Superfluous re-authenticate changes session ID uncoditionally on second request

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 7.6.4
Fix Version/s: 7.6.6, 8.1.6
Component/s: Security and SSL
Labels:
None

Number of attachments :
1

Description

There seems to be a bug in renewSessionOnAuthentication when using BASIC authentication, which is confusing our web applications.

What happens is:

1) First request -> user is required to authenticate -> serves HTML page.
2) HTML page pulls in additional resources, but the first one of them arriving triggers renewSessionOnAuthentication() code which changes the session ID, and invalidates the second request.

The offending code seems to be in :

LoginAuthenticator.renewSessionOnAuthentication(HttpServletRequest request, HttpServletResponse response)
{
  if (_renewSession && httpSession!=null && httpSession.getAttribute(SESSION_SECURED)==null)
    ...
               httpSession.invalidate();
               httpSession = request.getSession(true);
               httpSession.setAttribute(SESSION_SECURED,Boolean.TRUE);
    ...
}

If I read this correctly and interpret what we see, then it seems that even though a session has been authenticated already, but the SESSION_SECURED attribute is not yet set (it is only set in this code ?), the session will be invalidated and only then this attribute is set.

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

jetty-auth-bug.tar.gz

05/Jul/12 2:56 AM

199 kB

Koen Deforche

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Jan Bartel added a comment - 02/Jul/12 11:01 AM

Koen,

The easy workaround for you is to call SessionHandler.setSessionRenewedOnAuthentication(false) for that webapp. Depending on how you set up jetty, either do it in code or in a context xml file.

Meanwhile, I will look into changing our impl to avoid the problem. The only way I can see this happening is if you do not have a session already at the time the 1st request is authenticated. Do you have a small webapp I can use as a test harness?

thanks
Jan

Show

Jan Bartel added a comment - 02/Jul/12 11:01 AM Koen, The easy workaround for you is to call SessionHandler.setSessionRenewedOnAuthentication(false) for that webapp. Depending on how you set up jetty, either do it in code or in a context xml file. Meanwhile, I will look into changing our impl to avoid the problem. The only way I can see this happening is if you do not have a session already at the time the 1st request is authenticated. Do you have a small webapp I can use as a test harness? thanks Jan

Hide

Permalink

Koen Deforche added a comment - 05/Jul/12 2:56 AM

Hey Jan,

Thanks for the workaround, that works indeed.

Your comment made me realize that this is probably because we are deploying with cookies for session tracking disabled. In this way, the first request might create a session but the redirect to the login page does not retain this ?

I've attached a test case. To reproduce, open /protected/hello.jsp, login using guest/guest. Occasionally (press reload if necessary) you will get a broken image and an error like this:

2012-07-05 09:53:15.039:WARN::/protected/wt_powered.jpg;jsessionid=1q61mq23ranll1ii7ivsynow6j
java.lang.IllegalStateException
at org.eclipse.jetty.server.session.AbstractSessionManager$Session.getAttributeNames(AbstractSessionManager.java:888)
at org.eclipse.jetty.security.authentication.LoginAuthenticator.renewSessionOnAuthentication(LoginAuthenticator.java:71)
at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:80)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:439)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:937)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:871)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110)
at org.eclipse.jetty.server.Server.handle(Server.java:346)
at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:589)
at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1048)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:601)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:214)
at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:411)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:535)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:40)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:529)
at java.lang.Thread.run(Thread.java:662)

The priority of this problem is probably even less than minor now, since we realize it is triggered by the URL-encoding of the session ID (I suspect?), and because with servlet-based authentication, the URL-encoding for the session ID becomes undesired since it appears in the URL. Until now the application was a single-page web app which did not suffer from this.

Regards,
koen

Show

Koen Deforche added a comment - 05/Jul/12 2:56 AM Hey Jan, Thanks for the workaround, that works indeed. Your comment made me realize that this is probably because we are deploying with cookies for session tracking disabled. In this way, the first request might create a session but the redirect to the login page does not retain this ? I've attached a test case. To reproduce, open /protected/hello.jsp, login using guest/guest. Occasionally (press reload if necessary) you will get a broken image and an error like this: 2012-07-05 09:53:15.039:WARN::/protected/wt_powered.jpg;jsessionid=1q61mq23ranll1ii7ivsynow6j java.lang.IllegalStateException at org.eclipse.jetty.server.session.AbstractSessionManager$Session.getAttributeNames(AbstractSessionManager.java:888) at org.eclipse.jetty.security.authentication.LoginAuthenticator.renewSessionOnAuthentication(LoginAuthenticator.java:71) at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:80) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:439) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:937) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:871) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110) at org.eclipse.jetty.server.Server.handle(Server.java:346) at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:589) at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1048) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:601) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:214) at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:411) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:535) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:40) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:529) at java.lang.Thread.run(Thread.java:662) The priority of this problem is probably even less than minor now, since we realize it is triggered by the URL-encoding of the session ID (I suspect?), and because with servlet-based authentication, the URL-encoding for the session ID becomes undesired since it appears in the URL. Until now the application was a single-page web app which did not suffer from this. Regards, koen

