
*
* @param length
* @return
*/
public static String getRandomIntNum(int length) {
sr.setSeed(sr.nextLong());
StringBuffer sb = new StringBuffer();
for (int i = 0; i < length; i++) {
sb.append(Math.abs(sr.nextInt(10)));
}
log.debug("gen randomIntNum=" + sb.toString());
return sb.toString();
}
/**
* generate random string
*
* @param length
* @return
*/
public static char[] getRandomCharArray(int length) {
sr.setSeed(sr.nextLong());
char[] ca = new char[length];
for (int i = 0; i < ca.length; i++) {
ca[i] = (char) (((Math.abs(sr.nextInt())) % 26) + (sr.nextBoolean() ? 65
: 97));
}
return ca;
}
/**
* get a random String
*
* @param length
* @return
*/
public static String getRandomString(int length) {
String returnstr = new String(getRandomCharArray(length));
log.debug("gen randomIntNum=" + returnstr);
return returnstr;
}
public static String getRandomIntNumCharacter(int length) {
sr.setSeed(sr.nextLong());
StringBuffer sb = new StringBuffer();
for (int i = 0; i < length; i++) {
if (sr.nextBoolean()) {
sb.append(Math.abs(sr.nextInt(10)));
} else {
char c = (char) (((Math.abs(sr.nextInt())) % 26) + (sr
.nextBoolean() ? 65 : 97));
sb.append(c);
}
}
log.debug("gen getRandomIntNumCharacter=" + sb.toString());
return sb.toString();
}
}
And the verify test case is as follow:
package com.sillycat.easywebflow.util;
import junit.framework.Assert;
import org.junit.Test;
public class SecurityTokenUtilTest {
@Test
public void getRandomIntNum(){
String num1 = SecurityTokenUtil.getRandomIntNum(10);
String num2 = SecurityTokenUtil.getRandomIntNum(10);
Assert.assertNotSame(num1, num2);
}
@Test
public void getRandomString(){
String str1 = SecurityTokenUtil.getRandomString(30);
String str2 = SecurityTokenUtil.getRandomString(30);
Assert.assertNotSame(str1,str2);
}
@Test
public void getRandomIntNumCharacter(){
String str1 = SecurityTokenUtil.getRandomIntNumCharacter(30);
String str2 = SecurityTokenUtil.getRandomIntNumCharacter(30);
Assert.assertNotSame(str1, str2);
}
}
2. Use a SessionCookieUtil to deal with Session and Cookie things
package com.sillycat.easywebflow.util;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class SessionCookieUtil {
public static final String COOKIE_SECURITY_TOKEN_NAME = "cookie_security_token";
public static final String SESSION_SECURITY_TOKEN_NAME = "session_security_token";
public static void writeValueToCookie(String key, String value,
HttpServletRequest request, HttpServletResponse response) {
Cookie cookie = new Cookie(key, value);
cookie.setMaxAge(-1);
String contextPath = null;
if (request != null) {
contextPath = request.getContextPath();
}
if ((contextPath != null) && (contextPath.length() > 0)) {
cookie.setPath(contextPath);
} else {
cookie.setPath("/");
}
if (response != null) {
response.addCookie(cookie);
}
}
public static String getValueFromCookie(String key,
HttpServletRequest request) {
String sessionId_fromCookie = "";
Cookie[] cookies_array = null;
if (request != null) {
cookies_array = request.getCookies();
}
if (cookies_array != null && cookies_array.length > 0) {
for (int i = 0; i < cookies_array.length; i++) {
Cookie cookie = cookies_array[i];
if (cookie.getName().equalsIgnoreCase(key)) {
sessionId_fromCookie = cookie.getValue();
break;
}
}
}
return sessionId_fromCookie;
}
public static void putValueinSession(String key, String value,
HttpServletRequest request) {
HttpSession session = null;
if (request != null) {
session = request.getSession();
}
if (session != null) {
session.setAttribute(key, value);
}
}
public static String fetchValuefromSession(String key,
HttpServletRequest request) {
String tokenValuefromSession = "";
HttpSession session = null;
if (request != null) {
session = request.getSession();
}
if (session != null) {
if (session.getAttribute(key) != null) {
tokenValuefromSession = (String) session.getAttribute(key);
}
}
return tokenValuefromSession;
}
}
3. Once our login action or other actions are taken, we will modify cookie and session
