GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Revert SEC-1356. 

Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
3.0.x
Luke Taylor 16 years ago
parent
1a7f71fc0f
commit
0c10efbbf8
3 changed files with 7 additions and 34 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
  2. 2
      web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
  3. 25
      web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java

14
web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
Unescape View File

@ -121,10 +121,8 @@ public abstract class AbstractRememberMeServices implements RememberMeServices, @@ -121,10 +121,8 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
return null;
}
String requiredPath = getCookiePath(request);
for (int i = 0; i < cookies.length; i++) {
if (cookieName.equals(cookies[i].getName()) && requiredPath.equals(cookies[i].getPath())) {
if (cookieName.equals(cookies[i].getName())) {
return cookies[i].getValue();
}
}
@ -132,11 +130,6 @@ public abstract class AbstractRememberMeServices implements RememberMeServices, @@ -132,11 +130,6 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
return null;
}
private String getCookiePath(HttpServletRequest request) {
String contextPath = request.getContextPath();
return contextPath.length() > 0 ? contextPath : "/";
}
/**
* Creates the final <tt>Authentication</tt> object returned from the <tt>autoLogin</tt> method.
* <p>
@ -325,6 +318,11 @@ public abstract class AbstractRememberMeServices implements RememberMeServices, @@ -325,6 +318,11 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
response.addCookie(cookie);
}
private String getCookiePath(HttpServletRequest request) {
String contextPath = request.getContextPath();
return contextPath.length() > 0 ? contextPath : "/";
}
/**
* Implementation of <tt>LogoutHandler</tt>. Default behaviour is to call <tt>cancelCookie()</tt>.
*/

2
web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
Unescape View File

@ -249,7 +249,7 @@ public class AbstractRememberMeServicesTests { @@ -249,7 +249,7 @@ public class AbstractRememberMeServicesTests {
MockRememberMeServices services = new MockRememberMeServices();
Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
services.encodeCookie(StringUtils.delimitedListToStringArray(cookieToken, ":")));
cookie.setPath("/");
return new Cookie[] {cookie};
}

25
web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java
Unescape View File

@ -109,7 +109,6 @@ public class TokenBasedRememberMeServicesTests { @@ -109,7 +109,6 @@ public class TokenBasedRememberMeServicesTests {
@Test
public void autoLoginIgnoresUnrelatedCookie() throws Exception {
Cookie cookie = new Cookie("unrelated_cookie", "foobar");
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
MockHttpServletResponse response = new MockHttpServletResponse();
@ -120,27 +119,10 @@ public class TokenBasedRememberMeServicesTests { @@ -120,27 +119,10 @@ public class TokenBasedRememberMeServicesTests {
assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
}
// SEC-1356
@Test
public void autoLoginIgnoresCookieWithWrongPath() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, "foobar");
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setContextPath("not_root");
request.setCookies(new Cookie[] {cookie});
MockHttpServletResponse response = new MockHttpServletResponse();
Authentication result = services.autoLogin(request, response);
assertNull(result);
assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
}
@Test
public void autoLoginReturnsNullForExpiredCookieAndClearsCookie() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() - 1000000, "someone", "password", "key"));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -156,7 +138,6 @@ public class TokenBasedRememberMeServicesTests { @@ -156,7 +138,6 @@ public class TokenBasedRememberMeServicesTests {
public void autoLoginReturnsNullAndClearsCookieIfMissingThreeTokensInCookieValue() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
new String(Base64.encodeBase64("x".getBytes())));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -172,7 +153,6 @@ public class TokenBasedRememberMeServicesTests { @@ -172,7 +153,6 @@ public class TokenBasedRememberMeServicesTests {
public void autoLoginClearsNonBase64EncodedCookie() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
"NOT_BASE_64_ENCODED");
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -190,7 +170,6 @@ public class TokenBasedRememberMeServicesTests { @@ -190,7 +170,6 @@ public class TokenBasedRememberMeServicesTests {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password",
"WRONG_KEY"));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -207,8 +186,6 @@ public class TokenBasedRememberMeServicesTests { @@ -207,8 +186,6 @@ public class TokenBasedRememberMeServicesTests {
public void autoLoginClearsCookieIfTokenDoesNotContainANumberInCookieValue() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
new String(Base64.encodeBase64("username:NOT_A_NUMBER:signature".getBytes())));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -225,7 +202,6 @@ public class TokenBasedRememberMeServicesTests { @@ -225,7 +202,6 @@ public class TokenBasedRememberMeServicesTests {
jmock.checking(udsWillThrowNotFound);
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key"));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -243,7 +219,6 @@ public class TokenBasedRememberMeServicesTests { @@ -243,7 +219,6 @@ public class TokenBasedRememberMeServicesTests {
jmock.checking(udsWillReturnUser);
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key"));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});

Write Preview
Loading…
Cancel
Save