Spring Security with CAS skips session fixation protection

Question

I have an application which uses spring security and CAS (spring 3.0.5, cas 3.4.5) but when I log in the session id isn't changing.

When I log in the CasAuthenticationFilter performs authentication and if the auth is successful it doesn't continue the filter chain, instead it sets the authentication on the SecurityContextHolder and calls the successHandler. This redirects to the original URL I requested which required authentication. The SessionManagementFilter never gets a crack calling the session strategy to create a new session.

It appears that the AbstractAuthenticationFilter that CasAuthenticationFilter extends has its own session strategy but the default is NullAuthenticatedSessionStrategy which is vulnerable to session fixation. Question is why is the default strategy vulnerable, when spring claims to prevent session fixation by default?

What is the best resolution to fix this?

Answer 1

The session-fixation strategy is only automatically set when you are using the namespace. If you are using an explicit filter then you can just inject a SessionFixationProtectionStrategy into the filter yourself. Alternatively, if there's an obvious post-authentication starting point in your application, you can just recreate the session there.

The session fixation version probably isn't set by default for historical reasons, since the filters predate the introduction of the session authentication strategy and changes are usually introduced in a conservative fashion. You could open a change request to suggest that it might be better on by default.