String token = SecurityTokenUtil.getRandomIntNumCharacter(30);
SessionCookieUtil.writeValueToCookie(SessionCookieUtil.COOKIE_SECURITY_TOKEN_NAME,token,request,response);
SessionCookieUtil.putValueinSession(SessionCookieUtil.SESSION_SECURITY_TOKEN_NAME, token, request);
4. Use filter to validate the token in every important steps
package com.sillycat.easywebflow.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.sillycat.easywebflow.util.SessionCookieUtil;
public class SessionFixationProtectionFilter implements Filter {
private final Log log = LogFactory
.getLog(SessionFixationProtectionFilter.class);
public void doFilter(ServletRequest servletRequest,
ServletResponse serlvetResponse, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) serlvetResponse;
String tokenValuefromCookie = SessionCookieUtil.getValueFromCookie(
SessionCookieUtil.COOKIE_SECURITY_TOKEN_NAME, request);
String tokenValuefromSession = SessionCookieUtil.fetchValuefromSession(
SessionCookieUtil.SESSION_SECURITY_TOKEN_NAME, request);
log.debug("COOKIE tokenValue = " + tokenValuefromCookie);
log.debug("SESSION tokenValue = " + tokenValuefromSession);
if (tokenValuefromSession != null
&& !"".equals(tokenValuefromSession)
&& !tokenValuefromSession
.equalsIgnoreCase(tokenValuefromCookie)) {
// there is token in session, and it is not equals from cookie
request.getSession().invalidate();
}
chain.doFilter(request, response);
}
public void init(FilterConfig filterConfig) throws ServletException {
}
public void destroy() {
}
}
I verified, this should be working.
references:
http://en.wikipedia.org/wiki/Session_fixation
https://www.owasp.org/index.php/Session_Fixation_Protection
http://www.exampledepot.com/egs/java.security/CreateSecureRandom.html
http://www.exampledepot.com/egs/java.security/ListSecureRnd.html
http://xiongjiajia.iteye.com/blog/1461424
I discuss this with my collegue, and he figures out another way. To use addtional information, for example, security token to validate this.
1. Generate Random String with SecurityRandom
package com.sillycat.easywebflow.util;
import java.security.SecureRandom;
import org.apache.log4j.Logger;
public class SecurityTokenUtil {
private static final Logger log = Logger
.getLogger(SecurityTokenUtil.class);
private static final SecureRandom sr = new SecureRandom();
/**
* generate random number
*
* @param length
* @return
*/
public static String getRandomIntNum(int length) {
sr.setSeed(sr.nextLong());
StringBuffer sb = new StringBuffer();
for (int i = 0; i < length; i++) {
sb.append(Math.abs(sr.nextInt(10)));
}
log.debug("gen randomIntNum=" + sb.toString());
return sb.toString();
}
/**
* generate random string
*
* @param length
* @return
*/
public static char[] getRandomCharArray(int length) {
sr.setSeed(sr.nextLong());
char[] ca = new char[length];
for (int i = 0; i < ca.length; i++) {
ca[i] = (char) (((Math.abs(sr.nextInt())) % 26) + (sr.nextBoolean() ? 65
: 97));
}
return ca;
}
/**
* get a random String
*
* @param length
* @return
*/
public static String getRandomString(int length) {
String returnstr = new String(getRandomCharArray(length));
log.debug("gen randomIntNum=" + returnstr);
return returnstr;
}
public static String getRandomIntNumCharacter(int length) {
sr.setSeed(sr.nextLong());
StringBuffer sb = new StringBuffer();
for (int i = 0; i < length; i++) {
if (sr.nextBoolean()) {
sb.append(Math.abs(sr.nextInt(10)));
} else {
char c = (char) (((Math.abs(sr.nextInt())) % 26) + (sr
.nextBoolean() ? 65 : 97));
sb.append(c);
}
}
log.debug("gen getRandomIntNumCharacter=" + sb.toString());
return sb.toString();
}
}
And the verify test case is as follow:
package com.sillycat.easywebflow.util;
import junit.framework.Assert;
import org.junit.Test;
public class SecurityTokenUtilTest {
@Test
public void getRandomIntNum(){
String num1 = SecurityTokenUtil.getRandomIntNum(10);
String num2 = SecurityTokenUtil.getRandomIntNum(10);
