我使用
Wicket与Wicket Auth项目为我的表示层,因此与Spring Security集成。这是Wicket为我进行身份验证的方法:
@Override
public boolean authenticate(String username, String password) {
try {
Authentication request = new UsernamePasswordAuthenticationToken(
username, password);
Authentication result = authenticationManager.authenticate(request);
SecurityContextHolder.getContext().setAuthentication(result);
} catch (AuthenticationException e) {
return false;
}
return true;
}
我的Spring Security XML配置的内容(内部)是:
Session fixation attacks are a potential risk where it is possible
for a malicious attacker to create a
session by accessing a site, then
persuade another user to log in with
the same session (by sending them a
link containing the session identifier
as a parameter, for example). Spring
Security protects against this
automatically by creating a new
session when a user logs in. If you
don’t require this protection, or it
conflicts with some other requirement,
you can control the behaviour using
the session-fixation-protection
attribute on , which has three
options:
migrateSession – creates a new session and copies the existing
session attributes to the new session. This is the default.
none – Don’t do anything. The original session will be retained.
newSession – Create a new “clean” session, without copying the
existing session data.
认证工作,但我是我相当新的Spring安全我有一些问题,我需要答案:
>通常为了登录,我将POST认证信息到j_spring_security_check,并让Spring Security执行实际的认证代码。我想有保护免受会话固定攻击,我会得到它当我执行程序化登录,因为我吗?如果没有,我该怎么办呢?
>如何执行程序性注销?
>由于我将使用编程登录和注销,如何禁用Spring拦截那些URL?
更新:
对于会话固定攻击保护,似乎我需要调用具有签名startNewSessionIfRequired(HttpServletRequest请求,布尔值migrateAttributes,SessionRegistry会话注册表)的SessionUtils类中的方法。
如何获取我需要传入的SessionRegistry实例?我找不到任何方法为它创建别名ID,或如何获取它的ID或名称。