Hello Team,

After digging into it at a low level, I have finally resolved this issue in a
very simple manner by writing a custom DelegatingFilterProxy as follows.

CustomDelegatingFilterProxy.java
--------------------------------------------------

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.DelegatingFilterProxy;

public class CustomDelegatingFilterProxy extends DelegatingFilterProxy {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain filterChain) throws ServletException, IOException {
        HttpServletRequest hRequest = (HttpServletRequest) request;
        HttpServletResponse hResponse = (HttpServletResponse) response;
        /*
         * This method is extended only to remove the JSESSIONID from the URL.
         * Ignore all requests except the first one, which comes immediately
         * after the session is created (the request for the context root);
         * redirect that one to the login page so the browser follows a clean
         * URL. Every other request is handed to the delegate (shiroFilter).
         */
        if (hRequest.getContextPath().equalsIgnoreCase(hRequest.getRequestURI())) {
            hResponse.sendRedirect(hRequest.getContextPath().concat("/user/login"));
            return;
        } else {
            super.doFilter(request, response, filterChain);
        }
    }
}

web.xml
-----------

<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>com.package.CustomDelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

The above code and configuration allowed me to hide the JSESSIONID from the
URL on the first request immediately after the session got created.

I think the above code may be helpful to you if you have the same
vulnerability issue / requirement.

On Sat, Jul 11, 2015 at 12:49 PM, Nagaraju Kurma <
[email protected]> wrote:

> Hello Team,
>
> As we know, this is one of the vulnerability challenges where we are
> supposed to remove the JSESSIONID from the URL.
>
> I observed that with the plain Servlet API 3.x there is a web.xml
> configuration which disables the JSESSIONID in the URL:
>
> <session-config>
>  <tracking-mode>COOKIE</tracking-mode>
> </session-config>
>
> But Shiro will identify and read the above configuration if and only if
> the Shiro XML contains a session manager configuration with the class
>
> <bean id="sessionManager"
> class="org.apache.shiro.web.session.mgt.ServletContainerSessionManager"></bean>
>
> But the limitations with the above class are:
>
> 1) No session listeners configuration
> 2) No Session dao configuration
> 3) No Session validation scheduler configuration
> 4) No invalid session deletion configuration
> ... etc.
>
> But removing the session token from the URL is possible with this.
>
> To overcome all the above limitations I am using the following session
> manager:
>
> <bean id="sessionManager"
> class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"></bean>
>
> But with this I am unable to hide the session token from the URL, as it
> doesn't read the web.xml configuration, context.xml, etc.
>
> Does anybody have a workaround for this, or is there any other session
> manager which includes the functionality of both of the above session
> managers, so that I can address all the above limitations and the session
> token issue?
>
> I am facing issues with this insufficient configuration. Could anybody
> please suggest the way forward?
>
> --
>
> Thanks & Regards
>
> Nagaraju Kurma
>



-- 

Thanks & Regards

Nagaraju Kurma
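A more general way to keep the session id out of the URL, added here as an example and not code from this thread, from Shiro or from Spring: a plain servlet Filter, mapped in web.xml ahead of shiroFilter, that looks for a ";jsessionid=" path parameter (the container's) or ";JSESSIONID=" (the one Shiro's DefaultWebSessionManager appends) on any GET request and answers with a redirect to the same URL with that segment removed, so the id travels only in the session cookie and never reaches logs, bookmarks or Referer headers. The class name SessionIdInUrlFilter and the helper stripSessionId are assumptions; the filter also assumes a Servlet 3.x container whose getRequestURI() returns the raw URI with path parameters included (Tomcat does; verify for your container).

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not Shiro or project code).
 * If the request URI carries a session id as a path parameter, redirect the
 * browser to the same URI without it. The session cookie set when the session
 * was created still identifies the session on the redirected request, so the
 * user stays logged in; the id simply stops appearing in the address bar.
 */
public class SessionIdInUrlFilter implements Filter {

    // Matches ";jsessionid=<id>" up to the next path segment, query or fragment.
    // CASE_INSENSITIVE covers both the container's "jsessionid" and Shiro's
    // upper-case "JSESSIONID" parameter name.
    private static final Pattern SESSION_ID_PATH_PARAM =
            Pattern.compile(";jsessionid=[^;/?#]*", Pattern.CASE_INSENSITIVE);

    /** Pure helper: "/app/home;jsessionid=ABC123" -> "/app/home". */
    static String stripSessionId(String requestUri) {
        return SESSION_ID_PATH_PARAM.matcher(requestUri).replaceAll("");
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String uri = req.getRequestURI();
        String clean = stripSessionId(uri);

        // Only GET requests can be replayed by a redirect without losing a
        // request body; anything else, and any URI with no id in it, passes
        // straight through to the rest of the chain (shiroFilter included).
        if (!clean.equals(uri) && "GET".equalsIgnoreCase(req.getMethod())) {
            StringBuilder target = new StringBuilder(clean);
            String query = req.getQueryString();
            if (query != null) {
                target.append('?').append(query);
            }
            // sendRedirect, unlike encodeRedirectURL, does not re-append the id.
            // A client that rejects cookies will lose its session here, which is
            // the same trade-off as <tracking-mode>COOKIE</tracking-mode>.
            resp.sendRedirect(target.toString());
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map it in web.xml with a filter-mapping for /* listed before shiroFilter's mapping, since mappings run in declaration order. Unlike the redirect-to-login approach above, this handles any URL rather than only the context root, and it does not depend on which Shiro session manager is configured. Shiro 1.3 and later also expose a sessionIdUrlRewritingEnabled property on DefaultWebSessionManager; setting it to false stops Shiro from appending the id in the first place, and the filter then remains useful only as a backstop for ids that arrive in links pasted by users.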