Assert.assertNotSame(num1, num2);
}
@Test
public void getRandomString(){
String str1 = SecurityTokenUtil.getRandomString(30);
String str2 = SecurityTokenUtil.getRandomString(30);
Assert.assertNotSame(str1,str2);
}
@Test
public void getRandomIntNumCharacter(){
String str1 = SecurityTokenUtil.getRandomIntNumCharacter(30);
String str2 = SecurityTokenUtil.getRandomIntNumCharacter(30);
Assert.assertNotSame(str1, str2);
}
}
2. Use a SessionCookieUtil to deal with Session and Cookie things
package com.sillycat.easywebflow.util;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class SessionCookieUtil {
public static final String COOKIE_SECURITY_TOKEN_NAME = "cookie_security_token";
public static final String SESSION_SECURITY_TOKEN_NAME = "session_security_token";
public static void writeValueToCookie(String key, String value,
HttpServletRequest request, HttpServletResponse response) {
Cookie cookie = new Cookie(key, value);
cookie.setMaxAge(-1);
String contextPath = null;
if (request != null) {
contextPath = request.getContextPath();
}
if ((contextPath != null) && (contextPath.length() > 0)) {
cookie.setPath(contextPath);
} else {
cookie.setPath("/");
}
if (response != null) {
response.addCookie(cookie);
}
}
public static String getValueFromCookie(String key,
HttpServletRequest request) {
String sessionId_fromCookie = "";
Cookie[] cookies_array = null;
if (request != null) {
cookies_array = request.getCookies();
}
if (cookies_array != null && cookies_array.length > 0) {
for (int i = 0; i < cookies_array.length; i++) {
Cookie cookie = cookies_array[i];
if (cookie.getName().equalsIgnoreCase(key)) {
sessionId_fromCookie = cookie.getValue();
break;
}
}
}
return sessionId_fromCookie;
}
public static void putValueinSession(String key, String value,
HttpServletRequest request) {
HttpSession session = null;
if (request != null) {
session = request.getSession();
}
if (session != null) {
session.setAttribute(key, value);
}
}
public static String fetchValuefromSession(String key,
HttpServletRequest request) {
String tokenValuefromSession = "";
HttpSession session = null;
if (request != null) {
session = request.getSession();
}
if (session != null) {
if (session.getAttribute(key) != null) {
tokenValuefromSession = (String) session.getAttribute(key);
}
}
return tokenValuefromSession;
}
}
3. Once our login action or other actions are taken, we will modify cookie and session
String token = SecurityTokenUtil.getRandomIntNumCharacter(30);
SessionCookieUtil.writeValueToCookie(SessionCookieUtil.COOKIE_SECURITY_TOKEN_NAME,token,request,response);
SessionCookieUtil.putValueinSession(SessionCookieUtil.SESSION_SECURITY_TOKEN_NAME, token, request);
4. Use filter to validate the token in every important steps
package com.sillycat.easywebflow.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.sillycat.easywebflow.util.SessionCookieUtil;
public class SessionFixationProtectionFilter implements Filter {
private final Log log = LogFactory
.getLog(SessionFixationProtectionFilter.class);
public void doFilter(ServletRequest servletRequest,
ServletResponse serlvetResponse, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) serlvetResponse;
String tokenValuefromCookie = SessionCookieUtil.getValueFromCookie(
SessionCookieUtil.COOKIE_SECURITY_TOKEN_NAME, request);
String tokenValuefromSession = SessionCookieUtil.fetchValuefromSession(
SessionCookieUtil.SESSION_SECURITY_TOKEN_NAME, request);
log.debug("COOKIE tokenValue = " + tokenValuefromCookie);
log.debug("SESSION tokenValue = " + tokenValuefromSession);
if (tokenValuefromSession != null
&& !"".equals(tokenValuefromSession)
&& !tokenValuefromSession
.equalsIgnoreCase(tokenValuefromCookie)) {
// there is token in session, and it is not equals from cookie
request.getSession().invalidate();
}
chain.doFilter(request, response);
}
public void init(FilterConfig filterConfig) throws ServletException {
}
public void destroy() {
}
}
I verified, this should be working.
