Using CaptainCasa with Spring Security 5.7
CaptainCasa

Hi,

when using CaptainCasa in the following way...

1. Session management by URL-rewriting (not by COOKIE)
2. Spring Security version 5.7

...then the access to e.g. "BufferedContent" is not working anymore. On server side you get a log message like:

Code:
 2022-12-21 15:47:18,431 INFO | Could not find any object in buffered content for bufferId: BUFFERED_1671634036281_89447575_394 
 


The same is true for using "TemFileManager"-content.

Reason: we use the HttpServletResponse.encodeURL(...) method, which should by definition append ";jsessionid=...." to the URL. Spring does not do this anymore, or better: this must be explicitly switched on...:

Please check: https://docs.spring.io/spring-security/reference/5.7/servlet/appendix/namespace/http.html#nsa-http-attributes
And set the parameter "disable-url-rewriting" to "false".

Some further comments on this:

1. CaptainCasa can run with either URL-based session management or by COOKIE-based session management. It's up to you to decide.

2. When running in URL-based session management then the "jsessionid" is rewritten into the URL. And this means it can be "hijacked". - But...: CaptainCasa always in parallel sends a cookie with a "check-id". So hijacking the jsessionid from the URL does not have any effect - the "check-id" of the cookie needs to be hijacked in addition, and this is part of the encrypted information (https), so no man-in-the-middle can catch.

More information on this is available in Developer's Guide, there is a chapter "Security considerations".

Kind regards! Björn

PS: and thanks to the one who not only found the problem but also knew the solution! ;-)

Björn Müller, CaptainCasa GmbH
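
The setting named in the post, shown in a Spring Security 5.7 XML namespace configuration. This is an added example, not part of the original post and not CaptainCasa's own configuration; the intercept rule and login element are placeholder assumptions, and only the "disable-url-rewriting" attribute comes from the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               https://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               https://www.springframework.org/schema/security/spring-security.xsd">

    <!--
      disable-url-rewriting defaults to "true": Spring Security wraps the
      response so that HttpServletResponse.encodeURL(...) returns the URL
      unchanged, without ";jsessionid=...". With URL-based session
      management, the follow-up request (e.g. for buffered content) then
      arrives without a session reference and the content is not found.

      Setting it to "false" lets encodeURL(...) append the session id again.
    -->
    <http disable-url-rewriting="false">
        <!-- Assumption: placeholder access rule, replace with your own. -->
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <!-- Assumption: placeholder authentication mechanism. -->
        <form-login/>
    </http>

</beans:beans>
```

With cookie-based session management the attribute can stay at its default, because no session id has to be written into URLs.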
 