spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0
8.55k stars 5.8k forks

X509 logout #6145

Open sunflower-seed opened 5 years ago

sunflower-seed commented 5 years ago

Summary

If you configure your web server to do X509 authentication only on a specific URL, it is possible to use Spring Security's logout function (some kind of workaround). But if you immediately perform an action after logging out, you are still logged in.

Details

Logging out with certificate authentication is not really possible via a website. The only solution is to close the browser. And it's not the best solution to do certificate logins only via a login URL to have the possibility to perform logouts. So it's somehow an edge case. Also, this is at least not a security thing, because every user should be informed about how to handle certificates. But it's not really user-friendly to perform an unsuccessful logout.

We chose this quirky implementation because we do not want to overtax users with a certificate request popup when they open the page, even if they don't have certificates. So we chose an extra URL where the user can perform certificate login.

Reason and Expected Behavior

The best thing in my use case would be that the user is logged out. Maybe this could be achieved by configuring the Spring app to do X509 only on a specified URL (not tested yet, see Configuration), if this is possible.

If you perform a logout, the "Keep-Alive" HTTP header is sent and the browser is advised to keep the connection open for about 5 seconds. So the handshaked HTTPS connection runs for at least five seconds after logout. So if you perform any action in this time, you are kept logged in.

For more security it might be best to set the keep-alive headers to zero.

Configuration

The Apache web server has a hardcoded URL where SSL verification (X509) is enabled and the cert data are passed through to the app via AJP. Spring Security is globally configured to accept X509 logins.

Version

4.x
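The setup described under Configuration, written out as an added example (not from the issue or the Spring Security project): an Apache httpd vhost that requests a client certificate only under /cert-login, passes the verified certificate to the app over AJP, and marks the logout request so httpd closes the connection with the logout response instead of honouring its keep-alive timeout. The hostname, the /cert-login and /logout paths, the certificate file locations and the AJP port are assumptions.

```apache
# Added example, not the reporter's or the project's configuration.
# Hostname, paths, file locations and the AJP port are assumptions.
<VirtualHost *:443>
    ServerName app.example.test

    SSLEngine on
    SSLCertificateFile    /etc/ssl/app/server.crt
    SSLCertificateKeyFile /etc/ssl/app/server.key
    # CA that issues the client certificates we accept.
    SSLCACertificateFile  /etc/ssl/app/client-ca.pem

    # Default for the whole site: no client certificate is requested, so users
    # without a certificate never see the browser's certificate popup.
    SSLVerifyClient none

    # Only this path requests (and requires) a client certificate.
    <Location /cert-login>
        SSLVerifyClient require
        SSLVerifyDepth  2
        # Export the PEM certificate into the SSL environment. mod_proxy_ajp
        # forwards SSL_CLIENT_CERT as an AJP attribute, Tomcat exposes it as
        # the javax.servlet.request.X509Certificate request attribute, and
        # that is what Spring Security's X509AuthenticationFilter reads.
        SSLOptions +StdEnvVars +ExportCertData
    </Location>

    # The keep-alive problem from the report: after /logout the browser may
    # reuse the still-open, certificate-authenticated connection. Setting the
    # special "nokeepalive" variable makes httpd close the connection after
    # answering this request.
    SetEnvIf Request_URI "^/logout" nokeepalive

    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>
```

Closing the connection only removes the window described in the report; it does not make the browser forget the certificate. Browsers cache the certificate choice for the host and may resume the TLS session on the next connection, so the next request to /cert-login authenticates again without a prompt, which is the limitation rwinch points out below.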

rwinch commented 5 years ago

Thanks for the report. The problem is that as soon as you hit a protected URL the X509 certificate is still being used, which will authenticate again. I'm not sure there is anything you can do, because there is no way to signal to the browser to stop sending the certificate.

sunflower-seed commented 5 years ago

Thank you for your reply. And sorry if this was confusing:

which will authenticate again.

You can work around this by configuring the web server (Apache) to do cert requests only on a certain URL. Then logout is possible (although, as mentioned, it is not a real logout). But then you run into trouble with the keep-alive thing.

rwinch commented 5 years ago

Can you put together a minimal and complete example of this?

sunflower-seed commented 5 years ago

Can you put together a minimal and complete example of this?

I'll try. It may take some time.

sunflower-seed commented 5 years ago

Sorry, I tried to get the X509 sample running without success. Can you provide, or have you already provided, a short how-to anywhere?

The thing is pretty simple: if performing a logout with X509, the keep-alive header should be checked to always be 0 in this case.
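The application side of the same idea, as an added example that is not part of the issue or of the Spring Security project: a Spring Security 4.x Java configuration that accepts X.509 pre-authentication globally (as the reporter describes) and, on logout, invalidates the HTTP session and sets `Connection: close` on the logout response so the servlet container does not keep the connection open. The class name, the `/logout` and `/logged-out` paths, the subject regex and the trivial `UserDetailsService` are assumptions.

```java
// Added example, not the reporter's or the project's code.
// Class name, paths, subject regex and the user lookup are assumptions.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;

@Configuration
@EnableWebSecurity
public class X509LogoutConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/logged-out").permitAll()
                .anyRequest().authenticated()
                .and()
            // X.509 pre-authentication: the filter reads the certificate the
            // container puts into javax.servlet.request.X509Certificate. The app
            // trusts that attribute, so the front-end web server must be the only
            // way to reach the container.
            .x509()
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(certUserDetailsService())
                .and()
            .logout()
                .logoutUrl("/logout")
                // Drop the server-side session so the logout is real for the app,
                // even though the browser will still present the certificate.
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessHandler(closeConnectionLogoutSuccessHandler());
    }

    @Bean
    public UserDetailsService certUserDetailsService() {
        // Assumption: every CN the CA issues maps to an ordinary user.
        return username -> new User(username, "",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    @Bean
    public LogoutSuccessHandler closeConnectionLogoutSuccessHandler() {
        SimpleUrlLogoutSuccessHandler redirect = new SimpleUrlLogoutSuccessHandler();
        redirect.setDefaultTargetUrl("/logged-out");
        return new LogoutSuccessHandler() {
            @Override
            public void onLogoutSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
                    throws IOException, ServletException {
                // Ask the container not to keep this connection alive after the
                // response, closing the window in which a follow-up request would
                // ride on the certificate-authenticated connection.
                response.setHeader("Connection", "close");
                redirect.onLogoutSuccess(request, response, authentication);
            }
        };
    }
}
```

The `Connection: close` header only helps when the servlet container terminates TLS itself; `Connection` is a hop-by-hop header, so a reverse proxy such as the Apache/AJP front end in this issue will not forward it to the browser, and the connection has to be closed on the proxy instead. Either way the browser keeps the certificate for the host, so the next request to the certificate-protected URL authenticates again, as rwinch notes above.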