Fixed SECURITY-3000

Author: fcrespel

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## [Unreleased]
 
+- Fixed security issue (SECURITY-3000).
+
 ## [1.6.2] - 2022-05-29
 
 - Added explicit dependency on JAXB plugin (JENKINS-68455).

src/main/java/org/jenkinsci/plugins/cas/spring/CasConfigurationContext.java

@@ -10,6 +10,7 @@
 import org.jenkinsci.plugins.cas.CasProtocol;
 import org.jenkinsci.plugins.cas.CasSecurityRealm;
 import org.jenkinsci.plugins.cas.spring.security.CasRestAuthenticator;
+import org.jenkinsci.plugins.cas.spring.security.CasSessionFixationProtectionStrategy;
 import org.jenkinsci.plugins.cas.spring.security.CasSingleSignOutFilter;
 import org.jenkinsci.plugins.cas.spring.security.CasUserDetailsService;
 import org.jenkinsci.plugins.cas.spring.security.DynamicServiceAuthenticationDetailsSource;
@@ -143,12 +144,13 @@ public CasSingleSignOutFilter casSingleSignOutFilter(CasSecurityRealm securityRe
 	}
 
 	@Bean
-	public CasAuthenticationFilter casAuthenticationFilter(AuthenticationManager casAuthenticationManager, DynamicServiceAuthenticationDetailsSource casAuthenticationDetailsSource, ServiceProperties casServiceProperties) {
+	public CasAuthenticationFilter casAuthenticationFilter(AuthenticationManager casAuthenticationManager, DynamicServiceAuthenticationDetailsSource casAuthenticationDetailsSource, ServiceProperties casServiceProperties, SessionMappingStorage casSessionMappingStorage) {
 		CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
 		casAuthenticationFilter.setFilterProcessesUrl("/" + CasSecurityRealm.getFinishLoginUrl());
 		casAuthenticationFilter.setAuthenticationManager(casAuthenticationManager);
 		casAuthenticationFilter.setAuthenticationDetailsSource(casAuthenticationDetailsSource);
 		casAuthenticationFilter.setServiceProperties(casServiceProperties);
+		casAuthenticationFilter.setSessionAuthenticationStrategy(new CasSessionFixationProtectionStrategy(casSessionMappingStorage));
 		casAuthenticationFilter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/" + CasSecurityRealm.getFailedLoginUrl()));
 		casAuthenticationFilter.setAuthenticationSuccessHandler(new SessionUrlAuthenticationSuccessHandler("/"));
 		casAuthenticationFilter.setContinueChainBeforeSuccessfulAuthentication(true); // Required to reach CasSecurityRealm.doFinishLogin()

src/main/java/org/jenkinsci/plugins/cas/spring/security/CasSessionFixationProtectionStrategy.java

@@ -0,0 +1,51 @@
+package org.jenkinsci.plugins.cas.spring.security;
+
+import javax.servlet.http.HttpSession;
+
+import org.jasig.cas.client.session.SessionMappingStorage;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
+
+/**
+ * Session fixation protection strategy that invalidates the existing session
+ * and integrates with the Single Sign-Out session mapping storage.
+ * 
+ * @author Fabien Crespel
+ */
+public class CasSessionFixationProtectionStrategy extends SessionFixationProtectionStrategy {
+
+	private static final Logger LOG = LoggerFactory.getLogger(CasSessionFixationProtectionStrategy.class);
+
+	protected SessionMappingStorage sessionStorage = null;
+
+	public CasSessionFixationProtectionStrategy() {
+	}
+
+	public CasSessionFixationProtectionStrategy(SessionMappingStorage sessionStorage) {
+		this.sessionStorage = sessionStorage;
+	}
+
+	@Override
+	protected void onSessionChange(String originalSessionId, HttpSession newSession, Authentication auth) {
+		if (sessionStorage != null) {
+			LOG.debug("Session changed, removing existing session with ID '{}'", originalSessionId);
+			sessionStorage.removeBySessionById(originalSessionId);
+			if (auth.getCredentials() instanceof String) {
+				LOG.debug("Session changed, adding new session with ID '{}'", newSession.getId());
+				sessionStorage.addSessionById((String) auth.getCredentials(), newSession);
+			}
+		}
+		super.onSessionChange(originalSessionId, newSession, auth);
+	}
+
+	public SessionMappingStorage getSessionStorage() {
+		return sessionStorage;
+	}
+
+	public void setSessionStorage(SessionMappingStorage sessionStorage) {
+		this.sessionStorage = sessionStorage;
+	}
+
+}