references:
http://en.wikipedia.org/wiki/Session_fixation
https://www.owasp.org/index.php/Session_Fixation_Protection
http://www.exampledepot.com/egs/java.security/CreateSecureRandom.html
http://www.exampledepot.com/egs/java.security/ListSecureRnd.html
http://xiongjiajia.iteye.com/blog/1461424
发表评论
-
Update Site will come soon
2021-06-02 04:10 1672I am still keep notes my tech n ... -
Portainer 2020(4)Deploy Nginx and Others
2020-03-20 12:06 419Portainer 2020(4)Deploy Nginx a ... -
Private Registry 2020(1)No auth in registry Nginx AUTH for UI
2020-03-18 00:56 428Private Registry 2020(1)No auth ... -
Docker Compose 2020(1)Installation and Basic
2020-03-15 08:10 364Docker Compose 2020(1)Installat ... -
VPN Server 2020(2)Docker on CentOS in Ubuntu
2020-03-02 08:04 444VPN Server 2020(2)Docker on Cen ... -
Nginx Deal with OPTIONS in HTTP Protocol
2020-02-15 01:33 343Nginx Deal with OPTIONS in HTTP ... -
PDF to HTML 2020(1)pdftohtml Linux tool or PDFBox
2020-01-29 07:37 396PDF to HTML 2020(1)pdftohtml Li ... -
Elasticsearch Cluster 2019(2)Kibana Issue or Upgrade
2020-01-12 03:25 709Elasticsearch Cluster 2019(2)Ki ... -
Spark Streaming 2020(1)Investigation
2020-01-08 07:19 290Spark Streaming 2020(1)Investig ... -
Hadoop Docker 2019 Version 3.2.1
2019-12-10 07:39 288Hadoop Docker 2019 Version 3.2. ... -
MongoDB 2019(3)Security and Auth
2019-11-16 06:48 232MongoDB 2019(3)Security and Aut ... -
MongoDB 2019(1)Install 4.2.1 Single and Cluster
2019-11-11 05:07 284MongoDB 2019(1) Follow this ht ... -
Monitor Tool 2019(1)Monit Installation and Usage
2019-10-17 08:22 318Monitor Tool 2019(1)Monit Insta ... -
Ansible 2019(1)Introduction and Installation on Ubuntu and CentOS
2019-10-12 06:15 305Ansible 2019(1)Introduction and ... -
Timezone and Time on All Servers and Docker Containers
2019-10-10 11:18 326Timezone and Time on All Server ... -
Kafka Cluster 2019(6) 3 Nodes Cluster on CentOS7
2019-10-05 23:28 272Kafka Cluster 2019(6) 3 Nodes C ... -
K8S Helm(1)Understand YAML and Kubectl Pod and Deployment
2019-10-01 01:21 315K8S Helm(1)Understand YAML and ... -
Rancher and k8s 2019(5)Private Registry
2019-09-27 03:25 350Rancher and k8s 2019(5)Private ... -
Jenkins 2019 Cluster(1)Version 2.194
2019-09-12 02:53 437Jenkins 2019 Cluster(1)Version ... -
Redis Cluster 2019(3)Redis Cluster on CentOS
2019-08-17 04:07 365Redis Cluster 2019(3)Redis Clus ...
相关推荐
**会话固定攻击(Session Fixation)** 会话固定攻击是一种网络安全性问题,攻击者通过在用户登录前预先设定一个已知的会话ID(Session ID),然后在用户登录后继续使用这个固定的会话ID,从而能够控制或劫持用户的...
在Spring Security中,会话管理主要涉及到会话固定防护(Session Fixation Protection)和会话超时(Session Timeout)。 2. **会话固定防护** - 会话固定攻击是一种常见的安全威胁,攻击者通过获取用户的会话ID来...
至于`<session-management>`元素下的`<session-fixation-protection>`,它用于防止会话固定攻击,策略`migrateSession`意味着在用户登录后创建新的会话,以确保即使攻击者知道旧的会话ID也无法继续访问系统。...
