From 225b53fa5eac4b2e381a6ee001c2565130622374 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck
Date: Wed, 3 Nov 2021 11:10:15 +0100
Subject: [PATCH] Fix #26402: add session fixation protection for SAML

---
 .../containerproxy/auth/impl/saml/SAMLConfiguration.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java
index cdc0dfa1..f04fac1a 100644
--- a/src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java
+++ b/src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java
@@ -69,6 +69,7 @@
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
+import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import javax.inject.Inject;
@@ -324,6 +325,7 @@ public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
 samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager);
 samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
 samlWebSSOProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
+ samlWebSSOProcessingFilter.setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
 return samlWebSSOProcessingFilter;
 }
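Review bot: The added setSessionAuthenticationStrategy call hard-wires a fresh ChangeSessionIdAuthenticationStrategy onto the SAML processing filter, which closes the fixation gap but also means any other session controls the application may configure through HttpSecurity's sessionManagement() (concurrent-session limits, a SessionRegistry) would still bypass SAML logins; if such controls are in use, injecting the SessionAuthenticationStrategy shared object from HttpSecurity instead of instantiating one here keeps both login paths aligned. Either way the line deserves a why-comment, since the filter is built as a bean outside the HttpSecurity DSL and a later reader may assume the global fixation setting already covers it: `// SAMLProcessingFilter is wired outside the HttpSecurity DSL, so sessionManagement()'s fixation protection does not reach it; rotate the session id explicitly on SAML login`. Note that ChangeSessionIdAuthenticationStrategy only rotates a session that already exists when the SAML response is processed, which is the case that matters, because a login with no prior session cannot be carrying an attacker-chosen id. samlWebSSOProcessingFilter() starts before this hunk (its signature appears only in the hunk header), and the import that makes the class visible is the change in the first hunk.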