Thursday, 26 December 2019

SpringSecurity SessionManagementConfigurer Class

Introduction
There are 5 kinds of session management methods. They are as follows.
- Long-lived access token.
- Short- to medium-term access token used to get a new access token.
- Short- to medium-term access token whose usage extends its expiry.
- Short-lived access token.
- Short-lived access token with a long-lived refresh token.
invalidSessionUrl method
We do it like this.
http
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
    // redirect target when the request carries a session id that is no longer valid (e.g. timed out)
    .invalidSessionUrl("/login?invalidSession")
    .maximumSessions(1)
    .maxSessionsPreventsLogin(true)
    // redirect target when concurrency control has expired this session
    .expiredUrl("/login?expired")
    .sessionRegistry(sessionRegistry()); // sessionRegistry() is a SessionRegistry bean method defined elsewhere
maximumSessions method
We do it like this.
httpSecurity.sessionManagement().maximumSessions(1)
                                .maxSessionsPreventsLogin(true);
maxSessionsPreventsLogin method
We do it like this.
http
  .sessionManagement()
    .maximumSessions(1)
    // true: a new login is rejected once the limit is reached; false (default): the oldest session is expired instead
    .maxSessionsPreventsLogin(true)
    .sessionRegistry(sessionRegistry);
setSessionCreationPolicy method
The value assigned to this field determines the lifecycle of the "SecurityContext" object. The policy can take values such as ALWAYS, NEVER, STATELESS.
The explanation is as follows
We can control exactly when our session gets created and how Spring Security will interact with it:

always – a session will always be created if one doesn't already exist
ifRequired – a session will be created only if required (default)
never – the framework will never create a session itself but it will use one if it already exists
stateless – no session will be created or used by Spring Security
If STATEFUL
The ALWAYS option is used

If STATELESS
The STATELESS option is used

If STATELESS is used, the authentication information must be sent with every request.
- STATELESS cannot be used for form authentication.
- STATELESS can be used for Basic Authentication.
- STATELESS can be used for Digest Authentication.
- STATELESS can be used for JWT.
If we choose STATELESS, cookies are no longer used. The explanation is as follows
Finally, the strictest session creation option – “stateless” – is a guarantee that the application will not create any session at all.

This was introduced in Spring 3.1 and will effectively skip parts of the Spring Security filter chain – mainly the session related parts such as HttpSessionSecurityContextRepository, SessionManagementFilter, RequestCacheFilter.

These more strict control mechanisms have the direct implication that cookies are not used and so each and every request needs to be re-authenticated. This stateless architecture plays well with REST APIs and their Statelessness constraint. They also work well with authentication mechanisms such as Basic and Digest Authentication.
Because the SecurityContextPersistenceFilter class uses NullSecurityContextRepository, the security context is no longer saved to the HTTP session after authentication and no session cookie is issued. The explanation is as follows
Before executing the Authentication process, Spring Security will run a filter responsible with storing the Security Context between requests – the SecurityContextPersistenceFilter. The context will be stored according to a strategy – HttpSessionSecurityContextRepository by default – which uses the HTTP Session as storage.

For the strict create-session=”stateless” attribute, this strategy will be replaced with another – NullSecurityContextRepository – and no session will be created or used to keep the context.
Example - ALWAYS
We do it like this.
HttpSecurity http = ...;
http.sessionManagement()
      .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
      // allows ;jsessionid=... URL rewriting; off by default because session ids in URLs leak into logs and Referer headers
      .enableSessionUrlRewriting(true);
Example - NEVER
We do it like this.
@Override
public void configure(HttpSecurity http) throws Exception {
  http
    .csrf()
      .disable()
    .sessionManagement()
      // never create a session, but use one if the container already has it
      .sessionCreationPolicy(SessionCreationPolicy.NEVER)
    .and()
    .authorizeRequests()
      .antMatchers("/v2/api-docs").permitAll()
      .antMatchers("/swagger-ui.html").permitAll()
      .antMatchers("/swagger-resources").permitAll()
      .antMatchers("/images").permitAll()
      .antMatchers(HttpMethod.OPTIONS, "/**").permitAll(); // CORS preflight requests
}
Example - STATELESS
We do it like this.
http.sessionManagement()
  .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
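An added example (not from the original post) of the STATELESS policy described above, applied to an HTTP Basic REST API, with a MockMvc test that checks no HttpSession is left behind after an authenticated request. The endpoint /api/ping and the user "user"/"password" (e.g. set via spring.security.user.name and spring.security.user.password) are assumed to exist.

```java
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

// Hypothetical config (belongs in the application) for a Basic-authenticated REST API with no server-side state.
@Configuration
@EnableWebSecurity
public class StatelessApiSecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      // the default CSRF token repository keeps its token in the HttpSession;
      // a token-authenticated API that never renders the token has no use for it
      .csrf().disable()
      .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
      .and()
      .authorizeRequests().antMatchers("/api/**").authenticated()
      .and()
      .httpBasic(); // credentials travel with every request; nothing is cached server-side
  }
}

// Test (belongs in src/test): /api/ping and the user "user"/"password" are assumed to exist.
@SpringBootTest
@AutoConfigureMockMvc
class StatelessApiSecurityConfigTest {
  @Autowired MockMvc mvc;
  @Test
  void authenticatedRequestCreatesNoHttpSession() throws Exception {
    MvcResult result = mvc.perform(get("/api/ping").with(httpBasic("user", "password")))
        .andExpect(status().isOk())
        .andReturn();
    // getSession(false) is null only if no filter created a session during the request
    assertNull(result.getRequest().getSession(false));
  }
}
```

Switching the policy to ALWAYS makes the assertion fail, which is a quick regression check that a later change (for example re-enabling session-backed CSRF or remember-me) has not silently reintroduced server-side session state.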
sessionFixation method
Creates a new session id for every new login. This protects against Session Fixation attacks.
Example
We do it like this
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .sessionManagement()
        // NOTE: under STATELESS no session is created, so the fixation and concurrency
        // settings below only take effect with a session-creating policy (IF_REQUIRED or ALWAYS)
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        // new session id on login, attributes of the old session copied over
        .sessionFixation().migrateSession()
        // sessionIds().sessionConcurrency(1, 1) does not exist in Spring Security;
        // the concurrency limit is expressed with maximumSessions()
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true);
    // sessionIds().useSecureCookie(true) is not an API either; the Secure flag on the
    // session cookie is set with server.servlet.session.cookie.secure=true in Spring Boot
  }
}
The explanation is as follows
By default, Java generates session IDs that are based on a predictable algorithm. This can make it easier for attackers to hijack a user’s session. To prevent this, you can use a secure session ID generator that uses a random number generator and a cryptographically secure hash algorithm to generate session IDs.

In this example, we are using Spring Security to configure our session management settings. We are setting the session creation policy to STATELESS to prevent the server from creating a session for each user. We are also enabling session fixation protection by calling the migrateSession() method, which ensures that a new session ID is generated each time a user logs in. Finally, we are setting the useSecureCookie flag to true to ensure that session cookies are transmitted over a secure HTTPS connection.
sessionConcurrency method
Example
We do it like this
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .sessionManagement()
        // NOTE: STATELESS creates no session, so the settings below only take effect with IF_REQUIRED or ALWAYS
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .sessionFixation().migrateSession()
        // sessionIds().useSecureCookie(true) and sessionIds().sessionConcurrency(1, 1) are not Spring Security
        // APIs: the Secure cookie flag comes from server.servlet.session.cookie.secure=true, and the
        // concurrency limit is the maximumSessions() chain below
        .invalidSessionUrl("/login?expired=true")
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true)
        .expiredUrl("/login?expired=true");
  }
}
The explanation is as follows
In this example, we are using Spring Security to set a maximum session limit of one, which means that if a user logs in from a different device or browser, their original session will be invalidated. We are also setting the maxSessionsPreventsLogin flag to true, which means that if a user reaches their maximum session limit, they will be prevented from logging in from any other device or browser until they log out from their original session.

By using these secure session management techniques, you can help protect user sessions from attacks like session hijacking or session fixation. It’s important to choose a session management strategy that meets the specific needs of your application and to thoroughly test your session management implementation for vulnerabilities.
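An added example (not from the original post) that combines the sessionFixation and sessionConcurrency settings from the two sections above in one form-login configuration, together with the SessionRegistry and HttpSessionEventPublisher beans that concurrency control depends on. It assumes a Spring Boot application whose user store and login page come from the Boot defaults.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Hypothetical form-login application: fixation protection plus one session per user.
@Configuration
@EnableWebSecurity
public class ConcurrentSessionSecurityConfig extends WebSecurityConfigurerAdapter {

  // Tracks which session ids belong to which principal; consulted on every login.
  @Bean
  public SessionRegistry sessionRegistry() {
    return new SessionRegistryImpl();
  }

  // Forwards HttpSession destroyed events (logout, timeout) to the registry. Without it
  // the registry keeps stale entries and maxSessionsPreventsLogin(true) locks the user
  // out until the old slot is freed. Spring Boot registers the listener with the container.
  @Bean
  public HttpSessionEventPublisher httpSessionEventPublisher() {
    return new HttpSessionEventPublisher();
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .sessionManagement()
        // fixation and concurrency control only work when a session exists (not under STATELESS)
        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
        // new session id on login, pre-login attributes copied over, so a session id
        // handed out before authentication never becomes an authenticated one
        .sessionFixation().migrateSession()
        .maximumSessions(1)
          .maxSessionsPreventsLogin(true)  // refuse the second login instead of expiring the first
          .expiredUrl("/login?expired")
          .sessionRegistry(sessionRegistry())
        .and()
      .and()
      .authorizeRequests().anyRequest().authenticated()
      .and()
      .formLogin(); // default login page at /login; a POST to /logout invalidates the session
  }
}
```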
setSessionRegistry method
I moved this to the SessionRegistry post

