This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 7b321d7de9 Harden FORM authentication by limiting session duration
7b321d7de9 is described below
commit 7b321d7de9f2ea5ba2a75ab64c815c615b8732d6
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Mar 9 10:25:00 2023 +0000
Harden FORM authentication by limiting session duration
If the session is created by the FORM authentication process, limit the
duration of the session (120s by default) to limit the time the saved
request body must be retained.
---
.../catalina/authenticator/FormAuthenticator.java | 45 +++++++++++++++++++++-
.../catalina/authenticator/SavedRequest.java | 15 ++++++++
webapps/docs/changelog.xml | 7 ++++
webapps/docs/config/valve.xml | 7 ++++
webapps/docs/security-howto.xml | 12 ++++--
5 files changed, 82 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java
b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index cdc357c118..a57db51776 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -27,6 +27,7 @@ import javax.servlet.RequestDispatcher;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
@@ -68,6 +69,13 @@ public class FormAuthenticator extends AuthenticatorBase {
*/
protected String landingPage = null;
+ /**
+ * If the authentication process creates a session, this is the maximum
session timeout (in seconds) during the
+ * authentication process. Once authentication is complete, the default
session timeout will apply. Sessions that
+ * exist before the authentication process starts will retain their
original session timeout throughout.
+ */
+ protected int authenticationSessionTimeout = 120;
+
// ------------------------------------------------------------- Properties
@@ -111,9 +119,32 @@ public class FormAuthenticator extends AuthenticatorBase {
}
- // ------------------------------------------------------ Protected Methods
+ /**
+ * Returns the maximum session timeout to be used during authentication if
the authentication process creates a
+ * session.
+ *
+ * @return the maximum session timeout to be used during authentication if
the authentication process creates a
+ * session
+ */
+ public int getAuthenticationSessionTimeout() {
+ return authenticationSessionTimeout;
+ }
+ /**
+ * Configures the maximum session timeout to be used during authentication
if the authentication process creates a
+ * session.
+ *
+ * @param authenticationSessionTimeout The maximum session timeout to use
duriing authentication if the
+ * authentication process creates
a session
+ */
+ public void setAuthenticationSessionTimeout(int
authenticationSessionTimeout) {
+ this.authenticationSessionTimeout = authenticationSessionTimeout;
+ }
+
+
+ // ------------------------------------------------------ Protected Methods
+
/**
* Authenticate the user making this request, based on the specified login
configuration. Return <code>true</code>
* if any specified constraint has been satisfied, or <code>false</code>
if we have created a response challenge
@@ -616,6 +647,10 @@ public class FormAuthenticator extends AuthenticatorBase {
request.getQueryString();
request.getProtocol();
+ if (saved.getOriginalMaxInactiveInterval() > 0) {
+
session.setMaxInactiveInterval(saved.getOriginalMaxInactiveInterval());
+ }
+
return true;
}
@@ -681,6 +716,14 @@ public class FormAuthenticator extends AuthenticatorBase {
saved.setRequestURI(request.getRequestURI());
saved.setDecodedRequestURI(request.getDecodedRequestURI());
+ if (session instanceof HttpSession && ((HttpSession) session).isNew())
{
+ int originalMaxInactiveInterval = session.getMaxInactiveInterval();
+ if (originalMaxInactiveInterval >
getAuthenticationSessionTimeout()) {
+
saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
+
session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
+ }
+ }
+
// Stash the SavedRequest in our session for later use
session.setNote(Constants.FORM_REQUEST_NOTE, saved);
}
diff --git a/java/org/apache/catalina/authenticator/SavedRequest.java
b/java/org/apache/catalina/authenticator/SavedRequest.java
index 9ac5e0ef3b..6b8956ffa6 100644
--- a/java/org/apache/catalina/authenticator/SavedRequest.java
+++ b/java/org/apache/catalina/authenticator/SavedRequest.java
@@ -168,6 +168,7 @@ public final class SavedRequest implements Serializable {
this.body = body;
}
+
/**
* The content type of the request, used if this is a POST.
*/
@@ -180,4 +181,18 @@ public final class SavedRequest implements Serializable {
public void setContentType(String contentType) {
this.contentType = contentType;
}
+
+
+ /**
+ * The original maxInactiveInterval for the session.
+ */
+ private int originalMaxInactiveInterval = -1;
+
+ public int getOriginalMaxInactiveInterval() {
+ return originalMaxInactiveInterval;
+ }
+
+ public void setOriginalMaxInactiveInterval(int
originalMaxInactiveInterval) {
+ this.originalMaxInactiveInterval = originalMaxInactiveInterval;
+ }
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7fa4629893..ee686836c4 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -116,6 +116,13 @@
Add an access log valve that uses a json format. Based on pull request
<pr>539</pr> provided by Thomas Meyer. (remm)
</add>
+ <add>
+ Harden the FORM authentication process against DoS attacks by using a
+ reduced session timeout if the FORM authentication process creates a
+ session. The duration of this timeout is configured by the
+ <code>authenticationSessionTimeout</code> attribute of the FORM
+ authenticator. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index 7599493947..6fdc190634 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -1753,6 +1753,13 @@
value is <code>never</code>.</p>
</attribute>
+ <attribute name="authenticationSessionTimeout" required="false">
+ <p>If the authentication process creates a session, this is the
maximum session timeout (in seconds) during the
+ authentication process. Once authentication is complete, the default
session timeout will apply. Sessions that
+ exist before the authentication process starts will retain their
original session timeout throughout. If not
+ set, the default value of <code>120</code> seconds will be used.</p>
+ </attribute>
+
<attribute name="changeSessionIdOnAuthentication" required="false">
<p>Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session
fixation
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index d2cd44127c..3d2a0a7eb9 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -283,9 +283,15 @@
<p>The <strong>maxSavePostSize</strong> attribute controls the saving of
the request body during FORM and CLIENT-CERT authentication and HTTP/1.1
- upgrade. For FORM authentication, the request body is cached for the
- duration of the authentication (which may be many minutes) so this is
- limited to 4KB by default to reduce exposure to a DOS attack.</p>
+ upgrade. For FORM authentication, the request body is cached in the HTTP
+ session for the duration of the authentication so the cached request body
+ is limited to 4KB by default to reduce exposure to a DOS attack. To
+ further reduce exposure to a DoS attack by limiting the permitted
duration
+ of the FORM authentication, a reduced session timeout is used if the
+ session is created by the FORM authentication. This reduced timeout is
+ controlled by the <code>authenticationSessionTimeout</code> attribute of
+ the <a href="config/valve.html#Form_Authenticator_Valve">FORM
+ authenticator</a>.</p>
<p>The <strong>maxParameterCount</strong> attribute controls the maximum
total number of request parameters (including uploaded files) obtained
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