3. **会话管理**:SpringSecurity可以帮助管理和保护用户的会话,防止会话固定攻击(Session Fixation)和会话劫持。它支持基于cookie的会话管理和基于token的无状态会话。 4. **CSRF防护**:为了防止跨站请求伪造...
Spring Security提供了一套完整的会话管理机制,包括会话固定保护(Session Fixation Protection)和会话超时控制,以防止会话劫持和会话持久化攻击。 7. **CSRF防护**: 为了防止跨站请求伪造(CSRF)攻击,...
4. **会话管理**:Spring Security提供了会话管理功能,可以防止会话固定攻击(Session Fixation)、实现会话超时以及单点登录(Single Sign-On, SSO)。 5. **异常处理**:当安全规则不满足时,Spring Security会...
它可以通过配置防止会话固定攻击(session fixation)和会话超时(session timeout)等问题。 4. **过滤器链**:SpringSecurity的核心是Filter Security Interceptor(FSI)过滤器链,它在每个HTTP请求中检查安全性...
此外,SpringSecurity还提供了会话管理功能,包括会话固定保护(Session Fixation Protection)和会话超时(Session Timeout)等,以防止会话劫持和会话固定攻击。它还集成了Remember Me服务,允许用户在一定时间内...
3. 会话管理:Spring Security可以管理和监控用户会话,防止会话固定攻击(Session Fixation)和会话劫持(Session Hijacking),同时支持会话超时和跨站请求伪造(CSRF)防护。 三、Spring Security 3.1特性 1. ...
7. **会话管理**:Spring Security提供了会话管理功能,包括会话固定攻击防护(Session Fixation Protection)、会话超时(Session Timeout)和并发会话控制(Concurrent Session Control)。 8. **记住我功能**:...
5. **安全性会话管理**:Spring Security可以管理用户的会话,防止会话固定攻击(session fixation)和会话超时等安全问题。 **二、Spring Security配置** 1. **XML配置**:在传统的Spring项目中,我们通常通过XML...
- **防止Session Fixation攻击**:通过在用户登录后重新生成Session ID来防止此类攻击,确保即使Session被恶意复制,攻击者也无法继续使用。 ### 方法安全控制 Spring Security不仅限于Web层的安全控制,还提供了...
5. **会话管理(Session Management)**:Spring Security可以控制会话的创建、销毁以及会话固定攻击(Session Fixation)防护。默认情况下,Spring Security会自动处理会话管理。 6. **密码加密(Password ...
Spring Security提供了一套全面的会话管理机制,防止会话固定攻击(Session Fixation)和会话劫持(Session Hijacking)。它可以监控和控制会话创建、超时、复制和销毁。例如,SessionManagementConfigurer可以配置...
10. **Session Management**:Spring Security提供了丰富的会话管理策略,可以防止会话固定攻击(session fixation)、超时管理以及会话并发控制。 在实际开发中,我们可以通过XML或Java配置来集成Spring Security...
5. **会话管理(Session Management)**:SpringSecurity可以控制会话的创建、生命周期和并发控制,防止会话固定攻击(Session Fixation)和会话劫持(Session Hijacking)。 6. **CSRF防护(Cross-Site Request ...
4. **会话管理**:Spring Security提供了会话管理功能,可以防止会话固定攻击(Session Fixation),并能控制单个用户的最大并发会话数量。 5. **CSRF保护**:Spring Security默认开启CSRF防护,通过生成并验证CSRF...
4. **会话管理**:处理会话相关的安全问题,如会话固定攻击(Session Fixation)和会话超时。 5. **加密工具**:提供密码哈希、随机数生成等加密功能,确保密码安全存储。 **Spring Security 配置** Spring ...
- 管理会话,包括会话固定化(Session Fixation)防护和会话超时。 - 提供Remember Me服务,使得用户在一段时间内无需重新登录。 2.2. Hap框架中的使用 在HAP框架中,Spring Security通常通过以下方式集成: - 在...
Spring Security内置了多种防御机制,如CSRF(跨站请求伪造)防护、XSS(跨站脚本攻击)过滤,以及Session Fixation防护等,增强了应用程序的安全性。开发者可以通过简单配置就能启用这些防护措施,无需编写额外的...