Prevent session cookie conflicts on localhost

When using this as an embedded Docker container, if the calling application has set a session cookie it is possible that it is overwritten during the authorization process.
Andreas Svanberg 2025-03-26 18:33:36 +01:00
parent 0f03bbca52
commit 220a8a454d
Signed by: ansv7779
GPG Key ID: 729B051CFFD42F92
2 changed files with 13 additions and 0 deletions
src/main/java/se/su/dsv/oauth2

@ -24,6 +24,7 @@ import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import se.su.dsv.oauth2.shibboleth.Entitlement;
import se.su.dsv.oauth2.shibboleth.ShibbolethAuthenticationDetailsSource;
@ -153,6 +154,11 @@ public class AuthorizationServer extends SpringBootServletInitializer {
// Using a custom authentication details source to extract the Shibboleth attributes
// and convert them to the relevant Spring Security objects.
object.setAuthenticationDetailsSource(new ShibbolethAuthenticationDetailsSource());
// Prevent session creation
// It can cause conflicts when running on the same host as an embedded docker container
// as it overwrites the session cookie (it does not factor in port)
object.setSecurityContextRepository(new RequestAttributeSecurityContextRepository());
return object;
}
};
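Review bot: Setting RequestAttributeSecurityContextRepository on the pre-authentication filter only stops this filter from saving the security context to the HTTP session; nothing visible in this hunk stops other parts of the chain (the request cache behind LoginUrlAuthenticationEntryPoint, session management, or a session-backed CSRF token repository) from creating a session, in which case the cookie overwrite the commit describes would return. If the intent is a fully stateless chain, that presumably also needs `SessionCreationPolicy.STATELESS` on the HttpSecurity builder, which is outside this hunk, so confirm there. The comment on the new line would also be clearer about the consequence it introduces: `// Context lives in a request attribute only, so nothing is persisted between requests; every request is re-authenticated from the Shibboleth-supplied attributes.` The identical block and comment are duplicated in the ShibbolethConfigurer hunk of the second file, so the same remarks apply there.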

@ -7,6 +7,7 @@ import org.springframework.security.web.authentication.preauth.PreAuthenticatedA
import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService;
import org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
public class ShibbolethConfigurer extends AbstractHttpConfigurer<ShibbolethConfigurer, HttpSecurity> {
@Override
@ -24,6 +25,12 @@ public class ShibbolethConfigurer extends AbstractHttpConfigurer<ShibbolethConfi
filter.setAuthenticationDetailsSource(new ShibbolethAuthenticationDetailsSource());
filter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
// Do not create a session.
// 1) it is not necessary
// 2) it can cause conflicts when running on the same host as an embedded docker container
// as it overwrites the session cookie (it does not factor in port)
filter.setSecurityContextRepository(new RequestAttributeSecurityContextRepository());
// The default filter order is X509 followed by J2EE (pre-authentication which is what Shibboleth does).
// Spring Authorization server then puts the OAuth 2.0 authorization filter before J2EE, and it requires
// the user to be authenticated. Then there is also the custom authorization endpoint used in staging