In addition to coordinating the authentication and authorization requirements of your application, Spring Security is also able to ensure unauthenticated web requests have certain properties. These properties may include being of a particular transport type, having a particular HttpSession attribute set, and so on. The most common requirement is for your web requests to be received using a particular transport protocol, such as HTTPS.
An important issue in considering transport security is that of session hijacking. Your web container manages a HttpSession by reference to a jsessionid that is sent to user agents either via a cookie or URL rewriting. If the jsessionid is ever sent over plain HTTP, anyone able to observe the traffic can capture the session identifier and use it to impersonate the user once they have completed the authentication process. This is because most web containers maintain the same session identifier for a given user, even after they switch from HTTP to HTTPS pages: an identifier captured before login is therefore still valid after login.
If session hijacking is considered too significant a risk for your particular application, the only option is to use HTTPS for every request, so that the jsessionid is never sent across an insecure channel. You will need to ensure that your web.xml-defined <welcome-file> points to an HTTPS location, and that the application never directs the user to an HTTP location. Spring Security provides a solution to assist with the latter.
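As an added illustration (not a configuration taken from this page), the following Spring Security namespace configuration requires HTTPS for every URL. It assumes Spring Security 3.x namespace syntax, a container listening on 8080 and 8443, and omits the access constraints a real application would also declare, since they are not the point here:

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="true">
        <!-- Every URL, the welcome page included, must arrive over HTTPS.
             A request that arrives over plain HTTP is redirected to the same
             URL on HTTPS by the channel processing filter before any
             application code runs, so the jsessionid is not exchanged over
             an insecure channel after this redirect. -->
        <intercept-url pattern="/**" requires-channel="https" />

        <!-- Only needed when the container is not on the default 80/443.
             The 8080/8443 pair is an assumed example; adjust to your
             deployment so the HTTPS redirect lands on the right port. -->
        <port-mappings>
            <port-mapping http="8080" https="8443" />
        </port-mappings>
    </http>

    <!-- Minimal in-memory user store so the example context starts; the
         credentials are placeholders, not a recommendation. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="password" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

With a single `/**` pattern there is no HTTP-only area of the application, so a jsessionid issued before authentication has never travelled in the clear. Note that the redirect only protects requests that reach this filter chain: a jsessionid already sent on the very first plain-HTTP request is still exposed, which is why the page also asks you to make sure users are initially directed to an HTTPS location rather than relying on the redirect alone.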