Prevent unauthorized http requests redirected to /error from setting session cookie - spring boot - spring security
Context
I'm having some trouble with my application. We're using Spring Boot 2.4.10 and Spring Security 5.4.8. We use cookies to interact with the app.
We have a frontend application stored in src/main/resources that, among other things, connects to a websocket endpoint exposed in /api/v1/notification.
My configuration
application.properties file:
# cookie-related settings
server.servlet.session.cookie.name=mySessionCookie
server.servlet.session.cookie.path=/
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final String[] authorizedWithoutAuth = {
"/",
"/index.html",
"/static/**"
};
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers(authorizedWithoutAuth).permitAll()
.anyRequest().authenticated()
.and()
.csrf().disable()
.and()
.logout().logoutUrl("/api/v1/logout").invalidateHttpSession(true)
.deleteCookies("mySessionCookie");
}
}
The problem
While no user is logged in, the frontend tries to reach periodically the websocket endpoint to open a connection.
The first api/v1/notification ends redirected to the /error endpoint, which returns an HttpServletResponse with a 'Set-Cookie' header (I think this may be an anonymous cookie set in the first request?) and a 401 status. I cannot change this behaviour.
The following requests to api/v1/notification use this cookie in the header (while user is not logged in). These requests are also redirected to the /error endpoint, which returns each time an HttpServletResponse with 401 status but here, no 'Set-Cookie' header is included.
Once the user logs in with Authorization headers, a correct cookie is set by the response and used in the following requests.
The thing is, sometimes the set cookie suddenly changes again to an invalid one, and the following requests, done with this new invalid cookie, turn into a redirection to the login page.
After checking the code, it seems there is an old api/v1/notification request (previous to the login request) taking place, with an invalid cookie (the anonymous one, present before login).
This request is redirected to the /error endpoint: here, once again the HttpServletResponse has 401 status and is containing a Set-Cookie header that is modifying the browser cookie (replacing the good one).
Following is a scheme of the problem, to hopefully make it easier to understand.
Expected behaviour
I would like to prevent an unauthorized request from setting the session cookie.
It's ok if a previous request responds with a 401 code, but I don't want it to change the current set cookie.
I tried...
I tried extending the
ErrorControllerby returning aResponseEntitywith all the headers present in the inputHttpServletResponseexcept for the 'Set-Cookie' header. This doesn't work.I also tried modifying my configuration to disable anonymous requests:
@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private final String[] authorizedWithoutAuth = { "/", "/index.html", "/static/**" }; @Override protected void configure(HttpSecurity http) throws Exception { http.httpBasic() .and() .anonymous().disable() .authorizeRequests() // .antMatchers(authorizedWithoutAuth).permitAll() I had to remove these from here, and include them in the method below .anyRequest().authenticated() .and() .csrf().disable() .and() .logout().logoutUrl("/api/v1/logout").invalidateHttpSession(true) .deleteCookies("mySessionCookie"); } @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers(authorizedWithoutAuth); } }but the session cookie is still set this way too, with 401 requests.
I also tried using
@ControllerAdviceto handle the exceptions, but these are thrown by Spring Security in theAbstractSecurityInterceptor, as learnt in this response.
Thak you all for your time. Sorry for the post length :)
I started digging in Spring Security libraries, and noticed the session cookie was being set in HttpSessionRequestCache.saveRequest(...) method:
public void saveRequest(HttpServletRequest request, HttpServletResponse response) {
if (!this.requestMatcher.matches(request)) {
if (this.logger.isTraceEnabled()) {
this.logger.trace(LogMessage.format("Did not save request since it did not match [%s]", this.requestMatcher));
}
} else {
DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, this.portResolver);
if (!this.createSessionAllowed && request.getSession(false) == null) {
this.logger.trace("Did not save request since there's no session and createSessionAllowed is false");
} else {
request.getSession().setAttribute(this.sessionAttrName, savedRequest);
if (this.logger.isDebugEnabled()) {
this.logger.debug(LogMessage.format("Saved request %s to session", savedRequest.getRedirectUrl()));
}
}
}
}
The 'Set-Cookie' header appears when creating the DefaultSavedRequest object.
I changed my WebSecurityConfig to the following:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
...
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.requestCache().requestCache(getHttpSessionRequestCache()) // This is new
.and()
.authorizeRequests().antMatchers(authorizedWithoutAuth).permitAll()
.anyRequest().authenticated()
.and()
.csrf().disable()
.and()
.logout().logoutUrl("/api/v1/logout").invalidateHttpSession(true)
.deleteCookies("mySessionCookie");
}
public HttpSessionRequestCache getHttpSessionRequestCache()
{
HttpSessionRequestCache httpSessionRequestCache = new HttpSessionRequestCache();
httpSessionRequestCache.setCreateSessionAllowed(false); // I modified this parameter
return httpSessionRequestCache;
}
}
and now it works. When logging in with Authorization headers, the cookie is being set correctly, but all the requests with an invalid session cookie or an expired one return a 401 response without setting a new one.
Also, after reading this answer, I understood better what this createSessionAllowed was doing
- Keep numbers which appear in both columns, in J lang
- Differentiation in J
- How to reshape an array with an arbitrary size in one dimension?
- Why is Insert (fold) right associative
- Write 4 : 'x&{.&.;: y' tacitly
- Alignment issue when printing formatted prime numbers in J language
- How can I define a verb in J that applies a different verb alternately to each atom in a list?
- How to get user input in the J programming language
- How to unbox a list of boxed lists of differing lengths in J?
- How can I fix 'noun result was required' error in J?
- In j, how can I define a verb locally in one scope and pass it to a defined adverb?
- Convert boxed array to normal array?
- Read column of CSV file as array
- Replace atom in array of strings
- What does the dyad `=` do to boxed strings?
- Index of minimum element using J
- How can I take the outer product of string vectors in J?
- Building an array of verbs in J
- Reading in multidigit command line parameter
- Amend with bond to new data shows unexpected behaviour
- How to turn a table or matrix into a (flat) list in J
- How to run dissect in J?
- How to define selection using index function in J
- How to exit the J console?
- Find 4-neighbors using J
- Writing custom verbs in J
- How do I negate a selector in J lang?
- How to use arbitrary selector in interchange in J lang?
- different result once square root is added inside tacit
- Sum of arrays with repeated indices