0 Replies Latest reply on May 26, 2014 8:48 PM by Subhajyoti Chatterjee

    Session Fixation Attack : AS 7.1.1.Final

    Subhajyoti Chatterjee Newbie

      My Application is using LDAP for authentication.

       

      How do I set Jboss to renew session ID after successful authentication ?

       

      standalone.xml

      ===============

      <security-domain name="LDAP" cache-type="default">

       

         <authentication>

       

         <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">

      .....


      web.xml

      ==============


      <security-constraint>

       

      <web-resource-collection>

       

      <web-resource-name>evTestToolPages</web-resource-name>

       

      <description>

       

      </description>

       

        <url-pattern>/*</url-pattern>

       

      <http-method>GET</http-method>

       

      <http-method>POST</http-method>

       

      <http-method>DELETE</http-method>

       

      <http-method>PUT</http-method>

       

      </web-resource-collection>

       

      <auth-constraint>

       

      <description>

       

      </description>

       

      <role-name>RISK_ANALYST</role-name>

       

       

      </auth-constraint>

       

      <user-data-constraint>

       

      <description>

       

      </description>

       

      <transport-guarantee>NONE</transport-guarantee>

       

      </user-data-constraint>

       

      </security-constraint>