This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push: new fe6ffca0a3 Harden FORM authentication by limiting session duration fe6ffca0a3 is described below commit fe6ffca0a31fc59a57fcbfec5c948c61786d7ce8 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Mar 9 10:25:00 2023 +0000 Harden FORM authentication by limiting session duration If the session is created by the FORM authentication process, limit the duration of the session (120s by default) to limit the time the saved request body must be retained. --- .../catalina/authenticator/FormAuthenticator.java | 45 +++++++++++++++++++++- .../catalina/authenticator/SavedRequest.java | 15 ++++++++ webapps/docs/changelog.xml | 7 ++++ webapps/docs/config/valve.xml | 7 ++++ webapps/docs/security-howto.xml | 12 ++++-- 5 files changed, 82 insertions(+), 4 deletions(-) diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index 5abdb07998..2876a2d04c 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -27,6 +27,7 @@ import jakarta.servlet.RequestDispatcher; import jakarta.servlet.http.Cookie; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpSession; import org.apache.catalina.Realm; import org.apache.catalina.Session; @@ -68,6 +69,13 @@ public class FormAuthenticator extends AuthenticatorBase { */ protected String landingPage = null; + /** + * If the authentication process creates a session, this is the maximum session timeout (in seconds) during the + * authentication process. Once authentication is complete, the default session timeout will apply. Sessions that + * exist before the authentication process starts will retain their original session timeout throughout. + */ + protected int authenticationSessionTimeout = 120; + // ------------------------------------------------------------- Properties @@ -111,9 +119,32 @@ public class FormAuthenticator extends AuthenticatorBase { } - // ------------------------------------------------------ Protected Methods + /** + * Returns the maximum session timeout to be used during authentication if the authentication process creates a + * session. + * + * @return the maximum session timeout to be used during authentication if the authentication process creates a + * session + */ + public int getAuthenticationSessionTimeout() { + return authenticationSessionTimeout; + } + /** + * Configures the maximum session timeout to be used during authentication if the authentication process creates a + * session. + * + * @param authenticationSessionTimeout The maximum session timeout to use duriing authentication if the + * authentication process creates a session + */ + public void setAuthenticationSessionTimeout(int authenticationSessionTimeout) { + this.authenticationSessionTimeout = authenticationSessionTimeout; + } + + + // ------------------------------------------------------ Protected Methods + /** * Authenticate the user making this request, based on the specified login configuration. Return <code>true</code> * if any specified constraint has been satisfied, or <code>false</code> if we have created a response challenge @@ -616,6 +647,10 @@ public class FormAuthenticator extends AuthenticatorBase { request.getQueryString(); request.getProtocol(); + if (saved.getOriginalMaxInactiveInterval() > 0) { + session.setMaxInactiveInterval(saved.getOriginalMaxInactiveInterval()); + } + return true; } @@ -681,6 +716,14 @@ public class FormAuthenticator extends AuthenticatorBase { saved.setRequestURI(request.getRequestURI()); saved.setDecodedRequestURI(request.getDecodedRequestURI()); + if (session instanceof HttpSession && ((HttpSession) session).isNew()) { + int originalMaxInactiveInterval = session.getMaxInactiveInterval(); + if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) { + saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval); + session.setMaxInactiveInterval(getAuthenticationSessionTimeout()); + } + } + // Stash the SavedRequest in our session for later use session.setNote(Constants.FORM_REQUEST_NOTE, saved); } diff --git a/java/org/apache/catalina/authenticator/SavedRequest.java b/java/org/apache/catalina/authenticator/SavedRequest.java index c82a4d7a8c..8b9f08b618 100644 --- a/java/org/apache/catalina/authenticator/SavedRequest.java +++ b/java/org/apache/catalina/authenticator/SavedRequest.java @@ -163,6 +163,7 @@ public final class SavedRequest implements Serializable { this.body = body; } + /** * The content type of the request, used if this is a POST. */ @@ -175,4 +176,18 @@ public final class SavedRequest implements Serializable { public void setContentType(String contentType) { this.contentType = contentType; } + + + /** + * The original maxInactiveInterval for the session. + */ + private int originalMaxInactiveInterval = -1; + + public int getOriginalMaxInactiveInterval() { + return originalMaxInactiveInterval; + } + + public void setOriginalMaxInactiveInterval(int originalMaxInactiveInterval) { + this.originalMaxInactiveInterval = originalMaxInactiveInterval; + } } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index a2bec27624..e4a51ba2cf 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -116,6 +116,13 @@ Add an access log valve that uses a json format. Based on pull request <pr>539</pr> provided by Thomas Meyer. (remm) </add> + <add> + Harden the FORM authentication process against DoS attacks by using a + reduced session timeout if the FORM authentication process creates a + session. The duration of this timeout is configured by the + <code>authenticationSessionTimeout</code> attribute of the FORM + authenticator. (markt) + </add> </changelog> </subsection> <subsection name="Coyote"> diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml index 35c1f3f3ac..dbec996c45 100644 --- a/webapps/docs/config/valve.xml +++ b/webapps/docs/config/valve.xml @@ -1752,6 +1752,13 @@ value is <code>never</code>.</p> </attribute> + <attribute name="authenticationSessionTimeout" required="false"> + <p>If the authentication process creates a session, this is the maximum session timeout (in seconds) during the + authentication process. Once authentication is complete, the default session timeout will apply. Sessions that + exist before the authentication process starts will retain their original session timeout throughout. If not + set, the default value of <code>120</code> seconds will be used.</p> + </attribute> + <attribute name="changeSessionIdOnAuthentication" required="false"> <p>Controls if the session ID is changed if a session exists at the point where users are authenticated. This is to prevent session fixation diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 73c228000e..ffbc5bc7e6 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -295,9 +295,15 @@ <p>The <strong>maxSavePostSize</strong> attribute controls the saving of the request body during FORM and CLIENT-CERT authentication and HTTP/1.1 - upgrade. For FORM authentication, the request body is cached for the - duration of the authentication (which may be many minutes) so this is - limited to 4KB by default to reduce exposure to a DOS attack.</p> + upgrade. For FORM authentication, the request body is cached in the HTTP + session for the duration of the authentication so the cached request body + is limited to 4KB by default to reduce exposure to a DOS attack. To + further reduce exposure to a DoS attack by limiting the permitted duration + of the FORM authentication, a reduced session timeout is used if the + session is created by the FORM authentication. This reduced timeout is + controlled by the <code>authenticationSessionTimeout</code> attribute of + the <a href="config/valve.html#Form_Authenticator_Valve">FORM + authenticator</a>.</p> <p>The <strong>maxParameterCount</strong> attribute controls the maximum total number of request parameters (including uploaded files) obtained --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org