Fix #26402: add session fixation protection for SAML

openanalytics · Nov 3, 2021 · 225b53f · 225b53f
1 parent 611cafb
commit 225b53f
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java
@@ -69,6 +69,7 @@
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
+import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import javax.inject.Inject;
@@ -324,6 +325,7 @@ public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
 		samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager);
 		samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
 		samlWebSSOProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
+		samlWebSSOProcessingFilter.setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
 		return samlWebSSOProcessingFilter;
 	}