This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new fea89e2128 Harden FORM authentication by limiting session duration
fea89e2128 is described below
commit fea89e2128a8e16cfb06e91ccdb712993ab61e64
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Mar 9 10:25:00 2023 +0000
Harden FORM authentication by limiting session duration
If the session is created by the FORM authentication process, limit the
duration of the session (120s by default) to limit the time the saved
request body must be retained.
---
.../catalina/authenticator/FormAuthenticator.java | 45 +++++++++++++++++++++-
.../catalina/authenticator/SavedRequest.java | 15 ++++++++
webapps/docs/changelog.xml | 7 ++++
webapps/docs/config/valve.xml | 7 ++++
webapps/docs/security-howto.xml | 12 ++++--
5 files changed, 82 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java
b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index cdc357c118..a57db51776 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -27,6 +27,7 @@ import javax.servlet.RequestDispatcher;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
@@ -68,6 +69,13 @@ public class FormAuthenticator extends AuthenticatorBase {
*/
protected String landingPage = null;
+ /**
+ * If the authentication process creates a session, this is the maximum
session timeout (in seconds) during the
+ * authentication process. Once authentication is complete, the default
session timeout will apply. Sessions that
+ * exist before the authentication process starts will retain their
original session timeout throughout.
+ */
+ protected int authenticationSessionTimeout = 120;
+
// ------------------------------------------------------------- Properties
@@ -111,9 +119,32 @@ public class FormAuthenticator extends AuthenticatorBase {
}
- // ------------------------------------------------------ Protected Methods
+ /**
+ * Returns the maximum session timeout to be used during authentication if
the authentication process creates a
+ * session.
+ *
+ * @return the maximum session timeout to be used during authentication if
the authentication process creates a
+ * session
+ */
+ public int getAuthenticationSessionTimeout() {
+ return authenticationSessionTimeout;
+ }
+ /**
+ * Configures the maximum session timeout to be used during authentication
if the authentication process creates a
+ * session.
+ *
+ * @param authenticationSessionTimeout The maximum session timeout to use
duriing authentication if the
+ * authentication process creates
a session
+ */
+ public void setAuthenticationSessionTimeout(int
authenticationSessionTimeout) {
+ this.authenticationSessionTimeout = authenticationSessionTimeout;
+ }
+
+
+ // ------------------------------------------------------ Protected Methods
+
/**
* Authenticate the user making this request, based on the specified login
configuration. Return <code>true</code>
* if any specified constraint has been satisfied, or <code>false</code>
if we have created a response challenge
@@ -616,6 +647,10 @@ public class FormAuthenticator extends AuthenticatorBase {
request.getQueryString();
request.getProtocol();
+ if (saved.getOriginalMaxInactiveInterval() > 0) {
+
session.setMaxInactiveInterval(saved.getOriginalMaxInactiveInterval());
+ }
+
return true;
}
@@ -681,6 +716,14 @@ public class FormAuthenticator extends AuthenticatorBase {
saved.setRequestURI(request.getRequestURI());
saved.setDecodedRequestURI(request.getDecodedRequestURI());
+ if (session instanceof HttpSession && ((HttpSession) session).isNew())
{
+ int originalMaxInactiveInterval = session.getMaxInactiveInterval();
+ if (originalMaxInactiveInterval >
getAuthenticationSessionTimeout()) {
+
saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
+
session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
+ }
+ }
+
// Stash the SavedRequest in our session for later use
session.setNote(Constants.FORM_REQUEST_NOTE, saved);
}
diff --git a/java/org/apache/catalina/authenticator/SavedRequest.java
b/java/org/apache/catalina/authenticator/SavedRequest.java
index a83d88ae88..147e98df68 100644
--- a/java/org/apache/catalina/authenticator/SavedRequest.java
+++ b/java/org/apache/catalina/authenticator/SavedRequest.java
@@ -163,6 +163,7 @@ public final class SavedRequest implements Serializable {
this.body = body;
}
+
/**
* The content type of the request, used if this is a POST.
*/
@@ -175,4 +176,18 @@ public final class SavedRequest implements Serializable {
public void setContentType(String contentType) {
this.contentType = contentType;
}
+
+
+ /**
+ * The original maxInactiveInterval for the session.
+ */
+ private int originalMaxInactiveInterval = -1;
+
+ public int getOriginalMaxInactiveInterval() {
+ return originalMaxInactiveInterval;
+ }
+
+ public void setOriginalMaxInactiveInterval(int
originalMaxInactiveInterval) {
+ this.originalMaxInactiveInterval = originalMaxInactiveInterval;
+ }
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 42e5dec4db..01720dde4c 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -116,6 +116,13 @@
Add an access log valve that uses a json format. Based on pull request
<pr>539</pr> provided by Thomas Meyer. (remm)
</add>
+ <add>
+ Harden the FORM authentication process against DoS attacks by using a
+ reduced session timeout if the FORM authentication process creates a
+ session. The duration of this timeout is configured by the
+ <code>authenticationSessionTimeout</code> attribute of the FORM
+ authenticator. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index 906aaa460d..fc9204a8e5 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -1753,6 +1753,13 @@
value is <code>never</code>.</p>
</attribute>
+ <attribute name="authenticationSessionTimeout" required="false">
+ <p>If the authentication process creates a session, this is the
maximum session timeout (in seconds) during the
+ authentication process. Once authentication is complete, the default
session timeout will apply. Sessions that
+ exist before the authentication process starts will retain their
original session timeout throughout. If not
+ set, the default value of <code>120</code> seconds will be used.</p>
+ </attribute>
+
<attribute name="changeSessionIdOnAuthentication" required="false">
<p>Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session
fixation
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 1529af5659..d603fca1cb 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -283,9 +283,15 @@
<p>The <strong>maxSavePostSize</strong> attribute controls the saving of
the request body during FORM and CLIENT-CERT authentication and HTTP/1.1
- upgrade. For FORM authentication, the request body is cached for the
- duration of the authentication (which may be many minutes) so this is
- limited to 4KB by default to reduce exposure to a DOS attack.</p>
+ upgrade. For FORM authentication, the request body is cached in the HTTP
+ session for the duration of the authentication so the cached request body
+ is limited to 4KB by default to reduce exposure to a DOS attack. To
+ further reduce exposure to a DoS attack by limiting the permitted
duration
+ of the FORM authentication, a reduced session timeout is used if the
+ session is created by the FORM authentication. This reduced timeout is
+ controlled by the <code>authenticationSessionTimeout</code> attribute of
+ the <a href="config/valve.html#Form_Authenticator_Valve">FORM
+ authenticator</a>.</p>
<p>The <strong>maxParameterCount</strong> attribute controls the maximum
total number of request parameters (including uploaded files) obtained
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
