How to get a reference to the SessionAuthenticationStrategy without explicitly setting up a strategy?

In Spring Security 3.2, I have an explicitly configured UsernamePasswordAuthenticationFilter that needs a reference to the sessionAuthenticationStrategy (to call .onAuthentication). *

The sessionAuthenticationStrategy is the default one created by <security:http> (HttpSecurityBeanDefinitionParser).

My question is: how can I get a reference to the sessionAuthenticationStrategy without explicitly setting up a full sessionAuthenticationStrategy, so that I can add this reference to the XML configuration?

```xml
<security:http auto-config="false" use-expressions="true"
               entry-point-ref="loginUrlAuthenticationEntryPoint"
               access-decision-manager-ref="httpAccessDecisionManager">
    ...
    <security:custom-filter ref="usernamePasswordAuthenticationFilter" position="FORM_LOGIN_FILTER"/>
    ...
</security:http>
...
<bean id="usernamePasswordAuthenticationFilter"
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="sessionAuthenticationStrategy" ref="????"/> <!-- ?? -->
    ...
</bean>
```

* My real UsernamePasswordAuthenticationFilter is a custom subclass, but this should not matter for this question.

+6
4 answers

I am afraid that there is no obvious way to get it.

But all the examples from the Spring Security reference guide are consistent with this: you don’t even want to get it. All of them show an explicit SessionAuthenticationStrategy injected into the UsernamePasswordAuthenticationFilter and, if necessary, into the SessionManagementFilter.

According to the javadocs of these two classes, the default SessionAuthenticationStrategy is:

  • SessionFixationProtectionStrategy for Servlet <3.1
  • ChangeSessionIdAuthenticationStrategy for Servlet 3.1 +

So the right way is to create a bean of a SessionAuthenticationStrategy implementation, either one of the defaults above or another one if you have special needs, and use it wherever you need it.

Of course, you can always use reflection to access the private members of the Spring Security implementation classes, but you know that this is bad and could break in the next version of Spring Security.

+3
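The explicit wiring recommended in this answer, written out as an added example (it is not code from the question or from the Spring Security reference guide). The bean ids, the in-memory user and the omission of the question's access-decision-manager-ref are assumptions made for the example; loginUrlAuthenticationEntryPoint is the entry point bean the question already references and is assumed to be defined elsewhere.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.2.xsd">

  <!-- Session-fixation defence: a fresh session id is issued when the user authenticates.
       ChangeSessionIdAuthenticationStrategy needs Servlet 3.1; on an older container use
       org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
       (with migrateSessionAttributes="true") instead. -->
  <bean id="sessionFixationStrategy"
        class="org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy"/>

  <!-- The namespace-generated composite also rotates the CSRF token on login. Once the strategy
       is declared explicitly, that part has to be wired by hand, against the same token
       repository that <security:csrf> uses. -->
  <bean id="csrfTokenRepository"
        class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"/>
  <bean id="csrfAuthenticationStrategy"
        class="org.springframework.security.web.csrf.CsrfAuthenticationStrategy">
    <constructor-arg ref="csrfTokenRepository"/>
  </bean>

  <!-- The one strategy bean that both the login filter and session management refer to -->
  <bean id="sessionAuthenticationStrategy"
        class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
    <constructor-arg>
      <list>
        <ref bean="sessionFixationStrategy"/>
        <ref bean="csrfAuthenticationStrategy"/>
      </list>
    </constructor-arg>
  </bean>

  <security:http auto-config="false" use-expressions="true"
                 entry-point-ref="loginUrlAuthenticationEntryPoint">
    <security:csrf token-repository-ref="csrfTokenRepository"/>
    <!-- Hands our strategy to the SessionManagementFilter instead of the generated one.
         Do not combine this attribute with session-fixation-protection="..." on the same
         element; the namespace parser reports a configuration error for that. -->
    <security:session-management
        session-authentication-strategy-ref="sessionAuthenticationStrategy"/>
    <security:custom-filter ref="usernamePasswordAuthenticationFilter" position="FORM_LOGIN_FILTER"/>
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
  </security:http>

  <bean id="usernamePasswordAuthenticationFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <!-- Same bean as above, so login and session management agree on what happens to the session -->
    <property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy"/>
  </bean>

  <!-- Constructed sample user so the context starts on its own; not for real deployments -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
      <security:user-service>
        <security:user name="alice" password="changeme" authorities="ROLE_USER"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>
```

The point of the explicit bean is that there is exactly one place deciding what happens to the HTTP session at login (new session id, CSRF token rotation), and every consumer references it by a stable id rather than by a generated name such as the `#0` suffix.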

I looked at the HttpSecurityBeanDefinitionParser (and HttpConfigurationBuilder.createSessionManagementFilters() ), which is the class responsible for parsing the security:http tag and creating the SessionAuthenticationStrategy bean.

Therefore, I know that Spring Security 3.2.5.RELEASE creates (in my configuration) a CompositeSessionAuthenticationStrategy bean and uses this as a session strategy. This bean will get the default name: org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy#0

So my current workaround is to reference this bean by its generated name:

```xml
<bean id="usernamePasswordAuthenticationFilter"
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="sessionAuthenticationStrategy">
        <ref bean="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy#0"/>
    </property>
    ...
</bean>
```

This workaround has some serious limitations:

  • when a newer version of Spring Security works differently (creates a different bean), it will fail.
  • when another CompositeSessionAuthenticationStrategy bean is created with a name generated by ReaderContext.generateBeanName, this approach may fail because #0 can become #1 (it depends on the order in which the beans are created).
+3

When working with JavaConfig (I'm afraid this is not your case), you can get the reference by doing:

```java
http.getConfigurer(SessionManagementConfigurer.class).init(http);
http.getSharedObject(SessionAuthenticationStrategy.class);
```
+2

Following Ralph's answer, you can use a FactoryBean to get a reference to the SessionAuthenticationStrategy.

```java
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.BeanFactoryAware;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

public class SessionAuthenticationStrategyFactoryBean
        implements BeanFactoryAware, FactoryBean<SessionAuthenticationStrategy> {

    private BeanFactory beanFactory;

    @Override
    public void setBeanFactory(BeanFactory beanFactory) throws BeansException {
        this.beanFactory = beanFactory;
    }

    @Override
    public SessionAuthenticationStrategy getObject() throws Exception {
        // Look the namespace-generated strategy up by type instead of by its generated "#0" name
        final CompositeSessionAuthenticationStrategy sas =
                beanFactory.getBean(CompositeSessionAuthenticationStrategy.class);
        return sas;
    }

    @Override
    public Class<?> getObjectType() {
        return SessionAuthenticationStrategy.class;
    }

    @Override
    public boolean isSingleton() {
        return true;
    }
}
```

... and make it available to you in the XML configuration:

```xml
<bean id="sas" class="com.example.SessionAuthenticationStrategyFactoryBean"/>

<bean id="usernamePasswordAuthenticationFilter"
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="sessionAuthenticationStrategy" ref="sas"/>
    ...
</bean>
```
+1

Source: https://habr.com/ru/post/976880/