Hide

Permalink

Koen Deforche added a comment - 05/Jul/12 2:56 AM

Test case to reproduce

Show

Koen Deforche added a comment - 05/Jul/12 2:56 AM Test case to reproduce

Hide

Permalink

Jan Bartel added a comment - 26/Jul/12 1:27 AM

Hi Koen,

Thanks for the test case. I will be making a couple changes in jetty, however they won't really help you with this type of webapp setup (ie basic auth coupled with all resources behind protected urls). In your case, the 1st request for the hello.jsp will trigger the basic auth mechanism and create the session. When the html page is returned to the browser after authentication succeeds, it contains a link to 2 static resources. The browser can request these 2 resources in any order it likes, even concurrently. Thus, with SessionHandler.setSessionRenewedOnAuthentication(true), depending on whichever one is serviced first, it will change the sessionid, and thus the second request is likely to see an exception that the sessionids don't match. Note that this is regardless of whether you're using url rewriting or cookies.

If you want all resources to be behind protected urls, then I recommend that you use FORM authentication instead, as the authentication only happens once, and thus the session id change will only happen once.

For those that are interested, the change I'll be making is a small fix to ensure that if no existing session exists at the time of authentication, but is subsequently created before the request is finished being handled (eg the jsp engine creates the session while generating the page), it will be marked by jetty as being a secure session - ie one whose id has never been seen by a client - and thus does not need changing. Without this fix, a session created after authentication would cause a subsequent (re)-authentication to unnecessarily change the id. This primarily affects BASIC authentication, as it is performed on every request.

thanks
Jan

Show

Jan Bartel added a comment - 26/Jul/12 1:27 AM Hi Koen, Thanks for the test case. I will be making a couple changes in jetty, however they won't really help you with this type of webapp setup (ie basic auth coupled with all resources behind protected urls). In your case, the 1st request for the hello.jsp will trigger the basic auth mechanism and create the session. When the html page is returned to the browser after authentication succeeds, it contains a link to 2 static resources. The browser can request these 2 resources in any order it likes, even concurrently. Thus, with SessionHandler.setSessionRenewedOnAuthentication(true), depending on whichever one is serviced first, it will change the sessionid, and thus the second request is likely to see an exception that the sessionids don't match. Note that this is regardless of whether you're using url rewriting or cookies. If you want all resources to be behind protected urls, then I recommend that you use FORM authentication instead, as the authentication only happens once, and thus the session id change will only happen once. For those that are interested, the change I'll be making is a small fix to ensure that if no existing session exists at the time of authentication, but is subsequently created before the request is finished being handled (eg the jsp engine creates the session while generating the page), it will be marked by jetty as being a secure session - ie one whose id has never been seen by a client - and thus does not need changing. Without this fix, a session created after authentication would cause a subsequent (re)-authentication to unnecessarily change the id. This primarily affects BASIC authentication, as it is performed on every request. thanks Jan

Hide

Permalink

Jan Bartel added a comment - 27/Jul/12 12:34 AM

Change previously mentioned committed for jetty-7.6.6/8.1.6

Show

Jan Bartel added a comment - 27/Jul/12 12:34 AM Change previously mentioned committed for jetty-7.6.6/8.1.6

Hide

Permalink

Michael Pujos added a comment - 08/Aug/12 12:15 PM - edited

@Jan Bartel

I use a servlet from gwt-comet that requires SessionHandler.setSessionRenewedOnAuthentication(false) to work, when authentication is enabled. Otherwise it is confused by the new HttpSession created by renewSessionOnAuthentication().

Can you explain the implication of setting SessionHandler.setSessionRenewedOnAuthentication(false) on security ?
Is it a good idea to setting it to false ?

Show

Michael Pujos added a comment - 08/Aug/12 12:15 PM - edited @Jan Bartel I use a servlet from gwt-comet that requires SessionHandler.setSessionRenewedOnAuthentication(false) to work, when authentication is enabled. Otherwise it is confused by the new HttpSession created by renewSessionOnAuthentication(). Can you explain the implication of setting SessionHandler.setSessionRenewedOnAuthentication(false) on security ? Is it a good idea to setting it to false ?

People

Assignee:

Jan Bartel

Reporter:

Koen Deforche

Vote (0)

Watch (3)

Dates

Created:

28/Jun/12 3:18 PM

Updated:

08/Aug/12 12:16 PM

Resolved:

27/Jul/12 12:34 AM